This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Wireless
- ExtremeWireless (WiNG)
- RE: PacketFence and Summit switches
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
PacketFence and Summit switches
PacketFence and Summit switches
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-31-2014 11:37 AM
Sorry for the amount of detail, but we are trying to setup PacketFence with our Summit switches and I think everything looks fine on the PacketFence side, but I keep getting the following on the test switch:
07/30/2014 13:47:39.42 Slot-1: Authentication failed for Network Login MAC user 3C970EADB66B Mac 3C:97:0E:AD:B6:6B port 5:13
07/30/2014 13:47:39.42 Slot-1: No response from server 172.22.0.3 trying local.
07/30/2014 13:47:39.42 Slot-1: No servers responding
07/30/2014 13:47:36.42 Slot-1: Resend request to Authentication Server address 172.22.0.3 current request count is 2
07/30/2014 13:47:33.41 Slot-1: Resend request to Authentication Server address 172.22.0.3 current request count is 1
What steps can I perform on the switch to verify connectivity? I can ping/trace to the PacketFence server from the switch.
We have PacketFence installed on a server (172.22.0.3). We have three interfaces defined in PacketFence: Management (172.22.0.3/23), Isolation (12.22.2.3/23), and Registration (172.22.38.3/23). Those interfaces are plugged into our core Extreme Networks Summit switch into matching VLANs: “Internal_Appliances” (172.22.0.1/23), “MAC_Isolation” (172.22.2.1/23), and “MAC_Registration” (172.22.38.1/23).
That switch is then uplinked to our desktop switch, where we have created a “MAC_Isolation” (172.22.2.2/23), “MAC_Registration” (172.22.38.2/23), MAC_Temp (no IP), and “Desktops” (172.22.34.2/23). We want the ports to eventually end up in the “Desktops” VLAN after authorization.
The steps below were performed on the Extreme switch to which the desktops are connected, using Port 5:13 as our test.
create vlan MAC_Registration
config vlan "MAC_Registration" tag 369
create vlan MAC_Temp
enable snmp access
configure snmp add trapreceiver 172.22.0.3 community public vr VR-DEFAULT
configure vlan MAC_Registration add ports 5:13 untagged
configure ports 5:13 vlan MAC_Registration lock-learning
disable snmp traps port-up-down ports 5:13
configure radius netlogin primary server 172.22.0.3 1812 client-ip 172.22.32.2 vr VR-Default
configure radius netlogin primary shared-secret (password)
enable radius netlogin
configure netlogin vlan MAC_Temp
enable netlogin mac
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 4:45
configure netlogin mac authentication database-order radius
enable netlogin ports 5:13 mac
configure netlogin ports 5:13 mode port-based-vlans
configure netlogin ports 5:13 no-restart
The results of “show netlogin” and “show radius” on the switch returns the following:
Slot-1 Stack.4 # show netlogin
NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based ENABLED
NetLogin VLAN : "MAC_Temp"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Enabled
Dynamic VLAN Uplink Ports : 4:45
------------------------------------------------
Web-based Mode Global Configuration
------------------------------------------------
Base-URL : network-access.com
Default-Redirect-Page : ENABLED; http://www.extremenetworks.com
Logout-privilege : YES
Netlogin Session-Refresh : ENABLED; 3 minute(s) 0 second(s)
Refresh failures allowed : 0
Reauthenticate on refresh: Disabled
Authentication Database : Radius, Local-User database
Proxy Ports : 80(http),443(https)
------------------------------------------------
------------------------------------------------
802.1x Mode Global Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
EAPOL MPDU version to transmit : v1
Authentication Database : Radius
------------------------------------------------
------------------------------------------------
MAC Mode Global Configuration
------------------------------------------------
MAC Address/Mask Password (encrypted) Port(s)
-------------------- ------------------------------ ------------------------
Default any
Re-authentication period : 0 (Re-authentication disabled)
Authentication Database : Radius
------------------------------------------------
Port: 5:13, Vlan: MAC_Registration, State: Enabled, Authentication: mac-based
Guest Vlan: Disabled
Authentication Failure Vlan: Disabled
Authentication Service-Unavailable Vlan: Disabled
MAC IP address Authenticated Type ReAuth-Timer User
3c:97:0e??b6:6b 0.0.0.0 No MAC 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Number of Clients Authenticated : 0
Slot-1 Stack.5 # show radius
Switch Management Radius: disabled
Switch Management Radius server connect time out: 3 seconds
Switch Management Radius Accounting: disabled
Switch Management Radius Accounting server connect time out: 3 seconds
Netlogin Radius: enabled
Netlogin Radius server connect time out: 3 seconds
Netlogin Radius Accounting: disabled
Netlogin Radius Accounting server connect time out: 3 seconds
Primary Netlogin Radius server:
Server name :
IP address : 172.22.0.3
Server IP Port: 1812
Client address: 172.22.38.2 (VR-Default)
Shared secret : 2\q;sJ;@F=8Bjn
Access Requests : 13752 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 9168 Client timeouts : 4584
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0
07/30/2014 13:47:39.42 Slot-1: Authentication failed for Network Login MAC user 3C970EADB66B Mac 3C:97:0E:AD:B6:6B port 5:13
07/30/2014 13:47:39.42
07/30/2014 13:47:39.42
07/30/2014 13:47:36.42
07/30/2014 13:47:33.41
What steps can I perform on the switch to verify connectivity? I can ping/trace to the PacketFence server from the switch.
We have PacketFence installed on a server (172.22.0.3). We have three interfaces defined in PacketFence: Management (172.22.0.3/23), Isolation (12.22.2.3/23), and Registration (172.22.38.3/23). Those interfaces are plugged into our core Extreme Networks Summit switch into matching VLANs: “Internal_Appliances” (172.22.0.1/23), “MAC_Isolation” (172.22.2.1/23), and “MAC_Registration” (172.22.38.1/23).
That switch is then uplinked to our desktop switch, where we have created a “MAC_Isolation” (172.22.2.2/23), “MAC_Registration” (172.22.38.2/23), MAC_Temp (no IP), and “Desktops” (172.22.34.2/23). We want the ports to eventually end up in the “Desktops” VLAN after authorization.
The steps below were performed on the Extreme switch to which the desktops are connected, using Port 5:13 as our test.
create vlan MAC_Registration
config vlan "MAC_Registration" tag 369
create vlan MAC_Temp
enable snmp access
configure snmp add trapreceiver 172.22.0.3 community public vr VR-DEFAULT
configure vlan MAC_Registration add ports 5:13 untagged
configure ports 5:13 vlan MAC_Registration lock-learning
disable snmp traps port-up-down ports 5:13
configure radius netlogin primary server 172.22.0.3 1812 client-ip 172.22.32.2 vr VR-Default
configure radius netlogin primary shared-secret (password)
enable radius netlogin
configure netlogin vlan MAC_Temp
enable netlogin mac
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 4:45
configure netlogin mac authentication database-order radius
enable netlogin ports 5:13 mac
configure netlogin ports 5:13 mode port-based-vlans
configure netlogin ports 5:13 no-restart
The results of “show netlogin” and “show radius” on the switch returns the following:
Slot-1 Stack.4 # show netlogin
NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based ENABLED
NetLogin VLAN : "MAC_Temp"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Enabled
Dynamic VLAN Uplink Ports : 4:45
------------------------------------------------
Web-based Mode Global Configuration
------------------------------------------------
Base-URL : network-access.com
Default-Redirect-Page : ENABLED; http://www.extremenetworks.com
Logout-privilege : YES
Netlogin Session-Refresh : ENABLED; 3 minute(s) 0 second(s)
Refresh failures allowed : 0
Reauthenticate on refresh: Disabled
Authentication Database : Radius, Local-User database
Proxy Ports : 80(http),443(https)
------------------------------------------------
------------------------------------------------
802.1x Mode Global Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
EAPOL MPDU version to transmit : v1
Authentication Database : Radius
------------------------------------------------
------------------------------------------------
MAC Mode Global Configuration
------------------------------------------------
MAC Address/Mask Password (encrypted) Port(s)
-------------------- ------------------------------ ------------------------
Default
Re-authentication period : 0 (Re-authentication disabled)
Authentication Database : Radius
------------------------------------------------
Port: 5:13, Vlan: MAC_Registration, State: Enabled, Authentication: mac-based
Guest Vlan
Authentication Failure Vlan
Authentication Service-Unavailable Vlan
MAC IP address Authenticated Type ReAuth-Timer User
3c:97:0e??b6:6b 0.0.0.0 No MAC 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Number of Clients Authenticated : 0
Slot-1 Stack.5 # show radius
Switch Management Radius: disabled
Switch Management Radius server connect time out: 3 seconds
Switch Management Radius Accounting: disabled
Switch Management Radius Accounting server connect time out: 3 seconds
Netlogin Radius: enabled
Netlogin Radius server connect time out: 3 seconds
Netlogin Radius Accounting: disabled
Netlogin Radius Accounting server connect time out: 3 seconds
Primary Netlogin Radius server:
Server name :
IP address : 172.22.0.3
Server IP Port: 1812
Client address: 172.22.38.2 (VR-Default)
Shared secret : 2\q;sJ;@F=8Bjn
Access Requests : 13752 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 9168 Client timeouts : 4584
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-08-2014 07:04 PM
Sorry, I'm not familiar with the way that packet fence operates, however, if it's not routable, then there most likely wouldn't be a way to get a WOL packet to that device unless it's on the same VLAN.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-08-2014 06:35 PM
That allows traffic out of the port, but it doesn't help with routing the WOL packet to the device on the port.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-08-2014 06:31 PM
Try using 'configure netlogin ports allow egress-traffic all_cast'. This will allow all traffic to egress a port while in the unauthenticated state.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-08-2014 05:02 PM
We got this working finally, but now we realized that this method won't allow us to Wake On LAN unless someone has another solution.
Basically, devices are put int the "MAC_Temp" VLAN when powered off which appears to be a L2 VLAN that we can't forward anything to. Does anyone have any solutions on how to work around that?
Also, it looks like 802.1x instead of mac based authentication might allow WOL to work?
Basically, devices are put int the "MAC_Temp" VLAN when powered off which appears to be a L2 VLAN that we can't forward anything to. Does anyone have any solutions on how to work around that?
Also, it looks like 802.1x instead of mac based authentication might allow WOL to work?
