Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey
Contributor
I have created an onboard RADIUS and role-based firewall (sort of),
so this is what I have done so far,

from the CLI
#conf
#radius-server-policy RADIUS
#commit write
#radius-group Guest
#guest
#..
#radius-group Corp
#..
#radius-user-pool CORP-USER
#user UKROI password #976301234 group corp
#commit write
#profile rfs7000 default-rfs7000
#use radius-server-policy RADIUS
#commit write

#role-policy RBFW
#user-role Guest precedence 1
#assign vlan 999
#ssid contains Guest
#..
#user-role Corp precedence 2
#assign vlan 1000
#group exact Corp
#commit write
#aaa-policy INTERNAL-AAA
#authentication server 1 onboard-controller
I have created a wlan and assigned the aaa-policy INTERNAL_AAA

then in the ap profile under settings I have added the RBFW in the wireless client role policy

The problem I have
I only have two production VLANs, so I cannot put the AAA server on these, but I need to get to a server on the main VLAN.

I can see the dot1x WLAN that is part of the test. If I use my mobile phone and try to connect, it prompts for a username and a password as it should. I then put these details in,
select MS-CHAPv2, then there is an option about a certificate, where I select none,
then under the username it shows anonymous,
then drop to password and enter this,
then it shows connecting, then gives up.
Now I think it's due to the fact that VLANs 999 & 1000 do not have any DHCP server to give the device an IP.

So can I set up a DHCP server on the RFS7k (WiNG 5.8.5) that will only dish out addresses on the dot1x WLAN? Then route off to our main VLAN to attach to a test server.

Lot of information and questions - but any help appreciated

24 REPLIES

Andrew_Webster
New Contributor III
The AAA service is only used on the WLAN if you call for it to be used. I suspect the role policy might have something to do with that. In reality you don't really need the role policy here. You're trying to change the vlan based on the name of the ssid, but that is something that you can define in a wlan.

Consider the following:

wlan corp
 ssid corp
 vlan 1
 encryption-type ccmp
 authentication-type none
 wpa-wpa2 psk 0 some-secret-key
 ...
wlan test
 ssid test
 vlan 1
 encryption-type ccmp
 authentication-type eap
 use aaa-policy your-aaa-server-policy
 ...

In the above scenario both corp and test are using vlan 1, but corp uses WPA2-PSK and test uses WPA2-Enterprise (dot1x).

Phil_storey
Contributor
I think I tried that, but I must have done something wrong, as all the users on the wifi were being prompted for a username and password. I must have done something wrong with regard to the AAA server? There is no AAA server/service on vlan1.

Andrew_Webster
New Contributor III
If you want to test proof of concept, I would suggest you make your test wlan terminate on vlan 1. This will keep it simple and allow you to demonstrate the peap authentication without having to re-engineer your network.

There is no restriction on having multiple WLANs with different security levels all connect to the same vlan.

Phil_storey
Contributor
Hi Andrew
thanks for the very swift response. So I have set up the test WLAN; the device that will connect via this is a tablet, and all the test WLAN is for is to prove that our device will support PEAP.
So the devBod at our place has asked if it's possible to
connect to the dot1x network with a username and password that he has supplied me, then for it to connect to a test server on a different VLAN (vlan 1).

So on the switch there is no DHCP server running.

So the device will be on vlan 999 but the test server is on vlan 1. (It looks like this might get complicated.)

Andrew_Webster
New Contributor III
The RFS can act as a DHCP server quite easily

For example:

dhcp-server-policy RFS
 dhcp-pool Guest
  network 10.254.254.0/24
  address range 10.254.254.10 10.254.254.254
  default-router 10.254.254.1
  dns-server 8.8.8.8 8.8.4.4

In the RFS's config you need to "use" the dhcp server policy to activate it.

You also need to have a switch virtual interface vlan defined in the same subnet, and this same vlan # must be used in the WLAN config.

You can use the "show ip dhcp status" command to verify that the DHCP server is actually running.

Lastly, how do you plan on getting return traffic back to vlan 999 or 1000? I.e. if a host on vlan 999 communicates with server X, the server will receive the packet just fine, but how is it going to know where to send the reply?
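As an added example, not posted by either participant and not verified on the original poster's RFS7000, here is a WiNG CLI fragment that puts the three pieces from this reply together: the DHCP pool, the SVI on the same VLAN number the test WLAN terminates on, and the policy activated under the controller profile, followed by the verification command and the return route. The 10.254.254.0/24 subnet, VLAN 999 as the test VLAN, the pool name DOT1X-TEST and the upstream router's static route (generic syntax, with a placeholder for the RFS's VLAN 1 address) are assumptions; the aaa-policy name INTERNAL-AAA is the one from the thread.

```text
! DHCP pool for the dot1x test WLAN (assumed subnet 10.254.254.0/24)
dhcp-server-policy RFS
 dhcp-pool DOT1X-TEST
  network 10.254.254.0/24
  address range 10.254.254.10 10.254.254.254
  default-router 10.254.254.1
  dns-server 8.8.8.8 8.8.4.4
!
! SVI in the pool's subnet on the VLAN the WLAN uses (assumed 999),
! and the DHCP policy activated on the controller profile
profile rfs7000 default-rfs7000
 use dhcp-server-policy RFS
 interface vlan 999
  ip address 10.254.254.1/24
!
! The test WLAN must land on that same VLAN number
wlan test
 ssid test
 vlan 999
 encryption-type ccmp
 authentication-type eap
 use aaa-policy INTERNAL-AAA
!
commit write
!
! Verify that the DHCP server is actually running:
! show ip dhcp status
!
! Return path (assumption: the gateway for vlan 1 is a separate router;
! command syntax is generic, not WiNG-specific). Without a route back to
! the client subnet, the test server's replies never reach vlan 999.
! ip route 10.254.254.0/24 <RFS-VLAN1-IP>
```

The design point is that the client subnet, the SVI address and the pool's default-router must all agree, and that the client's traffic is only half the conversation: the VLAN 1 side needs a route back to 10.254.254.0/24 via the RFS, or the test "connects" at layer 2 but the server's replies are dropped.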
