802.1x and 802.1q

zio
Member
Posts: 3
Joined: 11 Mar 2019 09:02

802.1x and 802.1q

Post by zio » 11 Mar 2019 09:23

Hi all,

I'm new to Alcatel switches. I'm currently trying to configure 802.1x on ports that have tagged VLANs. Our goal is to authenticate CPEs with 802.1x; the ports connected to these CPEs have up to 5 tagged VLANs allowed. This setup is working with some other switch vendors.

From the documentation, this setup seems not to be possible on the OS6400.

In fact I'm already stuck on the 'vlan port mobile' configuration:
-> vlan port mobile 1/10
ERROR: Port is absent or not a mobility candidate (tagged, aggregable, stacking, mirroring or vpls_access port)

An example of the current 802.1x config and the config of port 1/10:
aaa radius-server "dot1x_radius" host 192.168.1.1 key d677d90111162ebb7161c0858c2acba38 retransmit 3 timeout 2 auth-port 1812 acct-port 1813
aaa authentication 802.1x "dot1x_radius"
!
vlan 10 port default 1/10
!
qos port 1/10 trusted default classification 802.1p
!
port mapping 1 user-port 1/10
!
vlan 11 802.1q 1/10 "TAG PORT 1/10 VLAN 11"
vlan 22 802.1q 1/10 "TAG PORT 1/10 VLAN 22"
vlan 23 802.1q 1/10 "TAG PORT 1/10 VLAN 23"
vlan 24 802.1q 1/10 "TAG PORT 1/10 VLAN 24"
vlan 55 802.1q 1/10 "TAG PORT 1/10 VLAN 25"

Does anyone know if this kind of setup is possible and, if so, has an example?

Thanks in advance!

silvio
Alcatel Unleashed Certified Guru
Posts: 1393
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1x and 802.1q

Post by silvio » 12 Mar 2019 16:13

Correct, for 802.1x the port has to be mobile. But tagging is not allowed on mobile ports... besides "mobile tag".
For this you disable the VLAN tags for all the ports (besides the uplink to other switches), make the port mobile and allow VLAN tags for all necessary VLANs:
vlan 11 mobile-tag enable etc.
regards
Silvio

zio
Member
Posts: 3
Joined: 11 Mar 2019 09:02

Re: 802.1x and 802.1q

Post by zio » 13 Mar 2019 11:02

Hi Silvio,

Thanks for the help, I was able to enable the 802.1x on the port.
The supplicant on the end device successfully authenticates, but the traffic is not allowed.

How can I allow my tagged VLANs when the supplicant is authenticated?
In the configuration guide they talk about Group Mobility to allow VLANs, but I don't understand how to configure that.

My current config:
vlan 11 mobile-tag enable
vlan 22 mobile-tag enable
vlan 23 mobile-tag enable
vlan 24 mobile-tag enable
!
vlan 10 port default 1/20
!
vlan port mobile 1/20
vlan port 1/20 802.1x enable
802.1x 1/20 supplicant policy authentication pass group-mobility default-vlan fail block

Olivier

silvio
Alcatel Unleashed Certified Guru
Posts: 1393
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1x and 802.1q

Post by silvio » 15 Mar 2019 11:19

Hi Olivier,
for this you need the ip-net as the classification feature (VLAN isn't possible):

802.1x 1/20 non-supplicant policy group-mobility
aaa user-network-profile name VL11 vlan 11
aaa user-network-profile name VL22 vlan 22
aaa user-network-profile name VL23 vlan 23
aaa classification-rule ip-address 10.1.11.0 mask 255.255.255.0 user-network-profile VL11
aaa classification-rule ip-address 10.1.22.0 mask 255.255.255.0 user-network-profile VL22
aaa classification-rule ip-address 10.1.23.0 mask 255.255.255.0 user-network-profile VL23
You can check with "show aaa-device all-users".

regards
Silvio
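An added consistency check (example code, not from the thread or from Alcatel): it parses the mobile-tag, user-network-profile and ip-address classification-rule lines in the style shown above and reports gaps that would leave an authenticated CPE without a usable VLAN, which is the "authenticated but no traffic" symptom from earlier in the thread. The sample config and subnets are constructed, and first-match rule order in classify() is an assumption about how the switch evaluates rules, not documented behaviour.

```python
import ipaddress
import re
# Constructed sample in the style of the thread (not from a real switch): VLAN 24
# is mobile-tagged but has no profile, and the last rule names an undefined profile.
SAMPLE_CONFIG = """
vlan 11 mobile-tag enable
vlan 22 mobile-tag enable
vlan 24 mobile-tag enable
aaa user-network-profile name VL11 vlan 11
aaa user-network-profile name VL22 vlan 22
aaa classification-rule ip-address 10.1.11.0 mask 255.255.255.0 user-network-profile VL11
aaa classification-rule ip-address 10.1.22.0 mask 255.255.255.0 user-network-profile VL22
aaa classification-rule ip-address 10.1.99.0 mask 255.255.255.0 user-network-profile VL99
"""
RE_TAG = re.compile(r"^vlan (\d+) mobile-tag enable$")
RE_UNP = re.compile(r"^aaa user-network-profile name (\S+) vlan (\d+)$")
RE_RULE = re.compile(r"^aaa classification-rule ip-address (\S+) mask (\S+) "
                     r"user-network-profile (\S+)$")

def parse(config):
    """Return (mobile-tagged vlans, {profile: vlan}, [(network, profile)])."""
    tagged, profiles, rules = set(), {}, []
    for line in map(str.strip, config.splitlines()):
        if m := RE_TAG.match(line):
            tagged.add(int(m[1]))
        elif m := RE_UNP.match(line):
            profiles[m[1]] = int(m[2])
        elif m := RE_RULE.match(line):
            rules.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
    return tagged, profiles, rules

def audit(config):
    """List gaps that would leave an authenticated CPE without a usable VLAN."""
    tagged, profiles, rules = parse(config)
    findings = []
    for vlan in sorted(tagged - set(profiles.values())):
        findings.append(f"vlan {vlan}: mobile-tag enabled but no user-network-profile")
    for name, vlan in profiles.items():
        if vlan not in tagged:
            findings.append(f"profile {name}: vlan {vlan} is not mobile-tagged")
    for net, name in rules:
        if name not in profiles:
            findings.append(f"rule {net}: references undefined profile {name}")
    return findings

def classify(config, ip):
    """VLAN the first matching rule (in config order, an assumption) gives ip, else None."""
    _, profiles, rules = parse(config)
    addr = ipaddress.ip_address(ip)
    return next((profiles.get(n) for net, n in rules if addr in net), None)
```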

zio
Member
Posts: 3
Joined: 11 Mar 2019 09:02

Re: 802.1x and 802.1q

Post by zio » 21 Mar 2019 02:38

Hi Silvio,

Thanks for the tips, I will test that.

Regards,
Olivier
