Alcatel Unleashed

Hi guys,
we´re using MacMon as Radius server for automatic vlan assignment (MAC-based) on our HP system.
Now I´d like to use this in our new Alcatel LAN enviroment as well.
Can someone please tell me the 802.1x commands on an Alcatel switch?

Thanks in advance
Thomas

You can find detailed information and examples from ALE in the Network Configuration Guide in section 35 (Access Guardian) but something like this might get you started in the right direction:
This setup gives you 3 vlans, and based on the returned value from MACMON, the relevant MAC gets assigned into either of the 3.
The filter-id MACMON returns must match the unp profile name like-for-like.
Also, there's loads of cavebeats you can add to this, such as redundancy and failover scenarios, and you'll have some additional examples both in the manual and here in the forums if you search for similar AG or 802.1x examples.

Hi Thomas,
I have often seen that the technicans from MACmon prefere to use MAC-based authentication by changing the vlan config in the switch via snmp. This is not possible at UNP-ports. 802.1x like explained is the best way. If you still need MAC-based than you need MAC-authentication against MACmon. This is possible there - but often the MACmon technicans don't know...
BR Silvio

Hi guys,
we´ve decided to use freeradius instead of MacMon. Therefore I´ve got installed a freeradius server with Daloradius Web-Frontend. Everything ist running well. WLAN user authentication is configured with username/password on freeradius, all ist good.
Now I want to authenticate a laptop via MAB on a switchport from my Alcatel switch. I have used the recommended Alcatel configuration for Radius authentication. DHCP relay is configured and running on my switch for VLAN 1 default (getting addresses from a isc-dhcp-server on vlan 1).
As it is only a test, I therefor have configured vlan 1 only for access.
Mac Address from my laptop (20:7B:D2:A3:C2:75) has configured on Freeradius database

aaa radius-server 'Freeradius' host 1.2.3.4 key xxxxxxxx
aaa device-authentication mac 'Freeradius'

unp profile 'ACCOUNTS'
unp profile 'ACCOUNTS' map vlan 1

unp port-template 'TEMPLATE' mac-authentication
unp port 1/1/1 port-type bridge
unp port 1/1/1 port-template 'TEMPLATE'

But I always getting the following error message by Freeradius debugging:

Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [207BD2A3C275] (from client private-network-1 port 1001 cli 207BD2A3C275)

Maybe I´m doing something wrong on the Freeradius server but at least I would like to know if the basic configuration for MAB is correct on my Alcatel switch.

Thanks
Thomas

check the output of "show unp user details"

My prefered config is: I had a case some years ago where I needed for mac auth the entry for 802.1x too. Also I prefere an aaa profile and always a default profile (if the auth is not successfull).

For mac auth you have to know that the switch is sending the mac address per default in uppercase without delimiter as user and password.
You see this in your log 207BD2A3C275. So you need in you database this format for user and pw.
Or you change this in the aaa profile f.e. for format 2c:44:fd:36:a1:09 use:
BR Silvio

Hi Silvio,
you`re correct with MAC address, after I configured address without delimeter in format 207BD2A3C275 on freeradius I got a:

Login OK: [207BD2A3C275] (from client private-network-1 port 1001 cli 207BD2A3C275)

But I still get no VLAN ID on that port, will check this with your recommendation and will let you know

Thanks for the time being

Thomas

you need to configure at the RADIUS the returnt attribute "filter-id" - this must be your unp profile.
BR Silvio

Hi Silvio,
i´ve installed the following attributes on Freeradius for Profile VLAN 1:

Tunnel-Type 13 = reply
Tunnel-Medium-Type 6 = reply
Tunnel-Private-Group-ID 1 = reply

The Tunnel-Private-ID should be the Filter-ID. All those attributes are from dictionary.rfc.2868 on Freeradius server.
First and second attributes are given by default RFC2868
Let´s see whether the Alcatel switch works with this profile settings and your preferred config for unp.

Thanks
Thomas

no - Tunnel-Private-Group-ID 1 is direct vlan.
This is possible too - but not recommended by me. F.e. you send the id 1 (means vlan 1) you need to create a unp profile "1" mapped to vlan 1.
better is to use filter-id. Here an example from an user.conf (freeradius):

user-xyz user-password == "xyz...."
Filter-id = ACCOUNTS

Ok Silvio, understand.
Just let me check whether it‘s possible to use filter-id as an
Attribute in my Freeradius Daloradius Web-Gui.

Thanks
Thomas