Using 802.1x with UNP
Currently, we are using UNP on our 6850E's to assign access based on MAC addresses.
For several reasons, we would like to use 802.1x instead of MAC addresses. Unfortunately, from what I can gather from the documentation, it seems like 802.1x only supports per-port settings on the 6850E. Before delving too deeply into this, can anyone confirm that?
I'm only used to Cisco yet here I am :-)
Re: Using 802.1x with UNP
It has been a long time since I configured this on a 6850 (end of sale many years ago).
But I am sure you can configure it at cli with port-ranges (similar to mac-auth).
BR Silvio
Re: Using 802.1x with UNP
That's an issue we had as well. I ended up writing a loop in python with the configuration and ran that through ssh (not console). It was a rough script but got the job done.
Re: Using 802.1x with UNP
EoS indeed... but very much still alive
Can't find anything in the Network Technology manual nor the command line that suggests that it is remotely possible for UNP. Only `mac-auth` seems available.
Individual single user ports, no problem. Multi-user UNP ports... not at all. Can't even get it to set a port to "mobile vlan mode"... and it doesn't even give me an error on the first try.
Code:
test-6850E -> vlan port mobile 1/19
test-6850E -> vlan port mobile 1/19
ERROR: Port is absent or not a mobility candidate (tagged, aggregable, stacking, mirroring or vpls_access port)
I'm only used to Cisco yet here I am :-)
Re: Using 802.1x with UNP
Could you expound on what the script did? The way I understand UNP, I don't see how I should be able to interject myself/a script into the supplicant process.
Again, the issue isn't really the configuration for normal 802.1x but for user profile setups where a single port can have multiple users at the other end.
I'm only used to Cisco yet here I am :-)
Re: Using 802.1x with UNP
jaygro wrote: ↑23 Nov 2021 04:13
    Could you expound on what the script did? The way I understand UNP, I don't see how I should be able to interject myself/a script into the supplicant process.
    Again, the issue isn't really the configuration for normal 802.1x but for user profile setups where a single port can have multiple users at the other end.
Maybe I'm misunderstanding what the original issue was. I was assuming you meant having to configure each port with the 802.1x settings that are needed. This is where the code came into play.
Specifically for 802.1x and UNP...you have to create the UNP profile, the ports need to be mobile and then configured for 802.1X. Whatever you're using as your policy server would need to send that UNP tag back to the switch and then the vlan will be assigned as a mobile tag if it is not the default VLAN.
For example:
aaa authentication 802.1x "server-name"
aaa authentication mac "server-name"
aaa user-network-profile name "UNP-MGMT" vlan <vlan id> hic disable
aaa user-network-profile name "UNP-PHONES" vlan <vlan id> hic disable
802.1x 1/5 direction in port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/5 captive-portal session-limit 12 retry-count 3
802.1x 1/5 captive-portal inactivity-logout disable
802.1x 1/5 supp-polling retry 2
802.1x 1/5 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/5 non-supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/5 captive-portal policy authentication pass default-vlan fail block
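The per-port loop davidb mentions in his earlier reply, as an added example that is not his script and not part of the thread: it expands a slot/port range and emits, per port, only command lines that appear in this thread (the `aaa` lines, `vlan port mobile`, `vlan port ... 802.1x enable` and the `802.1x <port> ...` settings). The range syntax `slot/first-last` and the comma-separated list are my assumptions; the function returns text and does not push anything over SSH.

```python
"""Expand a slot/port range into per-port 802.1x + UNP configuration lines.

Added example (not the thread's code). Only command lines that appear in
the thread are reproduced; the range syntax accepted here is an assumption.
"""
import re

# Per-port template taken from the example config posted in the thread.
# {p} is the slot/port; {d} is the 802.1x direction (the thread shows
# both "in" and "both", so it is a parameter here).
PORT_TEMPLATE = (
    "vlan port mobile {p}",
    "vlan port {p} 802.1x enable",
    "802.1x {p} direction {d} port-control auto quiet-period 60 tx-period 30 "
    "supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication",
    "802.1x {p} captive-portal session-limit 12 retry-count 3",
    "802.1x {p} captive-portal inactivity-logout disable",
    "802.1x {p} supp-polling retry 2",
    "802.1x {p} supplicant policy authentication pass group-mobility default-vlan fail block",
    "802.1x {p} non-supplicant policy authentication pass group-mobility default-vlan fail block",
    "802.1x {p} captive-portal policy authentication pass default-vlan fail block",
)

# Assumed range syntax: "1/5", "1/1-24", or a comma-separated mix of both.
_RANGE = re.compile(r"^(\d+)/(\d+)(?:-(\d+))?$")


def expand_ports(spec):
    """'1/5' -> ['1/5']; '1/1-3' -> ['1/1', '1/2', '1/3']."""
    ports = []
    for item in spec.split(","):
        m = _RANGE.match(item.strip())
        if not m:
            raise ValueError(f"bad port spec: {item!r}")
        slot, start = m.group(1), int(m.group(2))
        end = int(m.group(3)) if m.group(3) else start
        if end < start:
            raise ValueError(f"range end before start: {item!r}")
        ports.extend(f"{slot}/{n}" for n in range(start, end + 1))
    return ports


def build_config(port_spec, profiles, radius_server, direction="both"):
    """Return the global lines followed by the per-port block for every port.

    profiles: {"UNP-MGMT": 240, ...} mapping UNP name -> VLAN id.
    """
    lines = [
        f'aaa authentication 802.1x "{radius_server}"',
        f'aaa authentication mac "{radius_server}"',
    ]
    for name, vid in profiles.items():
        lines.append(f'aaa user-network-profile name "{name}" vlan {vid} hic disable')
    for p in expand_ports(port_spec):
        lines.extend(t.format(p=p, d=direction) for t in PORT_TEMPLATE)
    return lines


if __name__ == "__main__":
    print("\n".join(build_config("1/1-24", {"UNP-MGMT": 240, "UNP-PHONES": 241}, "server-name")))
```

Reviewing the generated text before pasting it in keeps the per-port settings identical across the range, which is the point of scripting it; the VLAN ids and server name above are placeholders.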
Re: Using 802.1x with UNP
davidb wrote: ↑23 Nov 2021 10:33
    Specifically for 802.1x and UNP...you have to create the UNP profile, the ports need to be mobile and then configured for 802.1X. Whatever you're using as your policy server would need to send that UNP tag back to the switch and then the vlan will be assigned as a mobile tag if it is not the default VLAN.
Got the profile set up and UNP working with UNP on a 6860E
However,
1. In the 6850E manual, there's no mention of interplay between 802.1x and UNP, only MAC and UNP (which we've got working fine in production), and
2. Port mobility is not working; not sure if it's a software issue (I think I'm running the _penultimate_ version of OS-OS)
Code:
test-6850E -> vlan port mobile 1/19
test-6850E -> vlan port mobile 1/19
ERROR: Port is absent or not a mobility candidate (tagged, aggregable, stacking, mirroring or vpls_access port)
I'm only used to Cisco yet here I am :-)
Re: Using 802.1x with UNP
It looks like you have some type of other configuration on the port that is stopping it from becoming mobile. Check for everything in the error message. Search in your config snapshot (use more and then filter for your interface: </> for filter then *1/19* for filter pattern) for anything that is configured on that port and remove it before trying again. It may be easier to disable the port before removing config to avoid any errors. For reference we've had this in place for a few years now so I can't imagine you being on a version where this is unsupported. My reference switch is running 6.4.6.440.R01
This is my filtered output:
Code:
Enter filter pattern: *1/5*
vlan 240 port default 1/5
vlan port mobile 1/5
vlan port 1/5 802.1x enable
802.1x 1/5 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/5 captive-portal session-limit 12 retry-count 3
802.1x 1/5 captive-portal inactivity-logout disable
802.1x 1/5 supp-polling retry 2
802.1x 1/5 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/5 non-supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/5 captive-portal policy authentication pass default-vlan fail block
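The snapshot check davidb describes (filter the configuration for the port, then look for anything matching the categories in the error message), as an added example that is not from the thread. The blocking categories are the switch's own words ("tagged, aggregable, stacking, mirroring or vpls_access"); which keywords identify each of them in a snapshot line is my assumption, as is the constructed snapshot text, so treat a clean result as "nothing obvious found" and a hit as a line to review by hand.

```python
"""Filter a config snapshot for one port and flag lines that would keep the
port from becoming mobile.

Added example, not the thread's code. The category names come from the
switch error message quoted in the thread; the keyword mapping and the
sample snapshot below are assumptions constructed for illustration.
"""
import re

# Assumed snapshot keywords for each category named in the error message.
BLOCKERS = {
    "tagged": ("802.1q",),
    "aggregable": ("linkagg",),
    "mirroring": ("mirror",),
    "vpls_access": ("vpls",),
}

# Constructed sample: 1/5 is the working port from the thread, 1/19 has two
# made-up lines that would make it a non-candidate.
SNAPSHOT = """\
vlan 240 port default 1/5
vlan port mobile 1/5
vlan port 1/5 802.1x enable
vlan 240 port default 1/19
vlan 300 802.1q 1/19
port mirroring source 1/19 destination 1/1
"""


def lines_for_port(snapshot, port):
    """Equivalent of the 'more' filter *1/19*, but exact: '1/1' does not
    match '1/19'. Range commands (e.g. 1/1-24) are not expanded."""
    pat = re.compile(r"(?<![\d/])" + re.escape(port) + r"(?![\d/])")
    return [ln for ln in snapshot.splitlines() if pat.search(ln)]


def mobility_blockers(snapshot, port):
    """Return {category: [matching lines]}; an empty dict means no hit."""
    found = {}
    for ln in lines_for_port(snapshot, port):
        low = ln.lower()
        for cat, keys in BLOCKERS.items():
            if any(k in low for k in keys):
                found.setdefault(cat, []).append(ln)
    return found


def is_mobility_candidate(snapshot, port):
    """True when none of the assumed blocking keywords apply to the port."""
    return not mobility_blockers(snapshot, port)


if __name__ == "__main__":
    for p in ("1/5", "1/19"):
        print(p, "candidate" if is_mobility_candidate(SNAPSHOT, p) else mobility_blockers(SNAPSHOT, p))
```

The exact-match regex matters on a 6850E with dozens of ports, because a loose `*1/1*` filter also returns every line for 1/10 through 1/19; the stacking category has no keyword here, since nothing in the thread shows how it appears in a snapshot.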
Re: Using 802.1x with UNP
davidb is correct and the message is clear: "ERROR: Port is absent or not a mobility candidate (tagged, aggregable, stacking, mirroring or vpls_access port)".
regards
Silvio
Re: Using 802.1x with UNP
There are no other configuration lines affecting said port (nor range commands covers the port in question).
Also, what clearly stands out to me is that it allows the port-mobility command once per port, per boot and only sending an error message on the repetition on the command. After neither issuance of the command is it added to the configuration snapshot, though.
I was about to paste in some more examples from the switch, but... now it... seems... to work?! That's unexpected, but I am not at the office today so I can't test if it actually works, but now it accepts the
Code:
vlan port mobile 1/19
vlan port mobile 1/19
pair.
So stay tuned!
I'm only used to Cisco yet here I am :-)