Using 802.1x with UNP

[jaygro]

Currently, we are using UNP on our 6850E's to assign access based on MAC addresses.
For several reasons, we would like to user 802.1x instead of MAC addresses. Unfortunately, from what I can gather from the documentation, it seems like 802.1x only supports per-port settings on the 6850E. Before delving too deeply into this, can anyone confirm that?

[silvio]

long ago that I have configured this at 6850 (end of sale many years ago).
But I am sure you can configure it at cli with port-ranges (similar to mac-auth).
BR Silvio

[davidb]

That's an issue we had as well. I ended up writing a loop in python with the configuration and ran that through ssh (not console). It was a rough script but got the job done.

[jaygro]

long ago that I have configured this at 6850 (end of sale many years ago).

EoS indeed... but very much still alive

But I am sure you can configure it at cli with port-ranges (similar to mac-auth).

Can't find anything in the Network Technology manual nor the command line that suggests that it is remotely possible for UNP. Only `mac-auth` seems available.

Individual single user ports, no problem. Multi-user UNP ports... not at all. Can't even get it to set a port to "mobile vlan mode"... and it doesn't even give me an error on the first try.

Code: Select all

test-6850E -> vlan port mobile 1/19
test-6850E -> vlan port mobile 1/19
ERROR: Port is absent or not a mobility candidate (tagged, aggregable, stacking, mirroring or vpls_access port)

[jaygro]

That's an issue we had as well. I ended up writing a loop in python with the configuration and ran that through ssh (not console). It was a rough script but got the job done.

Could you expound on what the script did? The way I understand UNP, I don't see how I should be able to interject myself/a script into the supplicant process.

Again, the issue isn't really the configuration for normal 802.1x but for user profile setups where a single port can have multiple users at the other end.

[davidb]

That's an issue we had as well. I ended up writing a loop in python with the configuration and ran that through ssh (not console). It was a rough script but got the job done.

Could you expound on what the script did? The way I understand UNP, I don't see how I should be able to interject myself/a script into the supplicant process.

Again, the issue isn't really the configuration for normal 802.1x but for user profile setups where a single port can have multiple users at the other end.

Maybe I'm misunderstanding what the original issue was. I was assuming you meant having to configure each port with the 802.1x settings that is needed. This is where the code came into play.

Specifically for 802.1x and UNP...you have to create the UNP profile, the ports need to be mobile and then configured for 802.1X. Whatever you're using as your policy server would need to send that UNP tag back to the switch and then the vlan will be assigned as a mobile tag if it is not the default VLAN.

For example:
aaa authentication 802.1x "server-name"
aaa authentication mac "server-name"
aaa user-network-profile name "UNP-MGMT" vlan <vlan id> hic disable
aaa user-network-profile name "UNP-PHONES" vlan <vlan id> hic disable

802.1x 1/5 direction in port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/5 captive-portal session-limit 12 retry-count 3
802.1x 1/5 captive-portal inactivity-logout disable
802.1x 1/5 supp-polling retry 2
802.1x 1/5 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/5 non-supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/5 captive-portal policy authentication pass default-vlan fail block

[jaygro]

Specifically for 802.1x and UNP...you have to create the UNP profile, the ports need to be mobile and then configured for 802.1X. Whatever you're using as your policy server would need to send that UNP tag back to the switch and then the vlan will be assigned as a mobile tag if it is not the default VLAN.

Got the profile set up and UNP working with UNP on a 6860E

However,
1. In the 6850E manual, there's no mention of interplay between 802.1x and UNP, only MAC and UNP (which we've got working fine in production), and
2. Port mobility is not working; not sure if it's a software issue (I think I'm running the _penultimate_ version of OS-OS)

Code: Select all

test-6850E -> vlan port mobile 1/19
test-6850E -> vlan port mobile 1/19
ERROR: Port is absent or not a mobility candidate (tagged, aggregable, stacking, mirroring or vpls_access port)

I'll try digging through our archives to find the last version and report back.

[davidb]

It looks like you have some type of other configuration on the port that is stopping it from becoming mobile. Check for everything in the error message. Search in your config snapshot (use more and then filter for your interface: </> for filter then *1/19* for filter pattern) for anything that is configured on that port and remove it before trying again. It may be easier to disable the port before removing config to avoid any errors. For reference we've had this in place for a few years now so I can't imagine you being on a version where this is unsupported. My reference switch is running 6.4.6.440.R01
This is my filtered output:

Code: Select all

Enter filter pattern: *1/5*
vlan 240 port default 1/5
vlan port mobile 1/5
vlan port 1/5 802.1x enable
802.1x 1/5 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/5 captive-portal session-limit 12 retry-count 3
802.1x 1/5 captive-portal inactivity-logout disable
802.1x 1/5 supp-polling retry 2
802.1x 1/5 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/5 non-supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/5 captive-portal policy authentication pass default-vlan fail block

[silvio]

davidb is correct and the message is clear: "ERROR: Port is absent or not a mobility candidate (tagged, aggregable, stacking, mirroring or vpls_access port)".
regards
Silvio

[jaygro]

There are no other configuration lines affecting said port (nor range commands covers the port in question).

Also, what clearly stands out to me is that it allows the port-mobility command once per port, per boot and only sending an error message on the repetition on the command. After neither issuance of the command is it added to the configuration snapshot, though.

I was about to paste in some more examples from the switch, but... now it... seems... to work?! That's unexpected, but I am not at the office today so I can't test if it actually works, but now it accepts the

Code: Select all

vlan port mobile 1/19
vlan port mobile 1/19

pair.

So stay tuned!