Command 802.1x Alcatel with mobile port
-
yangg
Command 802.1x Alcatel with mobile port
Hi, let's start with what is working.
I successfully installed, configured and have had running for the past month an NPS server (2008R2) with all wireless devices on our LAN:
mobility switch AOS-W 6.0.1.3
12 Access Points
NPS server
Laptop
smartphone
NPS
All those parts are working.
Now I am trying to enable 802.1x on a wired switch; I am doing my tests on a 6250 switch. So far here are the commands I entered for configuration:
vlan port 3/8 802.1x enable <-- my PC port on the switch
aaa user-network-profile name Data vlan 1
aaa user-network-profile name VoIP vlan 2
aaa classification-rule mac-address 00:e0:b1:ae:9d:c6 00:e0:b1:ea:9d:e1 user-network-profile VoIP
802.1x 3/8 supplicant policy authentication fail user-network-profile VoIP
802.1x 3/8 non-supplicant policy authentication pass fail block
What I have to deal with are mobile-VLAN NEC IP phones plus the computers connected to them (Windows 7 PCs). So I think my previous commands are doing:
enable 802.1x on the port of the test PC
create 2 profiles I will use for authentication
I try not to authenticate the IP phones by putting them in the VoIP profile by MAC address (we use this information so the switch can put phones in VLAN 2 and others in VLAN 1)
I am really not sure about supplicant, non-supplicant and profiles; I read the doc but it is not so clear, or I misunderstood it.
With those commands authentication doesn't go to the NPS server.
Here is my RADIUS server configuration:
-> show aaa server
Server name = server1
Server type = RADIUS,
IP Address 1 = 10.132.177.63,
Retry number = 3,
Time out (sec) = 2,
Authentication port = 40,
Accounting port = 41,
Nas port = default,
Nas port id = disable,
Nas port type = ethernet,
Mac Addr Format Status = disable,
Mac Address Format = lowercase,
Unique Acct Session Id = enable
Server name = server2
Server type = RADIUS,
IP Address 1 = 10.132.134.27,
Retry number = 3,
Time out (sec) = 2,
Authentication port = 1812,
Accounting port = 1813,
Nas port = default,
Nas port id = disable,
Nas port type = ethernet,
Mac Addr Format Status = disable,
Mac Address Format = lowercase,
Unique Acct Session Id = disable
When I try
aaa test-radius-server server2 type authentication user CROM\lagmar password "Password"
Access-Challenge from 10.132.134.27 Port 1812 Time: 517 ms
Reply from 10.132.134.27 port 1812 req_num<0>: timeout
Reply from 10.132.134.27 port 1812 req_num<1>: timeout
Reply from 10.132.134.27 port 1812 req_num<2>: timeout
Reason Code: 3
Reason: The RADIUS Request message that Network Policy Server received from the network access server was malformed.
-
yangg
Re: Command 802.1x Alcatel with mobile port
Found one error:
replace
aaa classification-rule mac-address 00:e0:b1:ae:9d:c6 00:e0:b1:ea:9d:e1 user-network-profile VoIP
by:
aaa classification-rule mac-address-range 00:60:b9:00:00:00 00:60:b9:ff:ff:ff user-network-profile VoIP
But it still doesn't receive authentication on the RADIUS server.
-
yangg
Re: Command 802.1x Alcatel with mobile port
Thanks everyone, I fixed my problem. Actually everything is working except the NEC IP phone doesn't pass authentication to the switch, or the switch doesn't want 2 devices on one port.
-
devnull
Re: Command 802.1x Alcatel with mobile port
I think I have seen multiple devices behind one port on a 6250, so it is probably the phone.
-
yangg
Re: Command 802.1x Alcatel with mobile port
Yes, this is why I called NEC; they say the phone doesn't filter anything. So I tried a show 802.1x non-supplicant and see both MAC addresses: one is accepted and the other one is blk-block. I guess the switch doesn't want to pass authentication for both devices on the same port? Could that be a problem with the mobile port configuration? I am not the person who configured the switch for VoIP.
Thanks
-
benny
Re: Command 802.1x Alcatel with mobile port
The configuration that you posted is incomplete. The OS6250 definitely supports more than one non-supplicant/supplicant per port.
Did you configure "aaa authentication mac server1" and "aaa authentication 802.1x server1"?
If you just wanted to have group-mobility, then there is no need for all the authentication.
Your current configuration doesn't tell the switch to do group-mobility as you removed those options from the CLI that you posted.
Kindly post a full configuration output.
B
-
yangg
Re: Command 802.1x Alcatel with mobile port
Thanks benny for the reply. I will post the full config of the switch tomorrow around 8:30 AM GMT-5.
For now I am at home and can post this part. I am not the guy who set up the switch for VoIP.
> show configuration snapshot aaa
! AAA :
aaa radius-server "CRDI06CROM01464" host 10.132.177.63 key 6ce776aaca17893fc172076692cf3c68 retransmit 3 timeout 5 auth-port 40 acct-port 41 mac-address-format-status enable mac-address-format lowercase
aaa radius-server "CRDI06CROM01270(NPS)" host 10.132.134.27 key f70f71f6633015f29f2f22c74757b70e retransmit 3 timeout 5 auth-port 1812 acct-port 1813 mac-address-format-status enable mac-address-format lowercase unique-acct-session-id enable
aaa authentication default "local"
aaa authentication console "local"
aaa authentication snmp "local"
aaa authentication 802.1x "CRDI06CROM01270(NPS)" "CRDI06CROM01464"
aaa authentication mac "CRDI06CROM01270(NPS)" "CRDI06CROM01464"
aaa accounting 802.1x "CRDI06CROM01270(NPS)" "CRDI06CROM01464"
aaa accounting mac "CRDI06CROM01270(NPS)" "CRDI06CROM01464"
aaa user-network-profile name "DATA" vlan 1 hic disable
aaa user-network-profile name "VoIP" vlan 2 hic disable
aaa classification-rule mac-address-range 00:60:b9:00:00:00 00:60:b9:ff:ff:ff user-network-profile name "VoIP"
! PARTM :
! 802.1x :
802.1x 3/8 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authentication
802.1x 3/8 captive-portal session-limit 12 retry-count 3
802.1x 3/8 supp-polling retry 2
802.1x 3/8 captive-portal inactivity-logout disable
802.1x 3/8 supplicant policy authentication pass vlan 1 block fail block
802.1x 3/8 non-supplicant policy group-mobility block
802.1x 3/8 captive-portal policy authentication pass default-vlan fail block
-> show 802.1x non-supplicant
Slot MAC MAC Authent Classification Vlan
Port Address Status Policy Learned
-----+-----------------+----------------+-------------------+--------
03/08 00:60:b9:5c:e4:ed N/A Basic-UNP-AAA Rule 2
03/08 18:03:73:d2:51:ae N/A Basic-Blk 1
If you can provide me with the command to show the VoIP conf it will be nice.
-
benny
Re: Command 802.1x Alcatel with mobile port
Right now it doesn't matter what application is running on top of those devices (voip, printing, whatever) - we want to find out why your network doesn't behave as it should.
The configuration you posted for port 3/8 does not go to the Radius server for MAC addresses
- This is due to the missing "authentication" in the command, it should read: "802.1x 3/8 non-supplicant policy authentication <whatever you now want for pass / fail>"
If "authentication" is missing it will do all actions locally, this configuration doesn't match what you posted earlier.
B
-
yangg
Re: Command 802.1x Alcatel with mobile port
Ok, this is my problem with the 802.1x commands: I don't know how to use them. I tried to read the 6800 PDF. They give examples; I still can't figure out how to use them.
What I am trying to do is:
authentication of computers against the NPS server; we use PEAP with domain computers (certificate). After that I will use 802.1x non-supplicant because I do have a policy on my NPS for devices without the certificate feature (PAP = they have an AD account with the MAC address as username and password). And third, I want to put all NEC IP phones in VLAN 2 (this is where they are actually) based on the MAC address:
aaa classification-rule mac-address-range 00:60:b9:00:00:00 00:60:b9:ff:ff:ff user-network-profile name "VoIP"
As we can see in the output, I think I managed to do that? But I still need to add authentication in the command:
802.1x 3/8 non-supplicant policy group-mobility block
like
802.1x 3/8 non-supplicant policy authentication group-mobility block
I have difficulty understanding the pass / fail / block.
Thank you, and sorry, I was supposed to post more config output but I was on an emergency and didn't go to the client site.
-
benny
Re: Command 802.1x Alcatel with mobile port
Hi,
If you want to go to the RADIUS server for each MAC address that you're learning on a switch port, the config has to look like this:
802.1x 3/8 supplicant policy authentication pass vlan 1 block fail block
802.1x 3/8 non-supplicant policy authentication pass group-mobility fail block
Here is some more explanation:
"supplicant" means it talks to the switch with EAP and everything needed for 802.1x-based authentication (think of a device that can do 802.1x).
"non-supplicant" are devices that don't know EAP and all the 802.1x-based stuff (note that most of the equipment today should be capable of doing it, so make sure your phones are not accidentally replying to the 802.1x).
You'll be in the "pass" branch if the RADIUS server returns an ACCESS-ACCEPT for the MAC address of the NEC telephone (for that you'll need to do configuration on the NPS!). Assuming the MAC address is allowed in, the switch will (and only then) follow the "group-mobility" rules that you created. If you "fail" it will block the access from happening.
Here is a diagram that I liked to show during my customer/partner conferences; I hope this makes things clearer ... you see that you need "authentication" to be in the correct tree.
Benny
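The non-supplicant path yangg describes (an AD account whose username and password are both the MAC address, checked over PAP) and benny's pass/fail explanation come down to one RADIUS Access-Request and its Access-Accept or Access-Reject. The block below is an added example written for this page; it is not code from the thread, from Alcatel-Lucent, or from Microsoft NPS. It simulates both the switch (NAS) side and the server side in one Python process so it runs offline. The shared secret `SECRET`, the allowed-MAC table `ALLOWED` and the mapping of that MAC to VLAN 2 are assumptions; the phone MAC 00:60:b9:5c:e4:ed is taken from the `show 802.1x non-supplicant` output above. It shows what `mac-address-format lowercase` produces as User-Name, how PAP's User-Password is obfuscated with the shared secret and Request Authenticator (RFC 2865 section 5.2), the Message-Authenticator check (RFC 3579) whose failure is a silent discard that the NAS only ever sees as a timeout, the Length check a server performs before anything else, and how an Access-Accept can carry the VLAN in Tunnel-Private-Group-ID.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"example-shared-secret"   # assumed; the real one is never in a snapshot
ALLOWED = {"0060b95ce4ed": "2"}     # assumed: phone MAC from the thread -> VoIP VLAN 2
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 1, 2, 61, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ETHERNET, VLAN, IEEE_802 = 15, 13, 6          # enum values for the three attributes above

def mac_username(mac):
    """What 'mac-address-format lowercase' puts in User-Name (and the PAP password)."""
    return mac.replace(":", "").replace("-", "").lower()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16n, XOR block i with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_decrypt(blob, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def avp(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_packet(pkt):
    """Header and attribute walk; ValueError on the length errors a server calls malformed."""
    if len(pkt) < 20:
        raise ValueError("short header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]], pos))  # offset kept for the HMAC
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def is_well_formed(pkt):
    try:
        parse_packet(pkt)
        return True
    except ValueError:
        return False

def build_access_request(ident, mac, secret, authenticator):
    """NAS side: MAC as User-Name and PAP password, Message-Authenticator (RFC 3579) last."""
    user = mac_username(mac).encode()
    attrs = (avp(USER_NAME, user)
             + avp(USER_PASSWORD, pap_encrypt(user, secret, authenticator))
             + avp(NAS_PORT_TYPE, struct.pack("!I", ETHERNET))
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))      # zero while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def server_handle(pkt, secret, allowed):
    """Simulated server: a bad Message-Authenticator is dropped silently (NAS sees a timeout)."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    for kind, value, pos in attrs:
        if kind == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
                return None
    by_type = {k: v for k, v, _ in attrs}
    user = by_type[USER_NAME].decode()
    if user in allowed and pap_decrypt(by_type[USER_PASSWORD], secret, req_auth) == user.encode():
        code, body = ACCESS_ACCEPT, (
            avp(TUNNEL_TYPE, b"\x00" + struct.pack("!I", VLAN)[1:])          # tag 0 + 3-byte value
            + avp(TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", IEEE_802)[1:])
            + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + allowed[user].encode()))
    else:
        code, body = ACCESS_REJECT, b""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body  # Response Authenticator

def switch_authenticate(mac, nas_secret, server_secret, allowed):
    """NAS end to end: send, verify the Response Authenticator, read the VLAN the server chose."""
    ident, req_auth = 7, os.urandom(16)
    resp = server_handle(build_access_request(ident, mac, nas_secret, req_auth), server_secret, allowed)
    if resp is None:
        return {"result": "timeout", "vlan": None}
    code, rid, resp_auth, attrs = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + nas_secret).digest()
    if rid != ident or not hmac.compare_digest(expected, resp_auth):
        return {"result": "dropped", "vlan": None}
    vlan = next((v[1:].decode() for k, v, _ in attrs if k == TUNNEL_PRIVATE_GROUP_ID), None)
    return {"result": "accept" if code == ACCESS_ACCEPT else "reject", "vlan": vlan}
```

Two things worth taking from the run. First, the server only ever sees the lowercase, separator-free form of the MAC, so the NPS account name and password have to be created in exactly that form for the switch's `mac-address-format lowercase` setting; a mismatch is an Access-Reject and the port lands in the "fail" branch of the non-supplicant policy. Second, a secret mismatch between the switch and the server is not a reject: the server discards the request without answering, and from the switch side that is indistinguishable from the `timeout` lines in the `aaa test-radius-server` output above, so the shared secret is the first thing to check when retries expire with no Access-Reject.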
