Hi all,
We are trying to implement a standard configuration on all interfaces of our switches with 802.1X authentication falling back to MAC authentication. All of our ports are configured with an unused vlan in access, needing authentication to assign the correct vlan via UNP profiles. However, we are facing issues with 802.1X/MAC authentication expiration with silent devices (printers and industrial devices) that do not emit traffic and expire from the authentication / MAC address table.
The situation is the following, taking the example of a printer:
1. The printer boots up, generates traffic requesting an IP via DHCP.
2. The switch authenticates the printer via MAC after falling back from 802.1X.
3. The printer is associated to the correct vlan and can then communicate and be reached from the network.
4. If no further request is made to the printer, the authentication expires and the mac ages out from the table.
5. If a device is trying to reach the printer, as the vlan is no longer assigned to the port, the ARP never reaches the device and the device is not reachable anymore from the network.
To work around that, we are aware of the "unp vlan" command, which we can use either in our UNP template or directly on the port:
unp port-template ###UNP_TEMPLATE_NAME### vlan ###SILENT_VLAN_ID###
unp port ###PORT_ID### vlan ###SILENT_VLAN_ID###
However, this is:
1. Less secure: as traffic is passed in egress to the port, meaning unauthenticated devices can gather information about internal network communications
2. Not scalable: that might work with one or a few vlans, but if silent devices are scattered across numerous vlans, this sends egress traffic of all these vlans on all ports configured with the unp template.
At the moment we have implemented this solution and have developed additional configuration with QoS filtering on the broadcast and multicast traffic to restrict what is being sent on all ports, but we would like to find a more secure and scalable solution.
In Cisco we use the SISF device tracking functionality, which allows the switch to trigger an ARP request to devices that are close to expiring from the table, keeping those devices alive as there is active communication. More information about that functionality can be found here: https://www.cisco.com/c/en/us/td/docs/s ... cking.html
Is anyone here aware of any mechanism on AOS 8 that would be close to what we use in Cisco? Or another configuration in AOS 8 that could be more secure and scalable?
Thank you for your attention!
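For readers looking at the gap the post describes, here is an added example (not from the post, from ALE or from Cisco) of the same idea done from a management host instead of on the switch: probe each silent device with an ARP request shortly before its MAC / authentication entry would age out, so the device answers, the switch sees inbound traffic on that port, and the UNP VLAN stays assigned without opening the VLAN on every port via "unp vlan". Everything below is constructed: the device names, addresses, MACs and timers are sample values; the aging_timeout is assumed to be the shorter of the switch's MAC aging time and the UNP session timeout; and sending needs Linux, CAP_NET_RAW and an interface of the prober in the device's VLAN, since ARP does not cross a router.

```python
# Added example: host-side keepalive prober for silent devices behind
# 802.1X / MAC-auth ports. Not code from the forum post or from ALE/Cisco.
# All device data, addresses and timer values are constructed samples.
import socket
import struct
import time
from dataclasses import dataclass
from typing import List


@dataclass
class SilentDevice:
    name: str
    ip: str
    mac: str
    last_seen: float  # epoch seconds of the last probe sent to this device


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def probe_deadline(last_seen: float, aging_timeout: float, safety_margin: float) -> float:
    """Latest moment a probe must go out so it still lands while the VLAN is
    assigned to the port. aging_timeout is assumed to be the shorter of the
    switch's MAC aging time and the UNP authentication session timeout."""
    if safety_margin >= aging_timeout:
        raise ValueError("safety margin must be shorter than the aging timeout")
    return last_seen + aging_timeout - safety_margin


def devices_due(devices: List[SilentDevice], now: float,
                aging_timeout: float, safety_margin: float) -> List[SilentDevice]:
    """Devices whose deadline has been reached, the one closest to expiring first."""
    due = [d for d in devices
           if probe_deadline(d.last_seen, aging_timeout, safety_margin) <= now]
    return sorted(due, key=lambda d: d.last_seen)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Broadcast Ethernet frame carrying an ARP 'who-has target_ip' request (42 bytes)."""
    ethernet = (b"\xff" * 6                      # broadcast destination MAC
                + mac_to_bytes(sender_mac)
                + b"\x08\x06")                   # EtherType 0x0806 = ARP
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), lengths 6/4, opcode 1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_to_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)  # target MAC unknown
    return ethernet + arp


def send_frame(frame: bytes, interface: str) -> None:
    """Transmit a raw frame on a Linux AF_PACKET socket (requires CAP_NET_RAW)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as sock:
        sock.bind((interface, 0))
        sock.send(frame)


def keepalive_loop(devices: List[SilentDevice], interface: str,
                   sender_mac: str, sender_ip: str,
                   aging_timeout: float = 300.0, safety_margin: float = 60.0,
                   poll: float = 5.0) -> None:
    """Probe every device ahead of its deadline. poll must stay well below
    safety_margin so no deadline is missed between two passes."""
    while True:
        now = time.time()
        for dev in devices_due(devices, now, aging_timeout, safety_margin):
            send_frame(build_arp_request(sender_mac, sender_ip, dev.ip), interface)
            dev.last_seen = now  # a fuller tool would wait for the reply first


if __name__ == "__main__":
    # Constructed inventory; replace with the real silent-device list.
    inventory = [
        SilentDevice("printer-a", "10.0.50.20", "00:11:22:33:44:55", time.time()),
        SilentDevice("plc-b", "10.0.50.21", "00:11:22:33:44:66", time.time()),
    ]
    keepalive_loop(inventory, "eth0.50", "02:00:00:00:00:01", "10.0.50.1")
```

The logic worth keeping even if the transport changes is probe_deadline: the probe has to arrive before the entry expires, because once the VLAN is pulled from the port (step 5 of the post) nothing from the network can reach the device any more. If the prober cannot sit in each silent VLAN, an ICMP echo from a routed host works the same way, since the reply still leaves the device's port and refreshes its entry.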
Silent devices keepalive with 802.1X authentication
Re: Silent devices keepalive with 802.1X authentication
Hi, this is a very interesting question. I have only one idea - not to open this vlan(s) at the template but only at the ports with printers. But then you don't have the benefit of the mobility of all your devices. So the best idea is to open a ticket at ALE with your wish. Maybe there is a solution for you.
BR Silvio
Re: Silent devices keepalive with 802.1X authentication
Hello Silvio,
Thank you for your reply! We have already opened a ticket with Alcatel, without much luck for now, and we are in discussion with our technical contact as well.
But I wanted to know if anyone out here might have a suggestion, or had encountered the same situation and found a workaround for it that would be cleaner.
If anyone has an idea, we are interested!