Newbie here - help with 802.1x and 6860 8.9
Hi!
Is there any tutorial or docs about using 802.1x + dynamic VLANs in this switch, a 6860 with firmware 8.9?
I could find some examples, but most use edge-profiles, which I could not make work in my firmware version (the command doesn't exist).
What I already have:
1) A RADIUS server working (Windows Active Directory NPS)
2) RADIUS server configured in my 6860 (tested with "aaa test-radius-server")
3) Other switches working with this setup (HP switches)
I know that I need to work with profiles and then send the profile-id from my RADIUS, but I don't know how to create and associate those profiles in my 6860 with this firmware.
Any help here? Maybe some tutorial or example.
I already have my VLANs configured too (guest, navigation and management VLANs)
Tks!
Re: Newbie here - help with 802.1x and 6860 8.9
The UNP edge profile was only in the first releases of Release 8. For many years now you need bridge profiles for VLAN mapping.
The name of the UNP profile has to be the returned RADIUS attribute Filter-Id.
You will find more information in the network configuration guide.
BR Silvio
Re: Newbie here - help with 802.1x and 6860 8.9
here is a little example:
Code:
vlan 101 name PC-User-1
vlan 102 name PC-User-2
vlan 99 name Quarantaene
aaa radius-server NPS host 192.168.63.200 key xxx
aaa profile "AAA_1"
aaa profile "AAA_1" device-authentication 802.1x "NPS"
aaa profile "AAA_1" device-authentication mac "NPS"
unp profile PC-USER-1
unp profile PC-USER-1 map vlan 101
unp profile PC-USER-2
unp profile PC-USER-2 map vlan 102
unp profile QUARANT
unp profile QUARANT map vlan 99
unp port-template TEMPLATE_1 classification
unp port-template TEMPLATE_1 mac-authentication
unp port-template TEMPLATE_1 default-profile QUARANT
unp port-template TEMPLATE_1 aaa-profile "AAA_1"
unp port 1/1/1-48 port-type bridge
unp port 1/1/1-48 port-template TEMPLATE_1
Re: Newbie here - help with 802.1x and 6860 8.9
silvio wrote: ↑13 Sep 2024 05:27 here is a little example:
Thank you very much Silvio, I'm almost there!
I'm just trying to figure out why I can't associate my port to the template I created. I don't have any tagged VLAN on this port, but I keep getting the error "UNP cannot be enabled on Tagged port 1/1/10", no matter what I do.
Code:
-> unp port 1/1/10 port-type bridge
ERROR: UNP cannot be enabled on Tagged port 1/1/10
-> show interfaces 1/1/10
Chassis/Slot/Port : 1/1/10
Operational Status : down,
Port-Down/Violation Reason: None,
Last Time Link Changed : Thu Sep 12 08:50:04 2024,
Number of Status Change : 0,
Type : Ethernet,
SFP/XFP : N/A,
Interface Type : Copper,
EPP : Disabled,
Link-Quality : N/A,
MAC address : 94:24:e1:72:99:d7,
BandWidth (Megabits) : - , Duplex : -,
Autonegotiation : 1 [ 1000-F 100-F 100-H 10-F 10-H ],
Long Frame Size(Bytes) : 9216,
Inter Frame Gap(Bytes) : 12,
loopback mode : N/A,
Rx :
Bytes Received : 0, Unicast Frames : 0,
Broadcast Frames: 0, M-cast Frames : 0,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Error Frames : 0,
CRC Error Frames: 0, Alignments Err : 0,
Tx :
Bytes Xmitted : 0, Unicast Frames : 0,
Broadcast Frames: 0, M-cast Frames : 0,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : -, Collided Frames: 0,
Error Frames : 0, Collisions : 0,
Late collisions : 0, Exc-Collisions : 0
->
-> show vlan members port 1/1/10
vlan type status
--------+-----------+---------------
1 untagged inactive
4000 spb inactive
4001 spb inactive
4002 spb inactive
4003 spb inactive
Re: Newbie here - help with 802.1x and 6860 8.9
PS: I have managed to remove port 1/1/10 from auto-fabric, but still can't set it to bridge
Code:
-> show vlan members port 1/1/10
vlan type status
--------+-----------+---------------
1 untagged inactive
-> unp port 1/1/10 port-type bridge
ERROR: UNP cannot be enabled on Tagged port 1/1/10
Re: Newbie here - help with 802.1x and 6860 8.9
Thanks for this Silvio, I'm not OP but I'm currently looking into how to do these types of configs and your posts are always very helpful.
A few questions if you don't mind:
1) - Is unp port-template TEMPLATE_1 802.1x-authentication missing for this to work properly?
2) - If no name is returned from RADIUS, by simply adding pass-alternate PC-USER-2 to my previous command ensures that "well, you passed auth, but I have no idea where to classify you into, so here, go into PC-USER-2 vlan"?
3) - Do we know what is to be expected from the RADIUS server other than the 'filter-id' attribute and for what auth scenarios? Is there a document that ALE has listing all these and when they are expected? i.e. when using mac-auth we expect X and when using 802.1x we expect Y?
Re: Newbie here - help with 802.1x and 6860 8.9
@jmaurin
After the first post I have seen the issue with the SPB VLANs. This is a common problem for newbies, but also for a lot of experts.
The easiest way is during the first power-up of the newly delivered switch:
- NO LAN connection (besides the VFL ports).
- And then both commands:
Code:
auto-config-abort
auto-fabric admin-state disable remove-global-config
After that you can connect anything and start with your config.
If possible then try this again.
For making the switch like factory, delete all *.cfg files within working and reload from working.
I am not sure about the real reason for the still-seen error message. For this I need the full config.
BR Silvio
Re: Newbie here - help with 802.1x and 6860 8.9
@Cristek
1+2) You are fully correct with your hint (my example was for MAC-auth only):
"unp port-template TEMPLATE_1 802.1x-authentication" is necessary
(maybe this is enabled per default, but I really prefer to do it myself).
The returned Filter-Id has to be PC-USER-1 or PC-USER-2. Otherwise the client will fall into the default-profile QUARANT.
For the case that the client is successfully authenticated at the NPS but the Filter-Id is missing (or there is another one), you can create another profile for that case, e.g. PC-USER-0 (mapped to any VLAN).
With the following command you can use it:
unp port-template TEMPLATE_1 pass-alternate PC-USER-0
3) This is written in the network guide (I hope).
The needed returned attributes are the same for MAC and 802.1x. There are only two to my knowledge.
First the Filter-Id (I prefer it). And the Tunnel-Private-Group-ID (81) described in RFC 4675. This is the VLAN ID.
But like the Filter-Id, the Tunnel-Private-Group-ID also forwards the client to a UNP profile. That's why for using this you need a UNP profile with the name of the VLAN ID.
E.g. the returned Tunnel-Private-Group-ID is 2 (for VLAN 2).
Then you need to create a UNP profile with name "2" and map this to VLAN 2.
BR Silvio
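The classification rules Silvio describes above (Filter-Id naming a profile, Tunnel-Private-Group-ID naming a profile by VLAN id, pass-alternate for accepted clients with no usable attribute, default-profile otherwise), modelled as an added example that is not from any post in this thread or from ALE. The order in which Filter-Id and Tunnel-Private-Group-ID are checked, and the PC-USER-0 VLAN number, are assumptions.

```python
from typing import Dict, Optional

TUNNEL_TYPE_VLAN = 13  # RFC 3580 / RFC 4675 Tunnel-Type value meaning "VLAN"


class PortTemplate:
    """Only the parts of a UNP port-template that decide where a client lands."""

    def __init__(self, profiles: Dict[str, int], default_profile: str,
                 pass_alternate: Optional[str] = None):
        self.profiles = profiles          # unp profile name -> mapped VLAN id
        self.default_profile = default_profile
        self.pass_alternate = pass_alternate


def select_profile(tpl: PortTemplate, access_accept: bool, attrs: Dict[str, object]) -> str:
    """Return the name of the UNP profile the client is classified into."""
    if not access_accept:
        # Authentication failed: the client falls into the default-profile.
        return tpl.default_profile
    # Filter-Id names a UNP profile directly. Checking it before the tunnel
    # attribute is an assumption; the thread states no precedence between them.
    name = attrs.get("Filter-Id")
    if name in tpl.profiles:
        return str(name)
    # RFC 4675 Tunnel-Private-Group-ID carries the VLAN id, so a profile named
    # after that id (e.g. "2" mapped to VLAN 2) must exist. If Tunnel-Type is
    # sent it must say VLAN (13); NPS sends it alongside the group id when
    # VLAN attributes are configured in the network policy.
    group = attrs.get("Tunnel-Private-Group-ID")
    if group is not None and attrs.get("Tunnel-Type") in (None, TUNNEL_TYPE_VLAN):
        vid = str(group).strip()
        if vid in tpl.profiles:
            return vid
    # Accepted, but nothing named a known profile: pass-alternate if the
    # template has one, otherwise the default-profile.
    return tpl.pass_alternate or tpl.default_profile


def vlan_for(tpl: PortTemplate, access_accept: bool, attrs: Dict[str, object]) -> int:
    """The VLAN the chosen profile maps to."""
    return tpl.profiles[select_profile(tpl, access_accept, attrs)]


# Constructed template mirroring Silvio's TEMPLATE_1, plus the PC-USER-0
# pass-alternate and the "2" profile from the reply above (VLAN 103 is invented).
EXAMPLE = PortTemplate(
    profiles={"PC-USER-1": 101, "PC-USER-2": 102, "QUARANT": 99, "PC-USER-0": 103, "2": 2},
    default_profile="QUARANT",
    pass_alternate="PC-USER-0",
)
```

Feed it the attributes your NPS network policy returns to see where a client would land before changing the switch.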
Re: Newbie here - help with 802.1x and 6860 8.9
Yep, unfortunately I have some switches that are already in production, therefore I can't clear/configure them from scratch again.
This is my basic setup.
Code:
-> show configuration snapshot
! Chassis:
system name "TEIAS"
! Configuration:
configuration error-file-limit 2
! Capability Manager:
! Virtual Flow Control:
! LFP:
! Interface:
! Port_Manager:
! Link Aggregate:
! VLAN:
vlan 1 admin-state enable
vlan 100 admin-state enable
vlan 100 name "Wireless"
vlan 115 admin-state enable
vlan 115 name "Eduroam"
vlan 130 admin-state enable
vlan 130 name "GerenciaWireless"
vlan 150 admin-state enable
vlan 150 name "Visitantes"
vlan 200 admin-state enable
vlan 200 name "Voip"
vlan 209 admin-state enable
vlan 209 name "Rede_205"
vlan 227-228 admin-state enable
vlan 227 name "Rede_158"
vlan 228 name "ThinclientAntigo"
vlan 230-232 admin-state enable
vlan 230 name "Leia"
vlan 231 name "ProAluno"
vlan 232 name "Thinclients"
vlan 239-240 admin-state enable
vlan 239 name "Gerencia"
vlan 240 name "FEARPSync"
vlan 248-249 admin-state enable
vlan 248 name "Impressoras"
vlan 249 name "IoT"
vlan 263 admin-state enable
vlan 263 name "NavPublica"
vlan 289 admin-state enable
vlan 289 name "IoT2"
vlan 1130 admin-state enable
vlan 1130 name "GWIRELESS"
spb bvlan 4000-4003 admin-state enable
spb bvlan 4000-4003 name "AutoFabric 7/14/2022 13:13:25"
vlan 130 members port 1/1/1 untagged
vlan 130 members port 1/1/3-4 untagged
vlan 130 members port 1/1/11 untagged
vlan 130 members port 1/1/14-16 untagged
vlan 130 members port 1/1/19 untagged
vlan 130 members port 1/1/21-23 untagged
vlan 209 members port 1/1/2 untagged
vlan 263 members port 1/1/5-9 untagged
vlan 289 members port 1/1/13 untagged
vlan 289 members port 1/1/17-18 untagged
vlan 1130 members port 1/1/12 untagged
vlan 1130 members port 1/1/20 untagged
vlan 100 members port 1/1/1 tagged
vlan 100 members port 1/1/3-4 tagged
vlan 100 members port 1/1/11-12 tagged
vlan 100 members port 1/1/14-16 tagged
vlan 100 members port 1/1/19-23 tagged
vlan 100 members port 1/1/25-28 tagged
vlan 115 members port 1/1/1 tagged
vlan 115 members port 1/1/3-4 tagged
vlan 115 members port 1/1/11 tagged
vlan 115 members port 1/1/14-16 tagged
vlan 115 members port 1/1/19 tagged
vlan 115 members port 1/1/21-23 tagged
vlan 115 members port 1/1/25-28 tagged
vlan 130 members port 1/1/25-28 tagged
vlan 150 members port 1/1/1 tagged
vlan 150 members port 1/1/3-4 tagged
vlan 150 members port 1/1/11 tagged
vlan 150 members port 1/1/14-16 tagged
vlan 150 members port 1/1/19 tagged
vlan 150 members port 1/1/21-23 tagged
vlan 150 members port 1/1/25-28 tagged
vlan 200 members port 1/1/1-9 tagged
vlan 200 members port 1/1/11 tagged
vlan 200 members port 1/1/13-19 tagged
vlan 200 members port 1/1/21-28 tagged
vlan 209 members port 1/1/25-28 tagged
vlan 227 members port 1/1/25-28 tagged
vlan 228 members port 1/1/25-28 tagged
vlan 230 members port 1/1/25-28 tagged
vlan 231 members port 1/1/25-28 tagged
vlan 232 members port 1/1/1 tagged
vlan 232 members port 1/1/3-4 tagged
vlan 232 members port 1/1/11-12 tagged
vlan 232 members port 1/1/14-16 tagged
vlan 232 members port 1/1/19-23 tagged
vlan 232 members port 1/1/25-28 tagged
vlan 239 members port 1/1/24-28 tagged
vlan 248 members port 1/1/25-28 tagged
vlan 249 members port 1/1/1 tagged
vlan 249 members port 1/1/3-4 tagged
vlan 249 members port 1/1/11-12 tagged
vlan 249 members port 1/1/14-16 tagged
vlan 249 members port 1/1/19-23 tagged
vlan 249 members port 1/1/25-28 tagged
vlan 263 members port 1/1/25-28 tagged
vlan 289 members port 1/1/1 tagged
vlan 289 members port 1/1/11-12 tagged
vlan 289 members port 1/1/14 tagged
vlan 289 members port 1/1/19-20 tagged
vlan 289 members port 1/1/25-28 tagged
vlan 1130 members port 1/1/28 tagged
! PVLAN:
! Spanning Tree:
spantree mode flat
spantree vlan 1 admin-state enable
spantree vlan 100 admin-state enable
spantree vlan 115 admin-state enable
spantree vlan 130 admin-state enable
spantree vlan 150 admin-state enable
spantree vlan 200 admin-state enable
spantree vlan 209 admin-state enable
spantree vlan 227 admin-state enable
spantree vlan 228 admin-state enable
spantree vlan 230 admin-state enable
spantree vlan 231 admin-state enable
spantree vlan 232 admin-state enable
spantree vlan 239 admin-state enable
spantree vlan 240 admin-state enable
spantree vlan 248 admin-state enable
spantree vlan 249 admin-state enable
spantree vlan 263 admin-state enable
spantree vlan 289 admin-state enable
spantree vlan 1130 admin-state enable
spantree vlan 4000 admin-state disable
spantree vlan 4001 admin-state disable
spantree vlan 4002 admin-state disable
spantree vlan 4003 admin-state disable
! DA-UNP:
unp dynamic-profile-configuration
unp profile "Gerencia"
unp profile "Thinclients"
unp profile "Gerencia" map vlan 239
unp profile "Thinclients" map vlan 232
unp ap-mode disable
unp port-template pt direction both aaa-profile "fearp" classification trust-tag ap-mode admin-state enable
unp port-template pt 802.1x-authentication
unp port-template pt mac-authentication
unp port-template TEMPLATE_1 direction both aaa-profile "AAA_1" default-profile "Thinclients" classification admin-state enable
unp port-template TEMPLATE_1 mac-authentication
! Bridging:
! Port Mirroring:
! Port Mapping:
! IP:
ip interface dhcp-client vlan 1 ifindex 1
ip interface dhcp-client option-60 OmniSwitch-OS6860E-P24
ip interface "v239" address 10.107.205.47 mask 255.255.255.0 vlan 239 ifindex 2
! IPv6:
! IPSec:
! IPMS:
! AAA:
aaa radius-server "fearp" host 10.107.205.130 hash-key "XXX" hash-salt "XXX" retransmit 3 timeout 2 auth-port 1812 acct-port 1813 vrf-name default
aaa authentication default "local"
aaa authentication console "local"
aaa authentication ssh "local"
aaa tacacs command-authorization disable
aaa profile "AAA_1"
aaa profile "AAA_1" device-authentication mac "fearp"
aaa profile "AAA_1" device-authentication 802.1x "fearp"
! NTP:
ntp server 172.16.32.1
ntp server 10.107.205.1
ntp client admin-state enable
! QOS:
! Policy Manager:
! VLAN Stacking:
! ERP:
! MVRP:
mvrp enable
! LLDP:
! UDLD:
! Server Load Balance:
! High Availability Vlan:
! Session Manager:
! Web:
! Trap Manager:
! Health Monitor:
health threshold memory 80
! System Service:
ssl cipher level all
ip domain-name fea-rp.local
ip name-server REDICTED REDICTED
ip domain-lookup
system timezone ZM3
! SNMP:
! BFD:
! IP Route Manager:
ip static-route 0.0.0.0/0 gateway 10.107.205.1 metric 1 name "rota_default"
! VRRP:
! UDP Relay:
! RIP:
! OSPF:
! IP Multicast:
! DVMRP:
! IPMR:
! RIPng:
! OSPF3:
! BGP:
! ISIS:
! Module:
! LAN Power:
lanpower slot 1/1 service start
! RDP:
! DHL:
! Ethernet-OAM:
! SAA:
! SPB-ISIS:
spb isis bvlan 4000 ect-id 1
spb isis bvlan 4001 ect-id 2
spb isis bvlan 4002 ect-id 3
spb isis bvlan 4003 ect-id 4
spb isis control-bvlan 4000
spb isis admin-state enable
! SVCMGR:
service stats disable
! LDP:
! EVB:
! APP-FINGERPRINT:
! FCOE:
! QMR:
! OPENFLOW:
! Dynamic auto-fabric:
auto-fabric admin-state enable
! SIP Snooping:
! DHCP Server:
! DHCPv6 Relay:
! DHCPv6 Snooping:
! DHCPv6 Server:
! DHCP Message Service:
! DHCP Active Lease Service:
! Virtual Chassis Split Protection:
! DHCP Snooping:
! APP-MONITORING:
app-mon separate-config-file
! Loopback Detection:
! VM-SNOOPING:
! PPPOE-IA:
! Security:
! Zero Configuration:
! MAC Security:
! OVC:
cloud-agent discovery-interval 180
! EFM-OAM:
! ALARM-MANAGER:
! DEVICE-PROFILE:
! PTP:
! IP DHCP RELAY:
! TEST-OAM:
! LOOPBACK TEST:
! UDP6 RELAY:
! MGMT AGENT:
! MRP:
! PKGMGR:
->
Re: Newbie here - help with 802.1x and 6860 8.9
I can't see the reason for the error for sure. But you should disable auto-fabric and all config that was created by auto-config and auto-fabric.
For this use the following commands:
Code:
auto-fabric admin-state disable remove-global-config
mvrp disable
spantree mode per-vlan (see below)
spb isis admin-state disable
no spb bvlan 4000-4003
About the spantree mode, check all your other switches. Which mode is running there: flat or per-VLAN (1x1)?
This should be the same on all switches.
Also I assume you don't need an IP interface dhcp-client. Delete it with "no ip interface dhcp-client".
I think this is the reason for the error message.
BR Silvio
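A small linter for the "show configuration snapshot" format pasted earlier in this thread, added here as an example that is not from any post or from ALE. It checks the points the thread turned on: ports that are tagged members of a VLAN (where "unp port ... port-type bridge" is refused), port-templates whose default-profile or pass-alternate names a profile that is not defined, profiles mapped to a VLAN the snapshot does not create, and templates with mac-authentication but no 802.1x-authentication. The sample snapshot is constructed from a subset of jmaurin's lines, with the VLAN 232 line left out and an undefined PC-USER-0 added so that every check fires.

```python
import re
# Constructed sample: a subset of the snapshot pasted in this thread, plus a
# pass-alternate line pointing at a profile that is not defined anywhere.
SAMPLE = """\
vlan 100 admin-state enable
vlan 239 admin-state enable
vlan 100 members port 1/1/11-12 tagged
vlan 130 members port 1/1/11 untagged
unp profile "Gerencia"
unp profile "Thinclients"
unp profile "Gerencia" map vlan 239
unp profile "Thinclients" map vlan 232
unp port-template TEMPLATE_1 aaa-profile "AAA_1" default-profile "Thinclients" classification
unp port-template TEMPLATE_1 mac-authentication
unp port-template TEMPLATE_1 pass-alternate PC-USER-0
"""

def _span(spec):  # '3-4' -> [3, 4]; '11' -> [11]
    lo, _, hi = spec.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))

def _ports(spec):  # '1/1/3-4' -> ['1/1/3', '1/1/4']
    chassis, slot, rng = spec.split("/")
    return [f"{chassis}/{slot}/{p}" for p in _span(rng)]

def lint_snapshot(text, bridge_ports=()):
    """Return findings for the UNP-related parts of a 'show configuration snapshot'."""
    vlans, tagged, profiles, maps, tpl, bridge = set(), {}, set(), {}, {}, set(bridge_ports)
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"vlan (\S+) admin-state enable", line):
            vlans.update(_span(m[1]))
        elif m := re.match(r"vlan (\d+) members port (\S+) tagged", line):
            for p in _ports(m[2]):
                tagged.setdefault(p, set()).add(int(m[1]))
        elif m := re.match(r'unp profile "?([^" ]+)"? map vlan (\d+)', line):
            maps[m[1]] = int(m[2])
        elif m := re.match(r'unp profile "?([^" ]+)"?$', line):
            profiles.add(m[1])
        elif m := re.match(r"unp port-template (\S+) (.+)", line):
            t = tpl.setdefault(m[1], {"auth": set()})
            for key in ("default-profile", "pass-alternate"):
                if k := re.search(rf'{key} "?([^" ]+)"?', m[2]):
                    t[key] = k[1]
            t["auth"].update(a for a in m[2].split() if a.endswith("-authentication"))
        elif m := re.match(r"unp port (\S+) port-type bridge", line):
            bridge.update(_ports(m[1]))
    out = []
    for p in sorted(bridge):
        if tagged.get(p):  # the thread's error: UNP cannot be enabled on a tagged port
            out.append(f"port {p}: tagged in VLAN {sorted(tagged[p])}; port-type bridge is refused")
    for name, vid in maps.items():
        if vid not in vlans:
            out.append(f"profile {name}: mapped VLAN {vid} is not defined")
    for name, t in tpl.items():
        for key in ("default-profile", "pass-alternate"):
            if key in t and t[key] not in profiles:
                out.append(f"template {name}: {key} {t[key]} is not a defined profile")
        if "mac-authentication" in t["auth"] and "802.1x-authentication" not in t["auth"]:
            out.append(f"template {name}: mac-authentication without 802.1x-authentication")
    return out
```

Pass the ports you intend to make UNP bridge ports as bridge_ports; lines of the form "unp port ... port-type bridge" found in the snapshot are picked up as well.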

