
Author Topic: Access Control ERS4524GT / SNAS 4050  (Read 510 times)

Offline yogo

  • Rookie
  • **
  • Posts: 4
Access Control ERS4524GT / SNAS 4050
« on: November 17, 2011, 05:28:34 PM »
I have a problem with my implementation of certificate based Network Access Control. I use a SNAS 4050 as RADIUS server and an ERS4524GT switch for network access. As clients I've got a PC with Win XP SP3 and a Win 7 laptop. The authentication generally works. At the end of a trace on the clients I see the EAP Success packet, and the log file from the SNAS 4050 says "radius authentication success". After the authentication succeeded the port is removed from the guest VLAN, but it doesn't switch to the "Authentication VLAN".

At the SNAS 4050 I've the following configuration to do that:

- AAA -> Authentication -> CERT -> CA Certificates
   - Certificate : CA Cert
   - Group Name : WiredEAPCert

- AAA -> Groups -> RADIUS Attributes -> WiredEAPCert
   - Vendor ID : 0    Attribute ID : 64    Attribute Value 13
   - Vendor ID : 0    Attribute ID : 65    Attribute Value 6
   - Vendor ID : 0    Attribute ID : 81    Attribute Value 203

The CA Cert is allocated to the group "WiredEAPCert" and this group includes the RADIUS Attributes. The value 203 is the VLAN which the port should change to. At the ERS4524GT the entry "Allow Use of RADIUS Assigned VLANs" is enabled. I've already spent days trying to solve this problem but don't get it.

I should tell you that the whole thing is a new topic for me, so maybe there is only a stupid/simple fault I've done. If you need more information, please let me know. Hope somebody can help me and thank you in anticipation.


Offline Jon Hurtt

  • Sr. Member
  • ****
  • Posts: 125
Re: Access Control ERS4524GT / SNAS 4050
« Reply #1 on: November 17, 2011, 05:39:57 PM »
Have you tried referencing this guide?

Authentication, Authorization and Accounting (AAA) for ERS and ES Technical Configuration Guide
http://support.avaya.com/css/P8/documents/100123717

Also, is this working on any other switches, or is this your first attempt at setting up 802.1X authentication?

Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 582
Re: Access Control ERS4524GT / SNAS 4050
« Reply #2 on: November 18, 2011, 04:35:31 AM »
Hi yogo,

We use something similar called Ignition which I believe does the same thing?

We use the Radius 'dynamic' Vlan feature so that when the specified MAC address is seen on the specified port then the requested Vlan is dynamically configured. 

To achieve this the specified port has to be set up for 'untagPvidOnly' and then the requested Vlan added to that port, so you have the original Vlan as well as the requested Vlan on the same port. When the specified MAC is then seen and authenticated, the Radius server configures the port to the requested Vlan.

CheerZ and good luck

Offline yogo

  • Rookie
  • **
  • Posts: 4
Re: Access Control ERS4524GT / SNAS 4050
« Reply #3 on: November 18, 2011, 08:15:33 AM »
@Jon Hurtt

It's my first attempt at setting up 802.1X and at the moment I am only testing. I've got no other switch where this is working, only an ERS5530-24TFD with the same problem.

The SNAS 4050 is no real UNIX, it's a Nortel proprietary operating system. Therefore the guide you've linked won't help me a lot. But I've used a lot of other Nortel/Avaya guides (e.g. ERS 45xx Security Config Guide / NSNAS Solution Guide / NSNA Technical Configuration). Maybe next week I will try setting up a RADIUS server with FreeRADIUS, if I have no solution by then.

@ Flintstone

As far as I know Ignition is the replacement product for the SNAS 4050, which had End of Sale in 2010. One problem with the MAC based solution is that you have to manage the MAC addresses by hand (?). But in my opinion the bigger problem is that you don't have real security. These days it's no problem to change the MAC of a device, keyword MAC spoofing. That's the reason why I prefer a certificate based solution.

edit: I forgot - I tried this with both VLANs on the specified port and 'untagPvidOnly', but now after the successful authentication both VLANs are removed from the port.

Thank you for your help again!
« Last Edit: November 18, 2011, 08:30:31 AM by yogo »

Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 582
Re: Access Control ERS4524GT / SNAS 4050
« Reply #4 on: November 18, 2011, 08:36:39 AM »
Hi yogo,

We also use 802.1x via AD to provide more security.

CheerZ

Offline Jon Hurtt

  • Sr. Member
  • ****
  • Posts: 125
Re: Access Control ERS4524GT / SNAS 4050
« Reply #5 on: November 18, 2011, 08:49:05 AM »
yogo... see if this helps at all...