
Topic: Non-EAP Clients with NAC Appliance - Problem with VLAN association between 2 ERS


mixthoor
Hello,

I'm new to Avaya and I have a little problem with port authentication and non-EAP hosts. Sorry for the italicized font, but I am not allowed to use the "code" tag; I get the error "Sorry, you are not allowed to post external links." Just great!

- It works with switch 1 (3500), which is connected via a router into the NAC environment. In NAC Manager I see my clients (1x VoIP phone, 1x Windows 7, 1x VM Debian 8). The switch gives me the right VLANs, depending on the NAC's policies:
   MAC Address    Vid   Source         MAC Address    Vid   Source
----------------- ---- --------     ----------------- ---- --------
08-00-27-C3-71-61  100 Port:15      44-AD-D9-BC-C5-1C  100 Port:15
C4-7D-46-16-30-4C  100 Port:15      C4-7D-46-16-30-4C  101 Port:15
08-00-27-C3-71-61  102 Port:15


100 - VOICE (Cisco VoIP Phone)
101 - DATA1 (Windows)
102 - DATA2 (virtual Linux Debian)

sh eapol multihost non-eap-mac status
Port Client MAC Address State                                     Vid  Pri
---- ------------------ ----------------------------------------- ---- ---
15   08:00:27:C3:71:61  Authenticated By RADIUS                   102  0
15   44:AD:D9:BC:C5:1C  Authenticated By RADIUS                   100  0
15   C4:7D:46:16:30:4C  Authenticated By RADIUS                   101  0


SW1-DAWID#sh vlan interface vids 15
Port VLAN VLAN Name         VLAN VLAN Name         VLAN VLAN Name
---- ---- ----------------  ---- ----------------  ---- ----------------
15   100  VOICE             101  LAN-101           102  LAN-102
     999  GAST
---- ---- ----------------  ---- ----------------  ---- ----------------


****************************************

It doesn't work correctly on switch 2 (4800), which hangs off the uplink port between the ERS 3500 and the ERS 4800. In NAC Manager I see my clients from SW2, but the switch doesn't associate the VLANs at all. Why?

Here is the config of my tagged port (MLT) between the switches:

SW 1 (3500)
VLANs:
SW1-DAWID#sh vlan
Id   Name                 Type     Protocol         PID     Active IVL/SVL Mgmt
---- -------------------- -------- ---------------- ------- ------ ------- ----
1    DEFAULT              Port     None             0x0000  Yes    IVL     No
        Port Members: NONE
100  VOICE                Port     None             0x0000  Yes    IVL     No
        Port Members: 15,23-24
101  LAN-101              Port     None             0x0000  Yes    IVL     No
        Port Members: 15,23-24
102  LAN-102              Port     None             0x0000  Yes    IVL     No
        Port Members: 15,23-24
776  MANAGEMENT           Port     None             0x0000  Yes    IVL     Yes
        Port Members: 1,23-24
999  GAST                 Port     None             0x0000  Yes    IVL     No
        Port Members: 2-26



Link between ERS Switches:
SW1-DAWID#sh interfaces link-up 24
              Status                    Auto                        Flow
Port Trunk Admin   Oper Link LinkTrap Negotiation  Speed   Duplex Control
---- ----- ------- ---- ---- -------- ----------- -------- ------ -------
24   1     Enable  Up   Up   Enabled  Enabled     1000Mbps Full   Asymm



Aggregated link between both ERS switches:
SW1-DAWID#sh mlt 1
Id Name             Members                Bpdu   Mode           Status  Type
-- ---------------- ---------------------- ------ -------------- ------- ------
1  UPLINK           23-24                  All    Advance        Enabled Trunk



Uplink:
SW1-DAWID#sh vlan interface vids 24
Port VLAN VLAN Name         VLAN VLAN Name         VLAN VLAN Name
---- ---- ----------------  ---- ----------------  ---- ----------------
24   100  VOICE             101  LAN-101           102  LAN-102
     776  MANAGEMENT        999  GAST
---- ---- ----------------  ---- ----------------  ---- ----------------



+ more details:
SW1-DAWID#sh vlan interface verbose 24
     Filter Filter
     Untag. Unreg.
Port Frames Frames PVID VLAN VLAN Name        PRI Tagging       Port Name
---- ------ ------ ---- ---- ---------------- --- ------------- --------------
24   No     Yes    999  100  VOICE            0   TagAll        Port 24
                        101  LAN-101
                        102  LAN-102
                        776  MANAGEMENT
                        999  GAST
---- ------ ------ ---- ---- ---------------- --- ------------- --------------



********


SW2 (ERS 4800):
Non-EAP clients and their MAC addresses:
   MAC Address    Vid   Type       Source
----------------- ---- ------- --------------
08-00-27-C3-71-61  100 Dynamic Port:15
44-AD-D9-BC-C5-1C  100 Dynamic Port:15
C4-7D-46-16-30-4C  100 Dynamic Port:15



VLANs:
SW2-DAWID#sh vlan
Id   Name                 Type     Protocol         PID     Active IVL/SVL Mgmt
---- -------------------- -------- ---------------- ------- ------ ------- ----
1    DEFAULT              Port     None             0x0000  Yes    IVL     No
        Port Members: NONE
100  VOICE                Voice    None             0x0000  Yes    IVL     No
        Port Members: 15,23-24
101  LAN-101              Port     None             0x0000  Yes    IVL     No
        Port Members: 21,23-24
102  LAN-102              Port     None             0x0000  Yes    IVL     No
        Port Members: 23-24
776  MANAGEMENT           Port     None             0x0000  Yes    IVL     Yes
        Port Members: 1,23-24
999  GAST                 Port     None             0x0000  Yes    IVL     No
        Port Members: 2-20,23-24
Total VLANs: 6



Link between ERS Switches:
SW2-DAWID#sh interfaces link-up 24
              Status                    Auto                        Flow
Port Trunk Admin   Oper Link LinkTrap Negotiation  Speed   Duplex Control
---- ----- ------- ---- ---- -------- ----------- -------- ------ -------
24   1     Enable  Up   Up   Enabled  Enabled     1000Mbps Full   Asymm



Aggregated link between both ERS switches:

SW2-DAWID#sh mlt 1
Id Name             Members                Bpdu   Mode           Status  Type
-- ---------------- ---------------------- ------ -------------- ------- ------
1  UPLINK           23-24                  All    Advance        Enabled Trunk


Uplink:
SW2-DAWID#sh vlan interface vids 24
Port VLAN VLAN Name         VLAN VLAN Name         VLAN VLAN Name
---- ---- ----------------  ---- ----------------  ---- ----------------
24   100  VOICE             101  LAN-101           102  LAN-102
     776  MANAGEMENT        999  GAST
---- ---- ----------------  ---- ----------------  ---- ----------------



+ more details:
SW2-DAWID#sh vlan interface verbose 24
     Filter Filter
     Untag. Unreg.
Port Frames Frames PVID VLAN VLAN Name        PRI Tagging       Port Name
---- ------ ------ ---- ---- ---------------- --- ------------- --------------
24   No     Yes    1    100  VOICE            0   TagAll        Port 24
                        101  LAN-101
                        102  LAN-102
                        776  MANAGEMENT
                        999  GAST
---- ------ ------ ---- ---- ---------------- --- ------------- --------------



BTW, software:
- NAC Appliance - NetSight Suite v6.3.0.168
- ERS 4850GTS-PWR+ | FW:5.8.0.1
- ERS 3524GT-PWR+ | FW:5.3.0.6



*****************

- This is a pilot environment.
- I can upgrade the OS on the ERS 4800.
- I will try to connect only the ERS 4800 directly to the NAC network via the router and NOT via SW1.
- I can provide more details if you need them.
« Last Edit: February 10, 2016, 05:09:51 PM by mixthoor »
ACE-Fx I #00531


mixthoor
OK, the problem is on the 2nd SW (4800).
I've updated the FW and reinitialized the configuration. I see my non-EAP clients in NAC Manager and the switch shows me the non-EAP clients too:
SW2-4800(config)#sh eapol multihost non-eap-mac status
Port Client MAC Address State                                     Vid  Pri
---- ------------------ ----------------------------------------- ---- ---
15   44:AD:D9:BC:C5:1C  Authenticated By RADIUS                   N/A  N/A
15   C4:7D:46:16:30:4C  Authenticated By RADIUS                   N/A  N/A


but without the correct VLANs, argh!
ACE-Fx I #00531

mixthoor
OK, it works:
eapol multihost multivlan enable

and then I see:
SW2-4800(config)#sh eapol multihost non-eap-mac status
Port Client MAC Address State                                     Vid  Pri
---- ------------------ ----------------------------------------- ---- ---
15   44:AD:D9:BC:C5:1C  Authenticated By RADIUS                   100  0
15   C4:7D:46:16:30:4C  Authenticated By RADIUS                   101  0


--------

The solution was: FW upgrade and a new config of the RADIUS connection, SNMP connection and EAPoL.
ACE-Fx I #00531
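The two status tables in the posts above show the symptom (clients "Authenticated By RADIUS" but with Vid N/A) and the fixed state (Vid 100/101). The following is an added example, not code from the thread or from Avaya/Extreme: it parses pasted output of `show eapol multihost non-eap-mac status` and `show vlan interface vids <port>` in the exact column layout shown in the thread and flags authenticated clients that got no VLAN, plus clients whose RADIUS-assigned VLAN the port is not actually a member of (the second check goes beyond what the thread shows). The sample outputs embedded below are constructed after the thread's tables; the VLAN 200 case is invented for the example, and VLAN names are assumed to contain no spaces.

```python
"""Audit ERS non-EAP (MAC-auth) VLAN placement from pasted CLI output.

Added example (not from the thread or the vendor). Flags clients that are
RADIUS-authenticated but show Vid N/A, and clients assigned a VLAN the
port does not carry. All sample text below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed after the post-upgrade output: authenticated, no VLAN placed.
STATUS_NO_VLAN = """\
Port Client MAC Address State                                     Vid  Pri
---- ------------------ ----------------------------------------- ---- ---
15   44:AD:D9:BC:C5:1C  Authenticated By RADIUS                   N/A  N/A
15   C4:7D:46:16:30:4C  Authenticated By RADIUS                   N/A  N/A
"""

# Constructed after the working output once multivlan was enabled.
STATUS_OK = """\
Port Client MAC Address State                                     Vid  Pri
---- ------------------ ----------------------------------------- ---- ---
15   44:AD:D9:BC:C5:1C  Authenticated By RADIUS                   100  0
15   C4:7D:46:16:30:4C  Authenticated By RADIUS                   101  0
"""

# Constructed (not in the thread): RADIUS returns VLAN 200, which port 15 lacks.
STATUS_FOREIGN_VLAN = """\
Port Client MAC Address State                                     Vid  Pri
---- ------------------ ----------------------------------------- ---- ---
15   C4:7D:46:16:30:4C  Authenticated By RADIUS                   200  0
"""

# Constructed after SW1's 'show vlan interface vids 15' in the thread.
VIDS_PORT_15 = """\
Port VLAN VLAN Name         VLAN VLAN Name         VLAN VLAN Name
---- ---- ----------------  ---- ----------------  ---- ----------------
15   100  VOICE             101  LAN-101           102  LAN-102
     999  GAST
---- ---- ----------------  ---- ----------------  ---- ----------------
"""


@dataclass
class Client:
    port: int
    mac: str
    state: str
    vid: Optional[int]  # None when the switch prints N/A


# port, MAC, free-text state, Vid (number or N/A), Pri (number or N/A)
_STATUS_RE = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*?)\s+(N/A|\d+)\s+(N/A|\d+)\s*$"
)


def parse_status(text: str) -> List[Client]:
    """Data rows of 'show eapol multihost non-eap-mac status'; header/rule lines skipped."""
    clients = []
    for line in text.splitlines():
        m = _STATUS_RE.match(line)
        if not m:
            continue
        port, mac, state, vid, _pri = m.groups()
        clients.append(Client(int(port), mac.upper(), state.strip(),
                              None if vid == "N/A" else int(vid)))
    return clients


def parse_port_vids(text: str) -> Dict[int, Set[int]]:
    """Port -> VLAN IDs from 'show vlan interface vids'. Indented continuation
    lines (e.g. '     999  GAST') belong to the port on the line above."""
    members: Dict[int, Set[int]] = {}
    port: Optional[int] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Port", "----")):
            continue
        rest = line
        if not line[0].isspace():            # new port row: first token is the port
            port_tok, _, rest = line.partition(" ")
            port = int(port_tok)
        if port is None:
            continue
        for vid, _name in re.findall(r"(\d+)\s+(\S+)", rest):  # "<vid>  <name>" pairs
            members.setdefault(port, set()).add(int(vid))
    return members


def audit(clients: List[Client], members: Dict[int, Set[int]]) -> List[Tuple[str, str]]:
    """Return (mac, problem) for every client whose VLAN placement is wrong."""
    findings = []
    for c in clients:
        if c.vid is None:
            findings.append((c.mac, f"port {c.port}: authenticated but Vid N/A; check "
                                    "'eapol multihost multivlan' and the RADIUS VLAN attributes"))
        elif c.vid not in members.get(c.port, set()):
            findings.append((c.mac, f"port {c.port}: RADIUS assigned VLAN {c.vid} "
                                    "but the port is not a member of it"))
    return findings


if __name__ == "__main__":
    vids = parse_port_vids(VIDS_PORT_15)
    for label, status in (("no-vlan", STATUS_NO_VLAN), ("ok", STATUS_OK),
                          ("foreign", STATUS_FOREIGN_VLAN)):
        print(label, "->", audit(parse_status(status), vids) or "all clients placed")
```

Paste the real command output into the two string constants (or read them from files) to run it against a live switch; the "Vid N/A" finding is the state the second post shows before `eapol multihost multivlan enable` was set.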

Øyvind Nikolaisen
Look how easy it was - you solved it all yourself!  ;)

Joking aside, there are always a number of gotchas using 802.1X or NAC (if you want to punish yourself). The latest software is, in general, a good thing to use, as it usually contains a number of EAP-related bugfixes. On 5.8.1 on the ERS 4800 series, you'll find that after a stack reboot or power outage one or more units in the stack tend to put the clients in your fail-open VLAN (usually VLAN 1). 5.8.2 introduces some problems with auto-logon clients that move forward before authentication has finished (authentication takes longer on 5.8.2), thus missing their logon scripts.

5.9.2 seems to have solved the problems with stacks, although it takes a bit of time before all clients are moved to the correct VLANs. We are experiencing some strange TACACS+ errors, but have a case open with Avaya to solve this. Given that these issues will be solved, 5.9.2 will be the new golden release for our network and some 250+ stacks.

Brgds
Øyvind
Best regards,

Øyvind Nikolaisen
Senior Network Architect
NetNordic Communications AS
Avaya ACE Fx #204