25 Mar

help – networking

   Posted by: cristina_crow   in technical

Because I'm pressed for time and either I'm not on good terms with Google or I haven't searched enough and carefully enough, I can't solve the problem below, therefore I would appreciate any help :)

…copy-pasted from the e-mails sent to rlug-offtopic

*** the only "discovery" so far is that the switch works in 2 modes: campus-mode and isp-mode; campus-mode, after authentication (on a temporary vlan), throws the user into another, permanent vlan; I haven't found exactly how that is done, nor how to switch / whether one can _somehow_ switch between campus-mode and isp-mode

————–

Hi

For a few days I've been struggling to set up an 802.1x MultiAuth unicast scenario. The client is a proprietary application that generates EAPoL (802.1x) traffic, the authenticator is a Summit48si running ExtremeWare Version 7.3.0.49 [non-ssh], and the authentication server is an ACS 4.1.

1. The client application is the one I'm testing to make sure it generates EAP traffic correctly; what comes on top of EAP is irrelevant; the problem then lies in ACS;
2. The switch: the Summit was chosen because it can do 802.1x (netlogin) on tagged (trunk) ports as well; the idea is that the traffic I send is EAP-encapsulated but also carries a vlan tag; that is the test;
3. ACS has a set of users and access policies (which are also configured on the client).

Problem: authentication Fails, the Summit closes my ports and reports Auth failed, although ACS logs that the users were authenticated.

I'm no Summit guru, and I haven't searched Google until my hair turned grey either; anyway, the information about this switch is pretty scarce, even in their UserGuide :(

Thanks,
Cristina

—————————————————————————
Summit config:

configure sys-health-check alarm-level Log
create vlan "vlan10"
create vlan "vlan20"
create vlan "st10"
create vlan "st6"
create vlan "st7"
create vlan "st8"
create vlan "st9"

#
# Route Map Configuration.
#

#
# Config information for VLAN Default.
configure vlan "Default" tag 1    # VLAN-ID=0x1  Global Tag 1
configure stpd s0 add vlan "Default"
configure vlan "Default" ipaddress 60.60.60.3 255.255.255.0
configure vlan "Default" add port 1 untagged
configure vlan "Default" add port 2 untagged
configure vlan "Default" add port 3 untagged
configure vlan "Default" add port 4 untagged
configure vlan "Default" add port 5 untagged
configure vlan "Default" add port 49 untagged
configure vlan "Default" add port 50 untagged
#
# Config information for VLAN vlan10.
configure vlan "vlan10" tag 10    # VLAN-ID=0xa  Global Tag 4
configure vlan "vlan10" add port 17 untagged
configure vlan "vlan10" add port 21 tagged
configure vlan "vlan10" add port 22 tagged
configure vlan "vlan10" add port 23 tagged
configure vlan "vlan10" add port 24 tagged
configure vlan "vlan10" add port 25 tagged
configure vlan "vlan10" add port 26 tagged
configure vlan "vlan10" add port 27 tagged
configure vlan "vlan10" add port 28 tagged
configure vlan "vlan10" add port 29 tagged
#
# Config information for VLAN vlan20.
configure vlan "vlan20" tag 20    # VLAN-ID=0x14  Global Tag 5
configure vlan "vlan20" add port 18 untagged
configure vlan "vlan20" add port 30 tagged
configure vlan "vlan20" add port 31 tagged
configure vlan "vlan20" add port 32 tagged
configure vlan "vlan20" add port 33 tagged
configure vlan "vlan20" add port 34 tagged
configure vlan "vlan20" add port 35 tagged
configure vlan "vlan20" add port 36 tagged
configure vlan "vlan20" add port 37 tagged
configure vlan "vlan20" add port 38 tagged
#
# Config information for VLAN st10.
configure vlan "st10" tag 510    # VLAN-ID=0x1fe  Global Tag 6
configure vlan "st10" add port 16 untagged
configure vlan "st10" add port 5 tagged
configure vlan "st10" add port 6 tagged
configure vlan "st10" add port 7 tagged
configure vlan "st10" add port 8 tagged
configure vlan "st10" add port 9 tagged
configure vlan "st10" add port 10 tagged
configure vlan "st10" add port 11 tagged
#
# Config information for VLAN st6.
configure vlan "st6" tag 506    # VLAN-ID=0x1fa  Global Tag 34
configure vlan "st6" add port 12 untagged
configure vlan "st6" add port 5 tagged
configure vlan "st6" add port 6 tagged
configure vlan "st6" add port 7 tagged
configure vlan "st6" add port 8 tagged
configure vlan "st6" add port 9 tagged
configure vlan "st6" add port 10 tagged
configure vlan "st6" add port 11 tagged
#
# Config information for VLAN st7.
configure vlan "st7" tag 507    # VLAN-ID=0x1fb  Global Tag 35
configure vlan "st7" add port 13 untagged
configure vlan "st7" add port 5 tagged
configure vlan "st7" add port 6 tagged
configure vlan "st7" add port 7 tagged
configure vlan "st7" add port 8 tagged
configure vlan "st7" add port 9 tagged
configure vlan "st7" add port 10 tagged
configure vlan "st7" add port 11 tagged
#
# Config information for VLAN st8.
configure vlan "st8" tag 508    # VLAN-ID=0x1fc  Global Tag 36
configure vlan "st8" add port 14 untagged
configure vlan "st8" add port 5 tagged
configure vlan "st8" add port 6 tagged
configure vlan "st8" add port 7 tagged
configure vlan "st8" add port 8 tagged
configure vlan "st8" add port 9 tagged
configure vlan "st8" add port 10 tagged
configure vlan "st8" add port 11 tagged
#
# Config information for VLAN st9.
configure vlan "st9" tag 509    # VLAN-ID=0x1fd  Global Tag 37
configure vlan "st9" add port 15 untagged
configure vlan "st9" add port 5 tagged
configure vlan "st9" add port 6 tagged
configure vlan "st9" add port 7 tagged
configure vlan "st9" add port 8 tagged
configure vlan "st9" add port 9 tagged
configure vlan "st9" add port 10 tagged
configure vlan "st9" add port 11 tagged
disable telnet
enable web http
disable web https
# SNMP Configuration

enable cli-prompt-number

# Load Sharing Configuration
configure lacp keep-alive 10

# Protocol definitions

# Spanning tree information

# GVRP configuration

# MAC FDB configuration and static entries

configure ipfdb agingtime 0

# -- IP Interface[0] = "Default"

# Global IP settings.
#
# IP ARP Configuration
configure iparp max-entries 8192
#
# IP Route Configuration
configure iproute add default 60.60.60.1 1
# Multicast configuration
disable igmp snooping
enable igmp snooping vlan "Default"
enable igmp snooping vlan "MacVlanDiscover"
enable igmp snooping vlan "vlan10"
enable igmp snooping vlan "vlan20"
enable igmp snooping vlan "st10"
enable igmp snooping vlan "st6"
enable igmp snooping vlan "st7"
enable igmp snooping vlan "st8"
enable igmp snooping vlan "st9"
# RIP interface configuration
# RIP global parameter configuration

enable radius
configure radius primary shared-secret encrypted "TMH"
configure radius timeout 30
configure radius primary server 60.60.60.1 1645 client-ip 60.60.60.3
configure radius primary server 60.60.60.1 timeout 30

# Network Login Configuration
enable netlogin port 5 vlan st6
enable netlogin port 6 vlan st6
enable netlogin port 7 vlan st6
enable netlogin port 8 vlan st6
enable netlogin port 9 vlan st6
enable netlogin port 10 vlan st6
enable netlogin port 11 vlan st6
enable netlogin port 5 vlan st9
enable netlogin port 6 vlan st9
enable netlogin port 7 vlan st9
enable netlogin port 8 vlan st9
enable netlogin port 9 vlan st9
enable netlogin port 10 vlan st9
enable netlogin port 11 vlan st9
enable netlogin port 5 vlan st10
enable netlogin port 6 vlan st10
enable netlogin port 7 vlan st10
enable netlogin port 8 vlan st10
enable netlogin port 9 vlan st10
enable netlogin port 10 vlan st10
enable netlogin port 11 vlan st10
enable netlogin Session-Refresh 1

——————————————————————-
Errors I see on the Summit when I run the test:

03/25/2009 00:39:10.56 <Info:SYST> Authentication failed for DOT1X user fast-nac Mac 00:3d:ca:78:01:01 Port 9
03/25/2009 00:39:11.03 <Info:USER> Network Login 802.1x User fast-nac logged in (0.0.0.0) Mac 00:3d:ca:78:01:05 Port 9 Vlan st9
03/25/2009 00:39:11.03 <Info:USER> Network Login 802.1x User fast-nac Logged into VLAN st9
03/25/2009 00:39:11.03 <Info:SYST> Network Login failed for CAMPUS-MODE user fast-nac mac 00:3d:ca:78:01:05 (Dest. vlan st9) : port 9 is a tagged port for Vlan st9
03/25/2009 00:39:11.03 <Info:SYST> Authentication failed for DOT1X user fast-nac Mac 00:3d:ca:78:01:05 Port 9
03/25/2009 00:39:11.06 <Info:USER> Network Login 802.1x User fast-nac logged in (0.0.0.0) Mac 00:3d:ca:78:01:04 Port 9 Vlan st9
03/25/2009 00:39:11.06 <Info:USER> Network Login 802.1x User fast-nac Logged into VLAN st9
03/25/2009 00:39:11.06 <Info:SYST> Network Login failed for CAMPUS-MODE user fast-nac mac 00:3d:ca:78:01:04 (Dest. vlan st9) : port 9 is a tagged port for Vlan st9
03/25/2009 00:39:11.06 <Info:SYST> Authentication failed for DOT1X user fast-nac Mac 00:3d:ca:78:01:04 Port 9
03/25/2009 00:39:11.18 <Info:USER> Network Login 802.1x User fast-nac logged in (0.0.0.0) Mac 00:3d:ca:78:01:03 Port 9 Vlan st9
03/25/2009 00:39:11.18 <Info:USER> Network Login 802.1x User fast-nac Logged into VLAN st9
03/25/2009 00:39:11.19 <Info:SYST> Network Login failed for CAMPUS-MODE user fast-nac mac 00:3d:ca:78:01:03 (Dest. vlan st9) : port 9 is a tagged port for Vlan st9
03/25/2009 00:39:11.19 <Info:SYST> Authentication failed for DOT1X user fast-nac Mac 00:3d:ca:78:01:03 Port 9

————————————————————–

ACS reports authentication successful for all the users used in this test.

—————————————————————-
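Added here as an editor's example, not part of the original post: a small Python parser over the Summit log lines quoted above. It separates the RADIUS-level outcome (the "logged in" message, i.e. the switch did receive an accept for that MAC) from the netlogin VLAN-placement failure and the reason the switch gives, so the mismatch between "ACS says success" and "Summit says Auth failed" becomes visible per MAC. The line shape and the keyword-based classification are assumptions drawn only from these lines; the sample input is constructed from the quoted text.

```python
import re

# Constructed sample: five of the lines the post quotes from the Summit, one event per line.
SAMPLE_LOG = """\
03/25/2009 00:39:10.56 <Info:SYST> Authentication failed for DOT1X user fast-nac Mac 00:3d:ca:78:01:01 Port 9
03/25/2009 00:39:11.03 <Info:USER> Network Login 802.1x User fast-nac logged in (0.0.0.0) Mac 00:3d:ca:78:01:05 Port 9 Vlan st9
03/25/2009 00:39:11.03 <Info:USER> Network Login 802.1x User fast-nac Logged into VLAN st9
03/25/2009 00:39:11.03 <Info:SYST> Network Login failed for CAMPUS-MODE user fast-nac mac 00:3d:ca:78:01:05 (Dest. vlan st9) : port 9 is a tagged port for Vlan st9
03/25/2009 00:39:11.03 <Info:SYST> Authentication failed for DOT1X user fast-nac Mac 00:3d:ca:78:01:05 Port 9
"""

# Assumed line shape: "<date> <time> <Severity:Component> <message>" (inferred from the quoted lines only).
LINE_RE = re.compile(r"^(?P<date>\S+)\s+(?P<time>\S+)\s+<(?P<sev>\w+):(?P<comp>\w+)>\s+(?P<msg>.*)$")
MAC_RE = re.compile(r"\b[Mm]ac ((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")
PORT_RE = re.compile(r"\b[Pp]ort (\d+)")
CAMPUS_FAIL_RE = re.compile(
    r"Network Login failed for CAMPUS-MODE user (?P<user>\S+) mac (?P<mac>\S+) "
    r"\(Dest\. vlan (?P<vlan>\S+)\) : (?P<reason>.*)$"
)


def parse_line(line):
    """Return one event dict for a Summit log line, or None if the line does not match the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    mac = MAC_RE.search(msg)
    port = PORT_RE.search(msg)
    ev = {
        "ts": f"{m['date']} {m['time']}",
        "component": m["comp"],
        "mac": mac.group(1).lower() if mac else None,
        "port": int(port.group(1)) if port else None,
        "kind": "other",
        "vlan": None,
        "reason": None,
    }
    if "Authentication failed for DOT1X" in msg:
        ev["kind"] = "dot1x_failed"          # final verdict the switch reports to the supplicant
    elif "logged in" in msg:
        ev["kind"] = "radius_accepted"       # the switch got an accept and is about to place the MAC in a VLAN
        v = re.search(r"Vlan (\S+)$", msg)
        ev["vlan"] = v.group(1) if v else None
    else:
        cf = CAMPUS_FAIL_RE.search(msg)
        if cf:
            ev["kind"] = "vlan_move_failed"  # campus-mode placement into the destination VLAN was refused
            ev["vlan"] = cf["vlan"]
            ev["reason"] = cf["reason"]
    return ev


def summarize(log_text):
    """Fold the events into one record per client MAC."""
    by_mac = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or not ev["mac"]:
            continue  # lines without a MAC (e.g. "Logged into VLAN st9") cannot be attributed to a client
        rec = by_mac.setdefault(ev["mac"], {
            "port": ev["port"], "radius_accepted": False,
            "dest_vlan": None, "failure_reason": None, "final": "unknown",
        })
        if rec["port"] is None:
            rec["port"] = ev["port"]
        if ev["kind"] == "radius_accepted":
            rec["radius_accepted"] = True
            rec["dest_vlan"] = ev["vlan"]
        elif ev["kind"] == "vlan_move_failed":
            rec["dest_vlan"] = ev["vlan"]
            rec["failure_reason"] = ev["reason"]
        elif ev["kind"] == "dot1x_failed":
            rec["final"] = "failed"
    return by_mac


def accepted_but_rejected(summary):
    """MACs the RADIUS server accepted but the switch still reported as failed: the post's symptom."""
    return sorted(mac for mac, r in summary.items() if r["radius_accepted"] and r["final"] == "failed")


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for mac, r in s.items():
        print(mac, r)
    print("accepted by RADIUS but failed on the switch:", accepted_but_rejected(s))
```

Run against the full quoted log, every "logged in" MAC ends up in the second list with the same stated reason, which is the fact worth taking to the switch configuration rather than to ACS.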


This entry was posted on Wednesday, March 25th, 2009 at 3:35 pm and is filed under technical. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

9 comments so far

 1 

erase startup-config
reload

go home

March 25th, 2009 at 6:32 pm
 2 

@sin: I knew you'd always give me the best solutions ;))

March 25th, 2009 at 6:36 pm
 3 

Many devices that can talk to a RADIUS server (and, in particular, IEEE 802.1X-aware boxes) expect more than a "YES" or "NO" from the server in question (Access-Accept/Access-Reject in the specific terminology).

Check which attributes the Summit expects from RADIUS and verify that it really receives them. I've had my hands on Nortel, HP, Cisco and many others, and all of them were completely unforgiving when they received an incomplete/erroneous set of attributes, *even if* the decision was "Access-Accept".

Hope this helps,
@Dexter

March 25th, 2009 at 6:53 pm
 4 

@Dexter: I think it wants the destination vlan (which ACS tells it), i.e. which vlan to throw that user into:
VSA: Extreme-Netlogin-VLAN
but that vlan has to exist and be configured correctly on the switch

March 25th, 2009 at 6:55 pm
 5 

Not necessarily; for example, on HPs I could dictate from RADIUS any VLAN the switch had learned through GVRP (so dynamic, not configured beforehand). I don't know whether that applies to your box as well, but maybe it helps.

@Dexter

March 25th, 2009 at 8:40 pm
 6 

so: I know where I went wrong and I know what I have to do :D
1. a Vendor ID must be defined on ACS; you can define at most 9, and this is done with CSutil;
2. also on ACS, for that Vendor, some VSAs must be matched to the IDs the Summit "understands"; namely, for what I was interested in, Extreme-Netlogin-VLAN must have ID 203;
3. also on ACS, the VSAs I'm interested in must be enabled for the user/group;
4. also on ACS, at user level (or group, as the case may be), the VSA I'm interested in must be enabled and given the value I want ACS to send to the Summit when that user authenticates successfully: in my case, I give the value st6 for the MD5 user, on the Extreme-Netlogin-VLAN VSA.

How to do all of the above with CSutil... we'll see :P

March 25th, 2009 at 8:58 pm
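Added as an editor's example (not the commenter's, Extreme's or Cisco's code): what step 2 above and Dexter's earlier point about attributes amount to on the wire. It builds the Vendor-Specific attribute (RFC 2865 type 26) carrying Extreme-Netlogin-VLAN with vendor-type 203 and the value st6, wraps it in an Access-Accept with a Response Authenticator, and parses it back the way the switch would, so an Access-Accept that is missing the VSA is distinguishable from one that carries it. It assumes Extreme Networks' IANA enterprise number 1916 (taken from the FreeRADIUS vendor dictionary, not stated on this page), a constructed shared secret and a constructed Request Authenticator.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
EXTREME_VENDOR_ID = 1916        # assumption: Extreme Networks' IANA enterprise number (FreeRADIUS dictionary.extreme)
EXTREME_NETLOGIN_VLAN = 203     # vendor-type the comment above says the Summit expects for Extreme-Netlogin-VLAN


def encode_vsa(vendor_id, vendor_type, value):
    """RFC 2865 5.26: Type=26, Length, Vendor-Id(4 bytes), then vendor-type, vendor-length, value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(data):
    """Parse a RADIUS attribute list into ('attr', type, value) and ('vsa', vendor_id, vendor_type, value) tuples."""
    out = []
    i = 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        val = data[i + 2:i + length]
        if t == ATTR_VENDOR_SPECIFIC and len(val) >= 4:
            vendor_id = struct.unpack("!I", val[:4])[0]
            j = 4
            while j < len(val):  # a VSA may carry several vendor sub-attributes back to back
                if j + 1 >= len(val):
                    raise ValueError("truncated vendor sub-attribute")
                vt, vl = val[j], val[j + 1]
                if vl < 2 or j + vl > len(val):
                    raise ValueError("malformed vendor sub-attribute length")
                out.append(("vsa", vendor_id, vt, val[j + 2:j + vl]))
                j += vl
        else:
            out.append(("attr", t, val))
        i += length
    return out


def netlogin_vlan(attrs):
    """The VLAN name the switch would read from Extreme-Netlogin-VLAN, or None if the accept does not carry it."""
    for a in attrs:
        if a[0] == "vsa" and a[1] == EXTREME_VENDOR_ID and a[2] == EXTREME_NETLOGIN_VLAN:
            return a[3].decode("ascii")
    return None


def build_access_accept(identifier, request_authenticator, shared_secret, attributes):
    """Access-Accept with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    resp_auth = hashlib.md5(header + request_authenticator + attributes + shared_secret).digest()
    return header + resp_auth + attributes


def verify_response_authenticator(packet, request_authenticator, shared_secret):
    """What the NAS does before trusting the reply: recompute the Response Authenticator over the packet."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + shared_secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    req_auth = bytes(range(16))            # constructed; in practice copied from the Access-Request
    secret = b"constructed-secret"         # constructed; never the switch's real shared secret
    vsa = encode_vsa(EXTREME_VENDOR_ID, EXTREME_NETLOGIN_VLAN, b"st6")
    pkt = build_access_accept(7, req_auth, secret, vsa)
    print("authenticator ok:", verify_response_authenticator(pkt, req_auth, secret))
    print("VLAN carried in the accept:", netlogin_vlan(decode_attributes(pkt[20:])))
    print("bare Access-Accept carries:", netlogin_vlan(decode_attributes(b"")))
```

The bare-accept case at the end is the situation Dexter describes: the decision is Access-Accept, but with no Extreme-Netlogin-VLAN the switch has nothing to act on. Whatever value the VSA carries must also be a VLAN that exists on the switch, as the earlier comment notes.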
 7 

What you wrote above sounds right (makes sense) and I also think you've just found the solution :-)
Hope it works out for you (and that you get some sleep today :D )

@Dexter

March 25th, 2009 at 9:05 pm
 8 

cool, thanks; anyway, ACS seems a bit picky... and it doesn't want to answer the Summit's access-requests _at all_ anymore (after the changes I made :P)

March 25th, 2009 at 9:11 pm
 9 

I know you'll throw something at me, but I (warmly) recommend FreeRADIUS :-) At least for testing, until you figure out how it works, or how it should work.
It's the only server-type machine for which I never needed tcpdump, because it tells me everything I need to know on its own :D

@Dexter

March 25th, 2009 at 9:16 pm
