ERS5520-48T-PWR 802.1x issue

  • duran87
    Aspiring Member
    • Oct 2015
    • 2

    ERS5520-48T-PWR 802.1x issue

    Hello,

    I am trying to configure 802.1x and MAC authentication on a switch port.
    First I upgraded the firmware to v6.3.5.025 to fix this: wi01208586

    So my goal is to have an Avaya VoIP phone (MAC auth) and a laptop behind the phone (802.1x or MAC auth).

    When I plug in the phone, ADAC detects it with LLDP and tags the port on the voice VLAN (192).
    When I plug in a laptop behind the phone, if the supplicant has been configured then 802.1x works; if there is no supplicant then MAC auth works.

    My issues are the following:

    First: I have configured machine authentication and user authentication on the laptop, so when I start the laptop I first get the machine auth and RADIUS returns VLAN 211; then the user opens his session and for user authentication RADIUS returns VLAN 2192. But the switch doesn't care about VLAN 2192 and keeps the port in VLAN 211.

    The second issue:
    When the laptop is connected behind the phone (802.1x) and we unplug and replug it, the ERS switch falls back directly to MAC authentication and after a while I get a new 802.1x auth.

    Here is my switch config:

    vlan ports 1/6 tagging unTagPvidOnly filter-unregistered-frames disable
    ! Vlan 192 is the Voice VLAN configured by ADAC
    vlan members 211 1/6
    vlan members 2192 1/6
    eapol multihost port 1/6 enable eap-mac-max 8 allow-non-eap-enable non-eap-mac-max 8 radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast adac-non-eap-enable
    eapol port 1/6 status auto traffic-control in re-authentication enable re-authentication-period 600
    eapol port 1/6 radius-dynamic-server enable
    lldp port 1/6 vendor-specific avaya dot1q-framing tagged
    adac port 1/6 tagged-frames-pvid 192
    adac port 1/6 tagged-frames-tagging tag-all
    adac port 1/6 enable
    spanning-tree port 1/6 learning fast

    Regards
    Fabrice
  • duran87
    Aspiring Member
    • Oct 2015
    • 2

    #2
    Hello,

    So I changed the switch port configuration to have this now:

    radius server host 172.20.135.2 acct-enable
    ! radius server host key ********

    radius dynamic-server client 172.20.135.2
    ! radius dynamic-server client 172.20.135.2 secret ****************
    ! radius dynamic-server client 172.20.135.2 enable
    radius dynamic-server client 172.20.135.2 process-change-of-auth-requests
    radius dynamic-server client 172.20.135.2 process-disconnect-requests


    eapol multihost allow-non-eap-enable
    eapol multihost radius-non-eap-enable
    eapol multihost non-eap-phone-enable
    eapol multihost use-radius-assigned-vlan
    eapol multihost non-eap-use-radius-assigned-vlan
    eapol multihost eap-packet-mode unicast
    eapol multihost use-most-recent-radius-vlan
    eapol multihost non-eap-reauthentication-enable
    eapol multihost adac-non-eap-enable

    interface FastEthernet ALL
    vlan ports 1/6 tagging tagAll
    eapol multihost port 1/6 enable eap-mac-max 8 allow-non-eap-enable non-eap-mac-max 8 radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan use-most-recent-radius-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast
    eapol port 1/6 status auto re-authentication enable re-authentication-period 600
    eapol port 1/6 radius-dynamic-server enable
    lldp port 1/6 vendor-specific avaya dot1q-framing tagged
    no adac detection port 1/6 mac
    adac port 1/6 tagged-frames-pvid 192
    adac port 1/6 tagged-frames-tagging tag-all
    adac port 1/6 enable
    spanning-tree port 1/6 learning fast

    Now my first issue is gone (VLAN change between machine auth and user auth).

    But the second issue is still there (disconnect the device behind the phone and get MAC auth instead of PEAP/MS-CHAPv2).

    Now I am facing some other issues:
    • When I plug the phone alone into the switch port, it works (it goes into the voice VLAN). If I plug a laptop behind the phone, it works (the phone stays in the voice VLAN and the laptop goes into the VLAN assigned by RADIUS), but when I disconnect the phone from the switch port and replug it, it never comes back to the voice VLAN but follows the laptop VLAN. So imagine I have a power outage: then none of my phones will work until I remove the laptop and restart the phone.

    • It looks like radius-dynamic-server doesn't work anymore (it looks like a regression in the firmware); I kept exactly the same configuration on the switch and I send exactly the same CoA (Disconnect Request).
    Here is the packet:
    'Event-Timestamp' => 1445972049,
    'Calling-Station-Id' => '98-90-96-A4-1C-0F',
    'NAS-IP-Address' => '172.26.220.30'


    Does anyone have the same issue on the Avaya switch?

    Btw I am not able to replicate all these issues on a 3524GT-PWR+ (v5.2.2.003) switch; it works as expected (here is the configuration).

    radius server host 172.20.135.2 acct-enable
    ! radius server host key ********
    ! radius server host key ******** used-by eapol
    ! radius server host key ******** used-by non-eapol
    radius dynamic-server client 172.20.135.2
    ! radius dynamic-server client 172.20.135.2 secret ****************
    ! radius dynamic-server client 172.20.135.2 enable
    radius dynamic-server client 172.20.135.2 process-change-of-auth-requests
    radius dynamic-server client 172.20.135.2 process-disconnect-requests

    eapol multihost allow-non-eap-enable
    eapol multihost radius-non-eap-enable
    eapol multihost non-eap-phone-enable
    eapol multihost use-radius-assigned-vlan
    eapol multihost non-eap-use-radius-assigned-vlan
    eapol multihost eap-packet-mode unicast
    eapol multihost non-eap-reauthentication-enable
    eapol multihost adac-non-eap-enable

    interface FastEthernet ALL
    vlan ports 7 tagging tagAll
    eapol multihost port 7 enable eap-mac-max 8 allow-non-eap-enable non-eap-mac-max 8 radius-non-eap-enable auto-non-eap-mhsa-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast adac-non-eap-enable
    eapol port 7 status auto traffic-control in re-authentication enable re-authentication-period 60
    eapol port 7 radius-dynamic-server enable
    lldp port 7 vendor-specific avaya dot1q-framing tagged
    no adac detection port 7 mac
    adac port 7 tagged-frames-pvid 3
    adac port 7 tagged-frames-tagging tag-all
    adac port 7 enable
    spanning-tree port 7 learning fast

    For me it looks like bugs in the firmware since it works perfectly on the ERS3500 switch.

    Any help will be appreciated.

    Regards
    Fabrice
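As an added example (not from this thread or from Avaya), here is how the Disconnect-Request quoted above is encoded and authenticated per RFC 5176: the switch recomputes the Request Authenticator with its configured dynamic-server secret and silently discards the packet on mismatch, so a secret mismatch between server and switch is one thing to rule out before suspecting a firmware regression. The secret, the packet identifier and the reuse of the post's attribute values as sample input are constructed here.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST = 40   # RADIUS packet code, RFC 5176
NAS_IP_ADDRESS = 4        # attribute types, RFC 2865 / RFC 2869
CALLING_STATION_ID = 31
EVENT_TIMESTAMP = 55

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 octet), Length (1 octet, incl. header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def disconnect_attributes(calling_station_id: str, nas_ip: str, event_ts: int) -> bytes:
    """The three attributes quoted in the post, in wire form."""
    return (attr(EVENT_TIMESTAMP, struct.pack("!I", event_ts))
            + attr(CALLING_STATION_ID, calling_station_id.encode("ascii"))
            + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))

def request_authenticator(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_disconnect_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Complete Disconnect-Request as the RADIUS server sends it to the switch."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator(DISCONNECT_REQUEST, identifier, attrs, secret) + attrs

def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the switch does on receipt: recompute with its own dynamic-server secret.
    A mismatch is silently discarded, which from the server side looks like CoA not working."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = request_authenticator(packet[0], packet[1], packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list so the bytes can be checked against the server's dump."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        out[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return out
```

Feeding a packet captured from the real server into verify_request_authenticator with the switch-side secret tells you whether the two secrets agree; parse_attributes lets you compare the attribute bytes with what the server logged.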


    • bdholmes
      Hot Shot
      • Aug 2014
      • 16

      #3
      We use multihost/multivlan mode here, but what does the switch show for LLDP after you re-plug the phone?
      Brian Holmes

      Network Architect
      Fiat Chrysler Automobiles
