Occasional Contributor
Posts: 10
Registered: ‎09-16-2016
Accepted Solution

Switch not allowing devices onto dynamically assigned VLAN but gets Access-Accept

I have an ICX6430 and I got the switch to do 802.1x with mac-address authentication. My device is sending it an access-accept with the right attributes, but it doesn't seem to be permitting the device onto the network. I used the mac table to verify this but I am wondering if there is another way to check the dynamically assigned ports.

I've tried string 802 and decimal 6 for the tunnel-medium attribute and neither work.

Here is my tcpdump showing the communication:

# tcpdump -vvv -i igb3 host 192.168.5.11
tcpdump: listening on igb3, link-type EN10MB (Ethernet), capture size 65535 bytes
15:36:41.549283 IP (tos 0x0, ttl 64, id 3435, offset 0, flags [none], proto UDP (17), length 149)
    192.168.5.11.1060 > 192.168.5.1.radius: [udp sum ok] RADIUS, length: 121
	Access Request (1), id: 0x0b, Authenticator: 3702170c1fe7fde45afbb8ce4818ff02
	  Username Attribute (1), length: 14, Value: 288023d4d13d
	    0x0000:  3238 3830 3233 6434 6431 3364
	  Password Attribute (2), length: 18, Value:
	    0x0000:  24ef 755f e3d8 2eb2 5153 94bf b99d 4761
	  Service Type Attribute (6), length: 6, Value: Framed
	    0x0000:  0000 0002
	  Framed MTU Attribute (12), length: 6, Value: 1500
	    0x0000:  0000 05dc
	  NAS IP Address Attribute (4), length: 6, Value: 192.168.5.11
	    0x0000:  c0a8 050b
	  NAS Port Type Attribute (61), length: 6, Value: Ethernet
	    0x0000:  0000 000f
	  NAS Port Attribute (5), length: 6, Value: 10
	    0x0000:  0000 000a
	  NAS ID Attribute (32), length: 20, Value: ICX6430-24P Switch
	    0x0000:  4943 5836 3433 302d 3234 5020 5377 6974
	    0x0010:  6368
	  Calling Station Attribute (31), length: 19, Value: 28-80-23-D4-D1-3D
	    0x0000:  3238 2d38 302d 3233 2d44 342d 4431 2d33
	    0x0010:  44
15:36:41.561807 IP (tos 0x0, ttl 64, id 35707, offset 0, flags [none], proto UDP (17), length 66)
    192.168.5.1.radius > 192.168.5.11.1060: [bad udp cksum 0x8b9c -> 0x152a!] RADIUS, length: 38
	Access Accept (2), id: 0x0b, Authenticator: 3e691b63b337d5f3f49399e5248f8819
	  Tunnel Medium Attribute (65), length: 6, Value: Tag[Unused]802
	    0x0000:  0000 0006
	  Tunnel Type Attribute (64), length: 6, Value: Tag[Unused]#13
	    0x0000:  0000 000d
	  Tunnel Private Group Attribute (81), length: 6, Value: 1002
	    0x0000:  3130 3032

And here is my switch config:

SSH@ICX6430-24P Switch#show run
Current configuration:
!
ver 08.0.10mT311
!
stack unit 1
  module 1 icx6430-24p-poe-port-management-module
  module 2 icx6430-sfp-4port-4g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan-group 1 vlan 2 to 100
 add-vlan 103 to 4086
 tagged ethe 1/1/9 to 1/1/24
 no spanning-tree
!
vlan 101 by port
 tagged ethe 1/1/9 to 1/1/24
 untagged ethe 1/1/1
!
vlan 102 by port
 tagged ethe 1/1/9 to 1/1/24
 untagged ethe 1/1/2
!
!
!
!
dot1x-enable
 auth-fail-vlanid 5
 enable ethe 1/1/9 to 1/1/12
!
system-max vlan 4095
!
aaa authentication dot1x default radius
aaa authentication login default local
ip address 192.168.5.11 255.255.255.0
no ip dhcp-client enable
ip default-gateway 192.168.5.1
!
username admin password .....
radius-server host 192.168.5.1 auth-port 1812 acct-port 1813 authentication-only key 2 $UFB7RSxzOUIjY249TVB9d1U/MGlhKw== dot1x
!
!
mac-authentication enable
interface ethernet 1/1/9
 dot1x port-control auto
 dual-mode
 mac-authentication enable
!
interface ethernet 1/1/10
 dot1x port-control auto
 dual-mode
 mac-authentication enable
!
interface ethernet 1/1/11
 dot1x port-control auto
 dual-mode
 mac-authentication enable
 inline power
!
interface ethernet 1/1/12
 dot1x port-control auto
 dual-mode
 mac-authentication enable
 inline power
!
interface ethernet 1/1/13
 dual-mode
 inline power
!
interface ethernet 1/1/14
 dual-mode
 inline power
!
interface ethernet 1/1/15
 dual-mode
!
interface ethernet 1/1/16
 dual-mode
!
interface ethernet 1/1/17
 dual-mode
!
interface ethernet 1/1/18
 dual-mode
!
interface ethernet 1/1/19
 dual-mode
!
interface ethernet 1/1/20
 dual-mode
!
interface ethernet 1/1/21
 dual-mode
!
interface ethernet 1/1/22
 dual-mode
!
interface ethernet 1/1/23
 dual-mode
!
interface ethernet 1/1/24
 dual-mode
!
!
!
!
!
!
!
!
end

Thanks,

-gns
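
The Access-Accept from the capture above, decoded the way a NAS has to read it (RFC 2868 tunnel attributes, each with a leading tag octet). This is an added example, not the poster's or Brocade's code; the packet bytes are reconstructed from the tcpdump output, and the attribute and value constants are the RFC 2868 numbers.

```python
"""Decode the Access-Accept from the tcpdump above and check that its
RFC 2868 tunnel attributes describe a VLAN assignment the NAS can act on."""
import struct

# Packet bytes reconstructed from the capture: code 2, id 0x0b, length 38,
# the printed authenticator, then the three attribute TLVs and their hex.
ACCESS_ACCEPT = (
    bytes([2, 0x0B]) + struct.pack("!H", 38)
    + bytes.fromhex("3e691b63b337d5f3f49399e5248f8819")
    + bytes.fromhex("41 06 0000 0006")   # Tunnel-Medium-Type (65): tag 0, 6 = IEEE-802
    + bytes.fromhex("40 06 0000 000d")   # Tunnel-Type (64): tag 0, 13 = VLAN
    + bytes.fromhex("51 06 3130 3032")   # Tunnel-Private-Group-ID (81): "1002"
)

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def decode_tunnel_attrs(packet):
    """Walk the attribute TLVs and return {type: (tag, value)} for the
    tunnel attributes. Per RFC 2868 the first value octet is a tag only
    when it is <= 0x1F; otherwise (as in the string "1002") it is data."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 3 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        data = packet[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = (data[0], int.from_bytes(data[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag = data[0] if data[0] <= 0x1F else None
            found[atype] = (tag, (data[1:] if tag is not None else data).decode())
        pos += alen
    return found


def dynamic_vlan(packet):
    """VLAN ID the switch should place the client in, or None if the three
    attributes are missing, inconsistent, or not a numeric VLAN ID."""
    attrs = decode_tunnel_attrs(packet)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if not all(t in attrs for t in needed):
        return None
    if attrs[TUNNEL_TYPE][1] != VLAN or attrs[TUNNEL_MEDIUM_TYPE][1] != IEEE_802:
        return None
    group = attrs[TUNNEL_PRIVATE_GROUP_ID][1]
    return int(group) if group.isdigit() else None
```

The "Tag[Unused]" that tcpdump prints is tag 0; the Tunnel-Private-Group-ID has no tag because its first octet ("1", 0x31) is above 0x1F.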

Re: Switch not allowing devices onto dynamically assigned VLAN but gets Access-Accept

Also, I found this show command. Is there a way to figure out why the switch doesn't like the attributes?

SSH@ICX6430-24P Switch#show dot1x mac-sessions

Port  MAC/IP(username)                Vlan Auth    ACL   Age   PAE
                                           State               State
-----------------------------------------------------------------------------
1/1/11 0180.c200.0003 :N/A             1    init    none  N/A   CONNECTING

Thanks,

-gns

Re: Switch not allowing devices onto dynamically assigned VLAN but gets Access-Accept

Ok, progress has been made. I needed to have the command:

mac-authentication enable-dynamic-vlan

on each interface.

Now when I do a show ip int eth 1/1/12 I see this:

SSH@ICX6430-24P Switch(config)#show int eth 1/1/12
GigabitEthernet1/1/12 is up, line protocol is up
  Port up for 12 minutes 39 seconds
  Hardware is GigabitEthernet, address is 609c.9f7d.b96b (bia 609c.9f7d.b96b)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDI
  Member of L2 VLAN ID 1003, port is untagged, port state is FORWARDING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Flow Control is config enabled, oper enabled, negotiation disabled
  Mirror disabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  No port name
  Inter-Packet Gap (IPG) is 96 bit times
  MTU 1500 bytes
  300 second input rate: 296 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 32 bits/sec, 0 packets/sec, 0.00% utilization
  527 packets input, 77279 bytes, 0 no buffer
  Received 200 broadcasts, 327 multicasts, 0 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  338 packets output, 21804 bytes, 0 underruns
  Transmitted 2 broadcasts, 297 multicasts, 39 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

So the interface should be on the right VLAN, however I cannot communicate on that VLAN with the machine. It isn't able to pull dhcp (L2 bcast).

-gns

Re: Switch not allowing devices onto dynamically assigned VLAN but gets Access-Accept

I should add that if I make an interface native on vlan 1003 or 1004 then they get an IP and everything works fine. It is only when they are dynamically assigned this VLAN that they are unable to communicate.

-gns

Re: Switch not allowing devices onto dynamically assigned VLAN but gets Access-Accept

Ok, I think the issue is the PAE state. I did the following:

SSH@ICX6430-24P Switch(config)#show dot1x mac-sessions

Port  MAC/IP(username)                Vlan Auth    ACL   Age   PAE
                                           State               State
-----------------------------------------------------------------------------
1/1/10 2880.23d4.d13d :N/A             1004 init    none  S19   CONNECTING

So I think that traffic isn't permitted because the PAE state isn't connected. Does anyone know about this?

-gns

Re: Switch not allowing devices onto dynamically assigned VLAN but gets Access-Accept

Ok, I hope someone finds this helpful since this was just a long session of talking to myself. I figured it out. When doing dynamic VLANs you shouldn't use dot1x at all (even though the mechanism is 802.1x MAB). So, I took that stuff out and it works. Below is my config for anyone to use.

To summarize my issues:

  • Needed to enable mac-authentication enable-dynamic-vlan
  • Needed to get rid of the dot1x stuff

SSH@ICX6430-24P Switch(config)#show run
Current configuration:
!
ver 08.0.10mT311
!
stack unit 1
  module 1 icx6430-24p-poe-port-management-module
  module 2 icx6430-sfp-4port-4g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan-group 1 vlan 2 to 100
 add-vlan 103 to 4086
 tagged ethe 1/1/13 to 1/1/24
 no spanning-tree
!
vlan 101 by port
 tagged ethe 1/1/13 to 1/1/24
 untagged ethe 1/1/1
!
vlan 102 by port
 tagged ethe 1/1/13 to 1/1/24
 untagged ethe 1/1/2
!
!
!
!
system-max vlan 4095
!
aaa authentication login default local
ip address 192.168.5.11 255.255.255.0
no ip dhcp-client enable
ip default-gateway 192.168.5.1
!
username admin password .....
radius-server host 192.168.5.1 auth-port 1812 acct-port 1813 authentication-only key 2 $UFB7RSxzOUIjY249TVB9d1U/MGlhKw== dot1x
!
!
mac-authentication enable
interface ethernet 1/1/9
 mac-authentication enable
 mac-authentication enable-dynamic-vlan
!
interface ethernet 1/1/10
 mac-authentication enable
 mac-authentication enable-dynamic-vlan
!
interface ethernet 1/1/11
 mac-authentication enable
 mac-authentication enable-dynamic-vlan
 inline power
!
interface ethernet 1/1/12
 mac-authentication enable
 mac-authentication enable-dynamic-vlan
 inline power
!
interface ethernet 1/1/13
 dual-mode
 inline power
!
interface ethernet 1/1/14
 dual-mode
 inline power
!
interface ethernet 1/1/15
 dual-mode
!
interface ethernet 1/1/16
 dual-mode
!
interface ethernet 1/1/17
 dual-mode
!
interface ethernet 1/1/18
 dual-mode
!
interface ethernet 1/1/19
 dual-mode
!
interface ethernet 1/1/20
 dual-mode
!
interface ethernet 1/1/21
 dual-mode
!
interface ethernet 1/1/22
 dual-mode
!
interface ethernet 1/1/23
 dual-mode
!
interface ethernet 1/1/24
 dual-mode
!
!
!
!
!
!
!
!
end

-gns
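
A small audit of an ICX running-config for the two mistakes the thread ended up fixing: MAB ports without `mac-authentication enable-dynamic-vlan`, and dot1x left configured alongside MAB. This is an added example, not Brocade tooling; it matches only the literal lines named in the summary above, and the two config snippets are constructed to mirror the before and after configs posted in the thread.

```python
"""Flag the two config problems this thread identified on a MAB port."""
import re

# Constructed excerpt modelled on the thread's first (non-working) config.
BEFORE = """\
dot1x-enable
 enable ethe 1/1/9 to 1/1/12
!
mac-authentication enable
interface ethernet 1/1/9
 dot1x port-control auto
 dual-mode
 mac-authentication enable
!
interface ethernet 1/1/13
 dual-mode
!
"""

# Constructed excerpt modelled on the working config at the end of the thread.
AFTER = """\
mac-authentication enable
interface ethernet 1/1/9
 mac-authentication enable
 mac-authentication enable-dynamic-vlan
!
"""


def interface_blocks(config):
    """Yield (port, [stripped lines]) for each 'interface ethernet' block,
    using the '!' terminator the running-config puts after every block."""
    port, body = None, []
    for line in config.splitlines():
        if line.startswith("interface ethernet "):
            port, body = line.split(" ", 2)[2], []
        elif line.strip() == "!" and port is not None:
            yield port, body
            port, body = None, []
        elif port is not None:
            body.append(line.strip())
    if port is not None:  # unterminated trailing block
        yield port, body


def audit(config):
    """Return (scope, problem) findings for the two issues the thread hit."""
    findings = []
    if re.search(r"^dot1x-enable\s*$", config, re.M):
        findings.append(("global", "dot1x-enable still configured"))
    for port, body in interface_blocks(config):
        if "mac-authentication enable" not in body:
            continue  # not a MAB port; nothing to check
        if "mac-authentication enable-dynamic-vlan" not in body:
            findings.append((port, "missing mac-authentication enable-dynamic-vlan"))
        if any(l.startswith("dot1x port-control") for l in body):
            findings.append((port, "dot1x port-control left on a MAB port"))
    return findings
```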
