Regular Visitor
Posts: 1
Registered: 05-20-2015

DOT1x using Steel Belted Radius server

Hello Community! Brand new here to the Brocade product. I have a pilot site getting deployed and I am having some difficulty with DOT1x.

I did a quick search and did not find anything related to my error.


I receive the following in the logs:

Port 1/1/2 Mac <xxxx.xxxx.xxxx> - 802.1x authentication failed for MAC <xxxx.xxxx.xxxx> because of invalid VLAN-ID


Normally the error seems really obvious. It is the RADIUS AV pairs that are incorrect.


Below are the AV pairs getting sent down.

Tunnel-Type = 13

Tunnel-Medium-Type = 6

Tunnel-Private-Group-ID = x (I have tried U:USERS, U:2600, 2600, and USERS, and I receive the same error)


I also have the following AV pairs:

Foundry-802.1x-Valid-Lookup = 1 (tried 0 also)

Foundry-MAC-Authent-Needs-8021x = 1 (tried 0 also)


I am unsure if I need the last two AV pairs. The documentation I have read through research suggests that I do, but different examples do not show those AV pairs used, so I am confused.


Below is a snippet of the config:

!
aaa authentication enable default local
aaa authentication dot1x default radius
aaa authentication login default local enable
aaa authorization exec default radius none
aaa accounting exec default start-stop radius
aaa accounting dot1x default start-stop radius
!
authentication
auth-default-vlan 1000
restricted-vlan 3699
auth-fail-action restricted-vlan
pass-through lldp
dot1x enable
dot1x enable ethe 1/1/2
dot1x timeout tx-period 10
dot1x timeout supplicant 15
mac-authentication enable
mac-authentication password-format xxxx.xxxx.xxxx
mac-authentication dot1x-override
!
radius-server host e.f.g.h auth-port 1645 acct-port 1646 default key 2 <omitted> !(authentication to the node)
radius-server host a.b.c.d auth-port 1812 acct-port 1813 default key 2 <omitted> dot1x
radius-server retransmit 5
radius-server timeout 10
radius-server dead-time 5
!
interface ethernet 1/1/2
dot1x port-control auto
port-name *** TEST DOT1X ***
use-radius-server <omitted> (not sure if this is needed since the dot1x radius server is defined globally)
stp-bpdu-guard
!


Please advise if I am missing configs or have too much!

Regular Visitor
Posts: 1
Registered: 12-23-2010

Re: DOT1x using Steel Belted Radius server

Looks like you're using the newer 8020+ code that introduces Flex auth? We found that if you are using DHCP snooping it will not work with dynamic VLAN assignment and throws the exact error you are seeing in this code. Otherwise, try adding the first two listed below to your SBR. If you can (platform dependent), I would drop down to the 8010c version and let the new Flex auth code mature; plus there are no issues with using snooping. Here are the return attributes used when using MAC then dot1x order:

Service-Type=2
Framed-Protocol=1
Tunnel-Type=13
Tunnel-Medium-Type=6
Tunnel-Private-Group-ID=U:200
Foundry-MAC-Authent-Needs-8021x=0
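Added example (Python, not from this thread, Brocade or SBR): it encodes the RFC 2868 tunnel attributes listed above as RADIUS AVPs, decodes them back, and reports the mismatches (missing attribute, differing tag bytes, wrong Tunnel-Type or Tunnel-Medium-Type, out-of-range VLAN ID) that leave a switch unable to map an Access-Accept to a VLAN. The "U:"/"T:" prefix handling is an assumption taken from the U:200 convention quoted in this thread.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP = 64, 65, 81   # RFC 2868 attribute numbers
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP)
VLAN, IEEE_802 = 13, 6                                  # Tunnel-Type=VLAN, Medium-Type=802

def avp(attr: int, value: bytes) -> bytes:
    """One RADIUS attribute-value pair: Type, Length (header included), Value."""
    return struct.pack("!BB", attr, 2 + len(value)) + value

def encode_vlan_reply(group_id: str, tag: int = 0) -> bytes:
    """Access-Accept attributes that assign a VLAN. The leading tag byte
    (0 = unused, 1-31 = grouping) must be identical on all three attributes."""
    tunnel_int = lambda v: bytes([tag]) + v.to_bytes(3, "big")
    return (avp(TUNNEL_TYPE, tunnel_int(VLAN))
            + avp(TUNNEL_MEDIUM, tunnel_int(IEEE_802))
            + avp(TUNNEL_GROUP, bytes([tag]) + group_id.encode()))

def parse_avps(data: bytes) -> dict:
    """Decode a run of AVPs into {attr: (tag, value)} for the tunnel attributes.
    Per RFC 2868 a first byte above 0x1F is data, not a tag."""
    out, i = {}, 0
    while i < len(data):
        attr, length = data[i], data[i + 1]
        body = data[i + 2:i + length]
        tag, value = (body[0], body[1:]) if body and body[0] <= 0x1F else (0, body)
        if attr == TUNNEL_GROUP:
            out[attr] = (tag, value.decode())
        elif attr in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            out[attr] = (tag, int.from_bytes(value, "big"))
        i += length
    return out

def check_vlan_reply(attrs: dict) -> list:
    """Return the problems found; an empty list means the reply maps to a VLAN.
    The 'U:'/'T:' (untagged/tagged) prefix is assumed from the thread's U:200."""
    problems = [f"attribute {a} missing" for a in TUNNEL_ATTRS if a not in attrs]
    if problems:
        return problems
    if len({attrs[a][0] for a in TUNNEL_ATTRS}) != 1:
        problems.append("tunnel attributes carry different tags")
    if attrs[TUNNEL_TYPE][1] != VLAN:
        problems.append(f"Tunnel-Type {attrs[TUNNEL_TYPE][1]} != 13 (VLAN)")
    if attrs[TUNNEL_MEDIUM][1] != IEEE_802:
        problems.append(f"Tunnel-Medium-Type {attrs[TUNNEL_MEDIUM][1]} != 6 (802)")
    gid = attrs[TUNNEL_GROUP][1]
    vlan = gid[2:] if gid[:2] in ("U:", "T:") else gid
    if vlan.isdigit() and not 1 <= int(vlan) <= 4094:
        problems.append(f"VLAN id {vlan} out of range 1-4094")
    return problems
```

Run `check_vlan_reply(parse_avps(encode_vlan_reply("U:200")))` against a captured reply's bytes to see which of the three attributes the server is actually getting wrong.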
