Hello Sebastian,

I try to give you some answers:
- for this B5 in packetfence/switch, I chose: "ExtremeNet Summit series"
this in switches.conf ...
****************************************
[192.168.175.16]
guestVlan=13
defaultVlan=100
description=B5 TEST
isolationVlan=10
radiusSecret=xxxxxxxxx
registrationVlan=150
...
....
....
always_trigger=1
SNMPCommunityWrite=yourcommunity
SNMPVersionTrap=2c
SNMPUserNameTrap=yourcommunity
SNMPEngineID=800015f80320b39966d51e
type=Extreme::Summit
deauthMethod=SNMP
SNMPVersion=2c
voiceVlan=12
****************************************

- make sure the B5 configuration has:

        - SNMP community able to write (default is read only); in the B5 conf you
have a line like this: "set snmp access yourcommunity security-model v2c exact
read All write All notify All nonvolatile"

        - "set policy maptable response tunnel"
When the maptable response is set to tunnel mode ('set policy maptable response
tunnel'), the system will use the vlan-tunnel attributes in the RADIUS reply to
apply a VLAN to the authenticating user and will ignore any Filter-ID
attributes in the RADIUS reply.

        - make sure that the users defined for login on the switch contain the
sub-command "local-only yes", otherwise the admin user is authenticated on the
RADIUS and not locally and is therefore no longer able to enter the switch:
"set system login admin super-user enable password :xxxx: local-only yes"





Below an example of the B5 configuration (only the sections concerning NAC):
authenticated ports ge.1.1-44
uplink port ge.1.45

**********************************************************************
set system login admin super-user enable  password :xxxxxxx: local-only yes 
set system login myuser super-user enable  password :xxxxx: local-only yes 
!
 
#vlan
set vlan create 11
set vlan create 12
set vlan create 13
set vlan create 20
set vlan create 100
set vlan create 150
set vlan name 11 "REGISTRATION"
set vlan name 12 "ENEATEL"
set vlan name 13 "GUEST"
set vlan name 20 "MNG"
set vlan name 100 "LAN"
set vlan name 150 "TEST_VXLAN"
clear vlan egress 1 ge.1.1-2
set vlan egress 11 ge.1.45 tagged
set vlan egress 11 ge.1.1-44 untagged
set vlan egress 12 ge.1.45 tagged
set vlan egress 13 ge.1.45 tagged
set vlan egress 20 ge.1.45 tagged
set vlan egress 100 ge.1.45 tagged
set vlan egress 150 ge.1.45 tagged
!
 
#dhcpsnooping
set dhcpsnooping enable
set dhcpsnooping trust port ge.1.45 enable
!

#eapol
set dot1x enable 
set eapol enable
set eapol auth-mode forced-auth ge.1.45
!
 
#macauthentication
set macauthentication enable
set macauthentication auth-mode radius-username
set macauthentication port  enable ge.1.1-44
set macauthentication reauthentication  enable ge.1.1-44

#multiauth
set multiauth port mode auth-reqd ge.1.1-44
set multiauth port mode force-auth ge.1.45
set multiauth port numusers 4 ge.1.1-44

set multiauth precedence dot1x mac pwa cep 
!
 
 
#policy
 
set policy maptable response tunnel
!

#port
set port vlan ge.1.1-44 11 
!
 
#radius
set radius enable
set radius attribute mgmt password mschapv2
set radius accounting enable
set radius accounting server XXX.XXX.XXX.XXX 1813 :MYSECRET:
set radius server 1 XXX.XXX.XXX.XXX 1812 :MYSECRET: realm any
 
 
 
#snmp
set snmp access ro security-model v1 exact read All notify All nonvolatile
set snmp access ro security-model v2c exact read All notify All nonvolatile
set snmp access yourcommunity security-model v1 exact read All write All notify All nonvolatile
set snmp access yourcommunity security-model v2c exact read All write All notify All nonvolatile
set snmp access yourcommunity security-model usm exact read All write All notify All nonvolatile
set snmp community :xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
set snmp group ro user ro security-model v1
set snmp group yourcommunity user yourcommunity security-model v1
set snmp group ro user ro security-model v2c
set snmp group yourcommunity user yourcommunity security-model v2c
set snmp group yourcommunity user yourcommunity security-model usm
set snmp user yourcommunity authentication sha :xxxxxxxxxxxxxx: encryption aes privacy :xxxxxxxxxxxxxxxxxxxxxxxxxxx:
set snmp view viewname All subtree 1
!
 

#vlanauthorization
 
set vlanauthorization enable
 
***********************************************************


NB:
Next time reply to:
[email protected]
otherwise there is only a ping-pong between you and me

ciao 
Giacinto

*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
*/            Giacinto Caretto        */
*/              DTE-ICT-RETE          */
*/      [email protected]      */
*/             ENEATEL 91 206         *
*/          Uff. 0831201 206-234      */
*/            FAX. 0831201 207        */
*/           ENEA - CR Brindisi       */
*/                 ITALY              */
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
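The tunnel-mode behaviour described in the reply above, as an added example that is not part of this thread or of PacketFence: it encodes the RFC 2868 tunnel attributes a RADIUS server returns to assign a VLAN, and a parser that emulates how the B5 picks the VLAN under "set policy maptable response tunnel", ignoring any Filter-ID. Attribute numbers come from RFC 2865/2868; VLAN 150 and the Filter-ID text are constructed sample values.

```python
# Added example, not code from the mailing-list thread: RFC 2868 tunnel
# attributes as a RADIUS server such as PacketFence returns them, and a
# parser emulating the B5 under "set policy maptable response tunnel".
# VLAN 150 and the Filter-ID text used in tests are constructed sample values.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, FILTER_ID = 64, 65, 81, 11
VLAN, IEEE_802 = 13, 6  # Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802


def attr(code, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("BB", code, len(value) + 2) + value


def vlan_reply(vlan_id, tag=1):
    """The three attributes that assign vlan_id; each carries the same tag byte."""
    return (attr(TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def parse_attrs(data):
    """Split a raw attribute blob into (code, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        code, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        out.append((code, data[i + 2:i + length]))
        i += length
    return out


def tunnel_string(value):
    """Drop the tag byte of a tunnel string attribute when one is present (0x01-0x1F)."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_reply(data):
    """Tunnel mode: the VLAN comes from the tunnel attributes and every
    Filter-ID is ignored. Returns (vlan_id or None, list of ignored Filter-IDs)."""
    attrs = parse_attrs(data)
    by_code = dict(attrs)
    ttype = int.from_bytes(by_code.get(TUNNEL_TYPE, b"\0\0\0\0")[1:], "big")
    medium = int.from_bytes(by_code.get(TUNNEL_MEDIUM_TYPE, b"\0\0\0\0")[1:], "big")
    group = tunnel_string(by_code.get(TUNNEL_PRIVATE_GROUP_ID, b"")).decode(errors="replace")
    vlan = int(group) if ttype == VLAN and medium == IEEE_802 and group.isdigit() else None
    ignored = [v.decode(errors="replace") for c, v in attrs if c == FILTER_ID]
    return vlan, ignored
```

A reply carrying only a Filter-ID yields no VLAN in this mode, which is the symptom to check first when the switch accepts the user but never moves the port.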

-----Original message-----
From: Birner, Sebastian (StBA Amberg-Sulzbach)
[mailto:[email protected]]
Sent: Thursday 31 October 2019 12:12
To: Giacinto Caretto
Subject: AW: Packetfence Enterasys

Hello Giacinto,

thank you very much for your e-mail.

Sadly you're right, there isn't a proper amount of useful information on the
internet.

I managed to get this little annoying thing auditing a node to packetfence and
packetfence seems to return via SNMP in the right way, but the switch isn't
changing the VLAN.

All other ways like "set dot1x" and SNMP traps didn't lead to an auditing or
at least an error except "set macauthentication".

Just to clarify this: you used in packetfence/switches.conf an ExtremeSummit
type? Because I'm using the Enterasys D2.

The ExtremeSummit switches are working so well, but I have to say this B5 is
more like working against everything.

Could you maybe show me your switch configuration please?

Have a nice day

Sebastian

-----Original message-----
From: Giacinto Caretto <[email protected]>
Sent: Thursday, 31 October 2019 11:43
To: [email protected]
Cc: Birner, Sebastian (StBA Amberg-Sulzbach) <[email protected]>
Subject: R: Packetfence Enterasys

Hello Sebastian,
right in this period I'm trying to integrate the Enterasys B5 switches in my
configuration, to try to implement NAC in some of our sites where these
devices are present.

In the manuals and forums on the Enterasys B5 and PacketFence combination there is
very little, or I was not able to find the right sources.

In my case these are switches at least 10 years old, I think from the period in
which Enterasys was acquired by Extreme Networks.

The firmware, version 06.81.10.0001, has in fact an old-style command
structure, with commands like "set port ...".

In the "network device configuration guide" I read that on the old Enterasys
switches you can only implement:
- linkUp / linkDown
- MAC Locking (Port Security with static MACs)
while on the new Extreme Networks switches you could also implement:
- Netlogin - MAC Authentication
- Netlogin - 802.1X

My goal is to try to implement on these old Enterasys switches also the
functions:
- Netlogin - MAC Authentication
- Netlogin - 802.1X

The configuration I am currently testing uses a hybrid mode between the Enterasys
approach, essentially based on the use of SNMP, and the Extreme Networks approach,
based on RADIUS.

In the switch configuration I used:
- Type: ExtremeNet Summit series
- Deauthentication Method: SNMP

In practice I use the RADIUS service for authentication and accounting (switch
-->> packetfence), while for deauthentication and CoA (Change of
Authorization) I use SNMP (packetfence -->> switch).

The first tests are positive: even on these old devices I can implement "MAC
Authentication" and "802.1X".
Next goals:
- stress the system to understand any limits
- enter VoIP phones

I hope you can see some light outside the tunnel now ;-)
ciao
Giacinto


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users