Hi Giacinto, thank you very much for your answer.
Sorry that I didn't answer a little bit earlier, but I needed a little break from this daemon. I've tried your configuration, but sadly the switch configuration is nearly the same as mine. There are two things the switch doesn't do. First, when I use a VLAN tag higher than 99 the switch throws an error that this TunnelGroupID is higher than 4. I think this is the .0 in the end. And even when I use an ID like 5, for example, he's just setting an egress entry without the proper VLAN onto the port. Did you ever get these errors?

Thank you very much
Sebastian

-----Original Message-----
From: Giacinto Caretto <[email protected]>
Sent: Thursday, 31 October 2019 17:07
To: [email protected]
Cc: Birner, Sebastian (StBA Amberg-Sulzbach) <[email protected]>
Subject: Re: Packetfence Enterasys

Hello Sebastian,
I try to give you some answers:

- for this B5 in packetfence/switch, I chose "ExtremeNet Summit series"; this is in switches.conf:

****************************************
[192.168.175.16]
guestVlan=13
defaultVlan=100
description=B5 TEST
isolationVlan=10
radiusSecret=xxxxxxxxx
registrationVlan=150
...
....
....
always_trigger=1
SNMPCommunityWrite=yourcommunity
SNMPVersionTrap=2c
SNMPUserNameTrap= yourcommunity
SNMPEngineID=800015f80320b39966d51e
type=Extreme::Summit
deauthMethod=SNMP
SNMPVersion=2c
voiceVlan=12
****************************************

- make sure the B5 configuration has:
  - an SNMP community able to write (the default is read only); in the B5 conf you have a line like this: "set snmp access yourcommunity security-model v2c exact read All write All notify All nonvolatile"
  - "set policy maptable response tunnel". When the maptable response is set to tunnel mode ('set policy maptable response tunnel'), the system will use the vlan-tunnel attributes in the RADIUS reply to apply a VLAN to the authenticating user and will ignore any Filter-ID attributes in the RADIUS reply
- make sure that the users defined for login on the switch contain the sub command "local-only yes", otherwise the admin user is authenticated on the RADIUS and not locally and is therefore no longer able to enter the switch: "set system login admin super-user enable password :xxxx: local-only yes"

Below is an example of the configuration of the B5 (only the sections concerning NAC); authenticated ports ge.1.1-44, uplink port ge.1.45:

**********************************************************
set system login admin super-user enable password :xxxxxxx: local-only yes
set system login myuser super-user enable password :xxxxx: local-only yes
!
#vlan
set vlan create 11
set vlan create 12
set vlan create 13
set vlan create 20
set vlan create 100
set vlan create 150
set vlan name 11 "REGISTRATION"
set vlan name 12 "ENEATEL"
set vlan name 13 "GUEST"
set vlan name 20 "MNG"
set vlan name 100 "LAN"
set vlan name 150 "TEST_VXLAN"
clear vlan egress 1 ge.1.1-2
set vlan egress 11 ge.1.45 tagged
set vlan egress 11 ge.1.1-44 untagged
set vlan egress 12 ge.1.45 tagged
set vlan egress 13 ge.1.45 tagged
set vlan egress 20 ge.1.45 tagged
set vlan egress 100 ge.1.45 tagged
set vlan egress 150 ge.1.45 tagged
!
#dhcpsnooping
set dhcpsnooping enable
set dhcpsnooping trust port ge.1.45 enable
!
#eapol
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.45
!
#macauthentication
set macauthentication enable
set macauthentication auth-mode radius-username
set macauthentication port enable ge.1.1-44
set macauthentication reauthentication enable ge.1.1-44
#multiauth
set multiauth port mode auth-reqd ge.1.1-44
set multiauth port mode force-auth ge.1.45
set multiauth port numusers 4 ge.1.1-44
set multiauth precedence dot1x mac pwa cep
!
#policy
set policy maptable response tunnel
!
#port
set port vlan ge.1.1-44 11
!
#radius
set radius enable
set radius attribute mgmt password mschapv2
set radius accounting enable
set radius accounting server XXX.XXX.XXX.XXX 1813 :MYSECRET:
set radius server 1 XXX.XXX.XXX.XXX 1812 :MYSECRET: realm any
#snmp
set snmp access ro security-model v1 exact read All notify All nonvolatile
set snmp access ro security-model v2c exact read All notify All nonvolatile
set snmp access yourcommunity security-model v1 exact read All write All notify All nonvolatile
set snmp access yourcommunity security-model v2c exact read All write All notify All nonvolatile
set snmp access yourcommunity security-model usm exact read All write All notify All nonvolatile
set snmp community :xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
set snmp group ro user ro security-model v1
set snmp group yourcommunity user yourcommunity security-model v1
set snmp group ro user ro security-model v2c
set snmp group yourcommunity user yourcommunity security-model v2c
set snmp group yourcommunity user yourcommunity security-model usm
set snmp user yourcommunity authentication sha :xxxxxxxxxxxxxx: encryption aes privacy :xxxxxxxxxxxxxxxxxxxxxxxxxxx:
set snmp view viewname All subtree 1
!
#vlanauthorization
set vlanauthorization enable
***********************************************************

NB: next time reply to [email protected], otherwise there is only a ping-pong between you and me.

ciao
Giacinto

*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
*/ Giacinto Caretto */
*/ DTE-ICT-RETE */
*/ [email protected] */
*/ ENEATEL 91 206 */
*/ Office 0831201 206-234 */
*/ FAX 0831201 207 */
*/ ENEA - CR Brindisi */
*/ ITALY */
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/

-----Original Message-----
From: Birner, Sebastian (StBA Amberg-Sulzbach) [mailto:[email protected]]
Sent: Thursday, 31 October 2019 12:12
To: Giacinto Caretto
Subject: Re: Packetfence Enterasys

Hello Giacinto,
thank you very much for your e-mail. Sadly you're right, there isn't a proper amount of useful information on the internet. I managed to get this little annoying thing auditing a node to PacketFence, and PacketFence seems to return via SNMP in the right way, but the switch isn't changing the VLAN. All other ways like "set dot1x" and SNMP traps didn't lead to an auditing or at least an error, except "set macauthentication". Just to clarify this: you used an ExtremeSummit type in packetfence/switches.conf? Because I'm using the Enterasys D2. The ExtremeSummit switches are working so well, but I have to say this B5 is more like working against everything. Could you maybe show me your switch configuration, please?

Have a nice day
Sebastian

-----Original Message-----
From: Giacinto Caretto <[email protected]>
Sent: Thursday, 31 October 2019 11:43
To: [email protected]
Cc: Birner, Sebastian (StBA Amberg-Sulzbach) <[email protected]>
Subject: Re: Packetfence Enterasys

Hello Sebastian,
right in this period I'm trying to integrate the Enterasys B5 switches in my configuration, to try to implement the NAC in some of our sites where these devices are present.
In the manuals and forums on the pairing Enterasys B5 and PacketFence there is very little, or I was not able to find the right sources.

In my case these are switches at least 10 years old; I think of the period in which Enterasys was acquired by Extreme Networks. The firmware, version 06.81.10.0001, has in fact an old-style command structure, with commands like "set port ...".

In the "network device configuration guide" I read that on the old Enterasys switches you can only implement:
- linkUp / linkDown
- MAC Locking (Port Security with static MACs)
while on the new Extreme Networks switches you could also implement:
- Netlogin - MAC Authentication
- Netlogin - 802.1X

My goal is to try to implement also on these old Enterasys switches the functions of:
- Netlogin - MAC Authentication
- Netlogin - 802.1X

The configuration I am currently testing uses a hybrid mode between the Enterasys approach, essentially based on the use of SNMP, and the Extreme Networks approach, based on RADIUS.
In the switch configuration I used:
- Type: ExtremeNet Summit series
- Deauthentication Method: SNMP
In practice I use the RADIUS service for authentication and accounting (switch -->> packetfence), while for deauthentication and the CoA (Change of Authorization) I use SNMP (packetfence -->> switch).

The first tests are positive: even on these old devices I can implement "MAC Authentication" and "802.1X".

Next goals:
- stress the system to understand any limits
- enter VoIP phones

I hope you can see some light outside the tunnel now ;-)

ciao
Giacinto

*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
*/ Giacinto Caretto */
*/ DTE-ICT-RETE */
*/ [email protected] */
*/ ENEATEL 91 206 */
*/ Office 0831201 206-234 */
*/ FAX 0831201 207 */
*/ ENEA - CR Brindisi */
*/ ITALY */
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
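The "vlan-tunnel attributes" that "set policy maptable response tunnel" makes the switch read from the RADIUS reply are the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The following is an added example, not code from this thread, PacketFence or Enterasys, that builds and parses those attributes in Python and shows that a Filter-ID in the same reply plays no part in the VLAN decision; the attribute numbers and the VLAN/IEEE-802 values come from RFC 2868 and RFC 3580, the function names are assumed here.

```python
"""Added example (not from the thread, PacketFence or Enterasys): build and parse the
RFC 2868 tunnel attributes a RADIUS Access-Accept uses to assign a VLAN. With
"set policy maptable response tunnel" the switch reads these and ignores Filter-ID."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, FILTER_ID = 64, 65, 81, 11
TUNNEL_TYPE_VLAN = 13       # RFC 3580 value for Tunnel-Type
TUNNEL_MEDIUM_IEEE802 = 6   # RFC 3580 value for Tunnel-Medium-Type

def _avp(code, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("AVP value too long")
    return struct.pack("!BB", code, len(value) + 2) + value

def encode_vlan_assignment(vlan_id, tag=0):
    """Three tunnel AVPs for `vlan_id`. Each starts with a tag byte (0 = untagged);
    Tunnel-Type and Tunnel-Medium-Type then carry a 3-byte integer,
    Tunnel-Private-Group-ID the VLAN id as a printable string."""
    if not 1 <= vlan_id <= 4094 or not 0 <= tag <= 0x1F:
        raise ValueError("VLAN id must be 1..4094 and tag 0..31")
    t = bytes([tag])
    return (_avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))

def decode_avps(data):
    """Split concatenated AVPs into (code, value) pairs; reject bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed AVP at offset %d" % pos)
        out.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return out

def _untag(value):
    """RFC 2868: a leading byte above 0x1F is data, not a tag."""
    return value[1:] if value and value[0] <= 0x1F else value

def vlan_from_reply(data):
    """VLAN id carried by a reply's tunnel attributes, or None if absent or not a VLAN."""
    avps = dict(decode_avps(data))      # Filter-ID (11) is simply never consulted
    tt, tm, gid = (avps.get(c) for c in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if not (tt and tm and gid):
        return None
    if (int.from_bytes(_untag(tt), "big"), int.from_bytes(_untag(tm), "big")) != (
            TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802):
        return None
    return int(_untag(gid).decode("ascii"))
```

A reply carrying only a Filter-ID yields None, which is the situation the tunnel-mode maptable setting is meant to avoid; a Tunnel-Private-Group-ID sent without a tag byte is still read correctly because its first character is above 0x1F.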
