ALCATEL - 802.1x Troubleshoot
Platforms :
- OmniSwitch AOS Release 8 Network Configuration Guide December 2019
- OmniSwitch OS6860/OS6900/OS10K Troubleshooting Guide
802.1x debug :
show unp user authentication-type 802.1x
show unp user detail
show unp
Platforms Supported : OmniSwitch 6900
Displays the Universal Network Profile (UNP) configuration for the switch :
show unp [unp_name]
- unp_name
- The name of the UNP.
By default, the configuration for all UNPs is displayed.
Enter a UNP name with this command to display information for a specific UNP.
Examples:
-> show unp
Name                             Vlan Policy List Name
--------------------------------+----+-------------------------------
Sales                            100  list1
Finance                          1000 list2

-> show unp Finance
Name                             Vlan Policy List Name
--------------------------------+----+-------------------------------
Finance                          1000 list2
show unp user
Displays the MAC addresses learned on a UNP port and the UNP that was used for classification.
show unp user [[user_name] | [slot/port[-port2]]] [count]
- user_name
- The name of a specific device (for example, the device MAC address).
- slot/port[-port2]
- The slot and port number (3/1). Use a hyphen to specify a range of ports (3/1-8).
- count
- Displays the number of UNP users.
By default, information is displayed for all learned devices.
Examples
-> show unp user
Total users: 3
 User                                                               Auth
Port  Username          Mac address       IP        Vlan UNP     Status
----+-----------------+-----------------+---------+----+-------+-------
1/1   00:00:00:00:00:01 00:00:00:00:00:01 10.0.0.1  10   Sales   Active
1/1   00:80:df:00:00:02 00:80:df:00:00:02 10.0.0.2  20   Finance Active
1/2   00:80:df:00:00:03 00:80:df:00:00:03 20.0.0.5  30   -       Block

-> show unp user 00:00:00:00:00:01
Port                   : 01/20,
Mac-address            : 00:00:00:00:00:01,
IP                     : 14.15.16.17,
Vlan                   : 300,
User Network Profile   : unp3,
Login Timestamp        : 04/01/1970 18:45:26,
Authentication Type    : Mac authentication,
Authentication Status  : Authenticated,
Classification Source  : RADIUS - Server UNP

-> show unp user 1/1-5
Total users: 3
 User                                                               Auth
Port  Username          Mac address       IP        Vlan UNP     Status
----+-----------------+-----------------+---------+----+-------+-----
1/1   00:00:00:00:00:01 00:00:00:00:00:01 10.0.0.1  10   Sales   Active
1/1   00:80:df:00:00:02 00:80:df:00:00:02 10.0.0.2  20   Finance Active
1/2   00:80:df:00:00:03 00:80:df:00:00:03 20.0.0.5  30   -       Block

-> show unp user 1/1-5 count
Total users: 3

-> show unp user count
Total users: 3
Verifying the UNP Port Configuration
Use the show unp port config command to display the UNP port configuration. For example:
-> show unp port 1/1/10 config
Port 1/1/10
  Port-Type                      = BRIDGE,
  Redirect Port Bounce           = Disabled,
  802.1x authentication          = Enabled,
  802.1x Pass Alternate Profile  = -,
  802.1x Bypass                  = Disabled,
  802.1x failure-policy          = default,
  Mac-auth allow-eap             = -,
  Mac authentication             = Enabled,
  Mac Pass Alternate Profile     = -,
  Classification                 = Enabled,
  Trust-tag                      = Enabled,
  Default Profile                = -,
  Port Domain Num                = 0,
  AAA Profile                    = -,
  Port Template                  = bridgeDefaultPortTemplate,
  Port Control Direction         = Both,
  Egress Flooding                = Not Allowed,
  Admin State                    = Enabled,
  Dynamic Service                = -,
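Added example, not taken from the OmniSwitch guides: a small Python checker that parses captured "show unp user" and "show unp port ... config" output in the layouts shown above, and flags learned devices that are not Active or have no UNP, plus port settings that differ from the 802.1x-enabled baseline in the example output. The captures are constructed, and the baseline values are an assumption derived from that example output, not a vendor policy.

```python
import re

# Constructed capture in the "show unp user" layout shown above (values made up).
SHOW_UNP_USER = """\
Total users: 3
 User                                                               Auth
Port  Username          Mac address       IP        Vlan UNP     Status
----+-----------------+-----------------+---------+----+-------+-------
1/1   00:00:00:00:00:01 00:00:00:00:00:01 10.0.0.1  10   Sales   Active
1/1   00:80:df:00:00:02 00:80:df:00:00:02 10.0.0.2  20   Finance Active
1/2   00:80:df:00:00:03 00:80:df:00:00:03 20.0.0.5  30   -       Block
"""

# Constructed capture in the "show unp port <port> config" layout, with 802.1x Bypass changed.
SHOW_UNP_PORT_CONFIG = """\
Port 1/1/10
  Port-Type                = BRIDGE,
  802.1x authentication    = Enabled,
  802.1x Bypass            = Enabled,
  Mac authentication       = Enabled,
"""

# Assumed baseline for an 802.1x-authenticating port, taken from the example output above.
BASELINE = {"802.1x authentication": "Enabled", "802.1x Bypass": "Disabled",
            "Mac authentication": "Enabled"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
FIELDS = ("port", "username", "mac", "ip", "vlan", "unp", "status")

def parse_unp_users(text):
    """One dict per learned device; header and ruler lines never have 7 fields with a MAC third."""
    rows = (ln.split() for ln in text.splitlines())
    return [dict(zip(FIELDS, f)) for f in rows if len(f) == 7 and MAC_RE.match(f[2])]

def parse_port_config(text):
    """Flatten 'Key = Value,' lines into a dict, dropping the trailing comma."""
    cfg = {}
    for ln in text.splitlines():
        if "=" in ln:
            key, val = ln.split("=", 1)
            cfg[key.strip()] = val.strip().rstrip(",")
    return cfg

def find_problems(users, cfg):
    """Devices that are blocked or unclassified, then port settings that deviate from BASELINE."""
    issues = [f"{u['port']} {u['mac']}: status={u['status']} unp={u['unp']}"
              for u in users if u["status"] != "Active" or u["unp"] == "-"]
    issues += [f"port setting {k} = {cfg.get(k, '<missing>')}, expected {v}"
               for k, v in BASELINE.items() if cfg.get(k) != v]
    return issues
```

Feed it the output of the two show commands captured from a real session; an empty list from find_problems means every learned device is Active with a profile and the port matches the baseline.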
How It Works
Dynamic SA Mode - MACsec with Dynamic SAK using MACsec Key Agreement (MKA) Protocol.
The MKA, as described in IEEE 802.1X-2010, is an extension to 802.1X, which provides the required session keys and manages the required encryption keys used by the underlying MACsec protocol. The MKA protocol allows peer discovery with confirmation of mutual authentication and sharing of MACsec secret keys to protect data exchanged by the peers.
There are two modes of provisioning connectivity association keys (CAK/CKN) between two MACsec endpoints. OmniSwitch supports the following:
- Dynamic SAK using Pre-Shared Key (PSK)
  - MACsec using Static Connectivity Association Key (static-CAK) using PSK
- Dynamic SAK using Extensible Authentication Protocol (EAP)
  - MACsec using Dynamic Connectivity Association Key (dynamic-CAK) using EAP
Dynamic SAK using EAP
This mode is applicable for securing the link between a host and a switch endpoint. IEEE 802.1X-2010 defines the way that MACsec can be used in conjunction with authentication to provide secure port-based access control.
IEEE 802.1X authenticates the endpoint and transmits the necessary cryptographic keying material to both sides. Using the master keys derived from the IEEE 802.1X authentication, MACsec can establish an encrypted link on the LAN, thereby helping ensure the security of the authenticated session. The following are configuration guidelines when MACsec is set to dynamic SA mode using a RADIUS server:
- When configuring MACsec on a switch-to-host link, the MKA session establishment between the switch and the host is initiated once the 802.1x authentication is successful on the port. The 802.1x authentication method must be either the EAP-TLS or the PEAP authentication framework.
- The MKA keys are received from the RADIUS server. A successful 802.1x authentication results in MKA keys (MSK and Session-Id), which are passed from the RADIUS server to the switch and from the RADIUS server to the host in independent authentication transactions. The master key is then passed between the switch and the host to create a MACsec-secured connection. The CAK and CKN are derived from the MSK and the EAP session ID.
- The CAK and CKN need to be derived both at the host and the switch, hence 802.1x authentication using EAP-TLS must be used as the mutual authentication protocol for MACsec dynamic mode. After deriving the CAK/CKN, the switch acts as the key server. It generates a random SAK, which is sent to the client. The client is never a key server and can only interact with a single MKA entity, the key server. After key derivation and generation, the switch sends periodic transports to the client at a default interval of two seconds.
Statically Assigning Service Profiles for Silent Devices
When a MAC address is learned on a UNP port and classified into a service profile, a SAP is dynamically created based on the parameter values of the service profile. Once the MAC address associated with the dynamic SAP ages out, the SAP ages out as well. This poses a problem for silent devices connected to UNP access ports; when the device goes idle and the dynamic SAP ages out, the silent device no longer receives broadcast or multicast packets to wake the device.
To accommodate silent devices, assign a service profile to the UNP port. When the profile is assigned to the UNP port, a SAP is dynamically created based on the service parameter values defined for the profile. This action is automatically triggered even if a MAC address has not been learned on the port.
The SAP that is created when a service profile is assigned to a UNP port is a persistent SAP that will not age out when any MAC addresses learned on the SAP age out; the SAP continues to receive broadcast and multicast packets for the silent device even if there are no MAC addresses learned on the SAP.
Consider the following guidelines when statically assigning a service profile for silent devices:
- Make sure the specified UNP profile name already exists in the switch configuration and is mapped to an SPB, VXLAN, L2 GRE, or static service.
- Profiles mapped to SPB, VXLAN, or static services are configured as static profiles on UNP access ports.
- Profiles mapped to an L2 GRE service are configured as static profiles on UNP bridge ports.
- More than one SPB or VXLAN service profile can be statically assigned to the same UNP access port, but mixing service types on the same port is not supported. For example, configure only SPB service profiles or only VXLAN service profiles for the same access port.
- There can only be one L2 GRE service profile statically assigned to a UNP bridge port.
To assign a service profile to a UNP port, use the unp port profile command. For example, the following commands configure and assign service profile “static-spb1” to UNP access port 1/4/31:
-> unp profile static-spb1
-> unp profile static-spb1 map service spb tag-value 10 isid 1500 bvlan 500
-> unp port 1/4/31 port-type access
-> unp port 1/4/31 profile static-spb1
UNP service profile “static-spb1” is mapped to SPB service parameters. When this profile is assigned to UNP access port 1/4/31, a dynamic SPB SAP is automatically created to process traffic on that port. The 1/4/31 port SAP never ages out and is only taken down when the profile assignment is removed from the port.
To remove a profile assignment from a UNP port, use the no form of the unp port profile command. For example:
-> no unp port 1/4/31 profile static-spb1
Use the show unp port profile command to verify the UNP static profile configuration. For example:
-> show unp port profile
Port    Profile
-------+----------------
1/4/31  static-spb1
To verify that a dynamic service and SAP was created automatically when a service profile is assigned to a UNP port, use the show service and show service ports commands. For example:
-> show service
Legend: * denotes a dynamic object
All Service Info
                                 Svc    SAP    Bind
ServiceId  Type Adm  Oper Stats  Count  Count  Description
----------+-----+----+----+-----+------+------+---------------------------------
32768*     SPB  Up   Down N      1      0      Dynamic Service isid=1500 for UNP

-> show service 32768 ports
Legend: (*) dyn unicast object (+) remote mcast object (#) local mcast object
SPB Service 32768 (Dynamic Service isid=1500 for UNP)
Admin : Up, Oper : Down, Stats : N, Mtu : 9194, VlanXlation : N,
ISID : 1500, BVlan: 500, MCast-Mode: Headend, Tx/Rx : 0/0, RemoveIngTag: N
Sap                                  Trusted:Priority/     Sap      Description /
Identifier       Adm  Oper Stats Sdp SystemId:BVlan        Intf     Sdp SystemName
---------------+----+----+-----+--------------------+-------+-------------------
sap:1/4/31:10*   Up   Down N     Y:x                  1/4/31   Dynamic SAP for UNP
For more information about the commands described in this section, see the “Access Guardian Commands” chapter and the “Service Manager Commands” chapter in the OmniSwitch AOS Release 8 CLI Reference Guide.
Statically Assigning VLANs for Silent Devices
When a MAC address is learned on a UNP bridge port and classified into a VLAN profile, a VLAN-port association is dynamically created between the port and the VLAN mapped to the profile. The UNP port becomes a member of that VLAN. However, when the MAC address ages out, the VLAN-port association also ages out and the UNP port is no longer a member of that VLAN. This is problematic for silent devices as they will no longer receive broadcast packets forwarded on the VLAN to wake the device.
To accommodate silent devices, statically assign a VLAN to the UNP bridge port. Doing so will automatically create a VLAN-port association between the port and VLAN that will not age out even if there are no MAC addresses learned on the port; the UNP bridge port continues to receive broadcast packets for any silent device that is connected to the port.
Consider the following guidelines when configuring a static VLAN for a UNP bridge port:
- Static VLANs are only configurable on UNP bridge ports (UNP access ports are not supported).
- Statically assigning a VLAN as an untagged or tagged VLAN for the UNP port is supported.
- When a VLAN is assigned to a UNP bridge port, the port goes into a forwarding state for egress traffic associated with the VLANs assigned to the port. This automatically occurs even when there is no MAC address learned on the UNP port in the assigned VLANs and regardless of the direction value (in or both) set for the port.
To configure an untagged or tagged VLAN assignment for a UNP bridge port, use the unp vlan command. For example, the following command assigns VLAN 100 as an untagged static VLAN assignment for UNP port 1/4/45:
-> unp port 1/4/45 vlan 100
To specify a tagged VLAN assignment, use the tagged parameter with the unp vlan command. For example:
-> unp port 1/4/45 vlan 100 tagged
Configuring a UNP port or link aggregate with an untagged and tagged VLAN-port association is allowed as long as the untagged and tagged VLANs are different. For example, the following commands configure an untagged and tagged VLAN assignment for the same UNP bridge port:
-> unp port 1/4/45 vlan 100
-> unp port 1/4/45 vlan 200 tagged