Ethernet Switching

EX4200 - virtual routers seem to stop dot1x from working

08-31-2011 11:58 PM

We are using 11.1R2.3 on a chassis stack of EX4200 switches.

I've been working on getting dot1x implemented on the switches, in conjunction with a Microsoft NPS RADIUS server, so that we can do dynamic VLAN switching for users depending on whether or not they are a guest and, if they are staff, what sort of employee they are.

Here is the config I have for that piece:

protocols {
    dot1x {
        authenticator {
            authentication-profile-name prof1;
            interface {
                ge-2/0/19.0 {
                    supplicant single;
                    guest-vlan DMZ_vlan;
                }
            }
        }
    }
}

access {
    radius-server {
        193.63.211.21 secret "$9$LDMX7VgoJHkPWL-wsYGU0O1Ehr8LNwY4qmcyrlMWVwYgUifTzn6CQzt01hKv"; ## SECRET-DATA
    }
    profile prof1 {
        authentication-order radius;
        radius {
            authentication-server 193.63.211.21;
        }
    }
}

This was working reasonably well (I've got some issues on the client side but that is for MS to help me resolve) until I introduced virtual routers.

The virtual router configuration was introduced in order to stop traffic on the "department" VLANs from automatically being passed to the DMZ VLAN by the switch rather than going out into the J-series router and then back in again. Full thread here: http://forums.juniper.net/t5/Ethernet-Switching/EX4200s-need-to-control-traffic-between-VLANs/td-p/1...

Here is the problem: if I have the virtual router configuration in place, dot1x stops ... dead. There is NO traffic coming from the switch to the RADIUS server to perform any authentication. Remove the virtual router parts and dot1x starts working again.

What do I need to do to have dot1x working in conjunction with the virtual routers, please?

Philip

3 REPLIES

Re: EX4200 - virtual routers seem to stop dot1x from working

09-01-2011 12:46 AM

This is very strange ... I've just tried pinging the RADIUS server from within the switch, and I get:

PING 193.63.211.21 (193.63.211.21): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host

The RADIUS server is connected to the switch chassis:

show arp | grep 193.63.211.21

00:15:5d:04:07:21 193.63.211.21   193.63.211.21             vlan.211            none

The switch's main interface is in the same VLAN, as shown in the routing table:

VR_Private.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:56:25
                    > to 193.63.211.1 via vlan.211
10.100.1.254/32    *[Local/0] 00:56:24
                      Reject
10.100.2.0/24      *[Direct/0] 00:56:24
                    > via vlan.102
10.100.2.254/32    *[Local/0] 00:56:24
                      Local via vlan.102
10.100.3.0/24      *[Direct/0] 00:56:24
                    > via vlan.103
10.100.3.254/32    *[Local/0] 00:56:24
                      Local via vlan.103
10.100.4.0/24      *[Direct/0] 00:56:25
                    > via vlan.104
10.100.4.254/32    *[Local/0] 00:56:25
                      Local via vlan.104
193.63.90.1/32     *[Local/0] 00:56:24
                      Reject
193.63.90.128/25   *[Direct/0] 00:56:24
                    > via vlan.91
193.63.90.129/32   *[Local/0] 00:56:24
                      Local via vlan.91
193.63.211.0/25    *[Direct/0] 00:56:25
                    > via vlan.211
193.63.211.9/32    *[Local/0] 00:56:25
                      Local via vlan.211

So 193.63.211.9 is in the same VLAN as the RADIUS server, and that VLAN is in VR_Private.

So why does the switch suddenly think there isn't a route to the RADIUS server?


Re: EX4200 - virtual routers seem to stop dot1x from working

09-01-2011 01:08 AM

it@dante.net wrote:

193.63.211.9/32    *[Local/0] 00:56:25
                      Local via vlan.211

That bit seems to be a lie. If I run the command show route forwarding-table, I see this:

193.63.211.9/32    intf     0 193.63.211.9       locl  1344     2
193.63.211.9/32    dest     0 193.63.211.9       locl  1344     2

Note that the lines do not end with vlan.211 as they do for the physical interfaces on the switch, e.g.:

193.63.211.21/32   dest     0 0:15:5d:4:7:21     ucst  1631     1 vlan.211

Indeed, any of the IP addresses that have been assigned to the switch for RVIs or anything else don't get listed in a VLAN, but they are being listed in the VR_Private.inet routing table, so I'm still stumped on this one.


Re: EX4200 - virtual routers seem to stop dot1x from working

09-01-2011 01:43 AM

I found the answer. You have to explicitly specify the virtual router instance within the RADIUS configuration:

routing-instance VR_Private;

and then RADIUS traffic flows again.

Still can't ping from the switch but authentication is working so I'm at least reasonably happy.
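
As an added audit check, not code from this thread or from Juniper: the Python below parses a constructed, reduced copy of the configuration above and flags any access radius-server entry whose routing-instance does not match the instance that owns the interface on the server's subnet, which is the mismatch that left RADIUS with no route to 193.63.211.21 here. The config text and the placeholder secret are constructed from the thread; the parser and the "default" instance label are this example's own.

```python
import ipaddress
import re

# Constructed from the thread: vlan.211 is in VR_Private, but radius-server names no instance.
BROKEN = """
interfaces { vlan { unit 211 { family inet { address 193.63.211.9/25; } } } }
routing-instances { VR_Private { instance-type virtual-router; interface vlan.211; } }
access { radius-server {
    193.63.211.21 secret "REDACTED"; ## SECRET-DATA
} }
"""
# The fix from the thread: bind the server to the instance that owns its subnet.
FIXED = BROKEN.replace('193.63.211.21 secret "REDACTED";',
                       '193.63.211.21 { secret "REDACTED"; routing-instance VR_Private; }')

def parse_junos(text):
    """Parse Junos curly-brace config into nested dicts; leaf statements map to None."""
    text = re.sub(r"##[^\n]*", "", text)             # drop "## SECRET-DATA" style annotations
    stack = [{}]
    for stmt, brace in re.findall(r"([^{};]*)([{};])", text):
        stmt = stmt.strip()
        if brace == "{":
            stack.append(stack[-1].setdefault(stmt, {}))
        elif brace == ";":
            stack[-1][stmt] = None
        else:
            stack.pop()
    return stack[0]

def radius_instance_mismatches(cfg):
    """Return (server, expected_instance, configured_instance) for each mis-bound server."""
    owner = {s.split()[1]: name                      # logical interface -> routing instance
             for name, body in cfg.get("routing-instances", {}).items()
             for s in body if s.startswith("interface ")}
    nets = [(ipaddress.ip_interface(s.split()[1]).network, f"{ifname}.{unit.split()[1]}")
            for ifname, units in cfg.get("interfaces", {}).items()
            for unit, body in units.items()
            for s in body.get("family inet", {}) if s.startswith("address ")]
    findings = []
    for key, body in cfg.get("access", {}).get("radius-server", {}).items():
        server, configured = ipaddress.ip_address(key.split()[0]), "default"
        for s in [key] + list(body or []):           # one-line form and block form
            toks = s.split()
            if "routing-instance" in toks:
                configured = toks[toks.index("routing-instance") + 1]
        expected = next((owner.get(ifn, "default") for net, ifn in nets if server in net),
                        "default")
        if expected != configured:
            findings.append((str(server), expected, configured))
    return findings
```

Running radius_instance_mismatches(parse_junos(BROKEN)) returns [('193.63.211.21', 'VR_Private', 'default')], and the same call on FIXED returns [].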