SecureStack B3 has RFC3580 User Connectivity issues after Upgrade to firmware 6.03.xx

Symptoms
  • Prior to the upgrade, the user authenticated, received the correct vlan-tunnel attribute ('show multiauth session'), and was assigned the correct VLAN ID and VLAN egress ('show vlanauthorization').
  • After the upgrade, the user authenticates and receives the correct vlan-tunnel attribute ('show multiauth session'), but is not assigned a VLAN ID or VLAN egress ('show vlanauthorization').
  • The user has lost communication to other devices on the network.
Environment
SecureStack B3, firmware 6.03.00.0022
  • Started with pre-6.03 firmware.
  • Activated policy licensing ('set license policy...'), but added no policy ('set policy...') commands.
  • Configured RFC3580 VLAN Tunneling ('set vlanauthorization enable') and RADIUS ('set radius...'), in combination with 802.1x ('set dot1x...', 'set eap...'), PWA ('set pwa...'), and/or MAC ('set macauthentication...') authentication, and possibly Multi-authentication ('set multiauth...').
  • As expected, the RADIUS server correctly authenticates network users onto the system, and upon an Access-Accept result, returns a VLAN specification to the SecureStack to be applied to the user's network access policy.
  • Then, upgraded to firmware 6.03.00.0022 or higher.
Cause
This issue has to do with the default state of the 'set policy maptable response {policy | tunnel | both}' command:
  • When the maptable response is set to policy mode ('set policy maptable response policy'), the system will use the Filter-ID attributes in the RADIUS reply to apply a policy to the authenticating user and will ignore any vlan-tunnel attributes in the RADIUS reply.
  • When the maptable response is set to tunnel mode ('set policy maptable response tunnel'), the system will use the vlan-tunnel attributes in the RADIUS reply to apply a VLAN to the authenticating user and will ignore any Filter-ID attributes in the RADIUS reply.
  • When the maptable response is set to both ('set policy maptable response both') - otherwise known as hybrid authentication mode - both Filter-ID attributes (dynamic policy assignment) and vlan-tunnel attributes (dynamic VLAN assignment) sent in RADIUS server Access-Accept replies are used to determine how the switch should handle authenticating users. This mode requires firmware 6.03.00.0022 or higher - see the 'What's New in 6.03' section of release notes.
One further factor is that, among the devices that run firmware 6.03, the C3 and G-Series have policy functionality by default, while the B3 requires licensing in order to activate policy.

Given the background as stated above, here are the default maptable response modes for the B3, in the absence of user specification:
  • With pre-6.03 firmware...
    • if there is no policy licensing and thus no policy commands, behavior defaults to emulating "tunnel mode".
    • if policy is licensed but there are no policy commands, "policy mode" is used - however, RFC3580 tunnel parameters are honored.
    • If policy is licensed and policy commands exist, "policy mode" is used exclusively.
  • With firmware 6.03 and higher...
    • if there is no policy licensing and thus no policy commands, behavior defaults to emulating "tunnel mode".
    • if policy is licensed but there are no policy commands, "policy mode" is used exclusively.
      This behavioral change was implemented to match pre-existing C3, C2, G-Series, and N-Series behavior.
    • If policy is licensed and policy commands exist, "policy mode" is used exclusively.
The behavioral change is relevant to B3 users who plan to run firmware 6.03 with policy licensing, no policy commands, and RFC3580. Previously a special dispensation in the firmware logic allowed RFC3580 to function under these circumstances. That logic has now been removed.
Resolution
Functions as Designed (FAD).

To match pre-6.03 behavior, add the command 'set policy maptable response tunnel'.
Or, optionally add the command 'set policy maptable response both'.
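The following Python model is an added example, not part of this article or of the SecureStack firmware. It encodes the default maptable response table from the Cause section and the three explicit modes, then replays a constructed RADIUS Access-Accept against a constructed B3 configuration before and after the upgrade, so the loss of the VLAN assignment and the effect of the two resolution commands can be checked ahead of an upgrade. The config dump, firmware strings and license key are constructed samples; the RADIUS attribute names and values are the standard ones (Filter-Id from RFC 2865; Tunnel-Type 13 "VLAN", Tunnel-Medium-Type 6 "IEEE-802" and Tunnel-Private-Group-Id from RFC 2868/3580).

```python
"""Model of the B3 'set policy maptable response' behaviour described in the
article. Config text and RADIUS reply below are constructed samples."""
from __future__ import annotations

import dataclasses
import re
from dataclasses import dataclass

RFC3580_TUNNEL_TYPE_VLAN = 13   # Tunnel-Type value "VLAN"
RFC3580_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type value "IEEE-802"


@dataclass
class SwitchConfig:
    firmware: str                   # e.g. "6.01.05.0003" (pre-6.03) or "6.03.00.0022"
    policy_licensed: bool           # 'set license policy ...' present
    policy_commands: bool           # any 'set policy ...' other than the maptable line
    maptable_response: str | None   # explicit policy|tunnel|both, or None if never set
    vlanauthorization: bool         # 'set vlanauthorization enable' present


def parse_config(text: str, firmware: str) -> SwitchConfig:
    """Pick the lines relevant to this issue out of a config dump."""
    cfg = SwitchConfig(firmware, False, False, None, False)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set license policy"):
            cfg.policy_licensed = True
        elif m := re.fullmatch(r"set policy maptable response (policy|tunnel|both)", line):
            cfg.maptable_response = m.group(1)
        elif line.startswith("set policy "):
            cfg.policy_commands = True
        elif line == "set vlanauthorization enable":
            cfg.vlanauthorization = True
    return cfg


def firmware_at_least_603(firmware: str) -> bool:
    major, minor = (int(p) for p in firmware.split(".")[:2])
    return (major, minor) >= (6, 3)


def honored_attributes(cfg: SwitchConfig) -> frozenset[str]:
    """Which RADIUS reply attribute classes the switch acts on, per the article's table."""
    new_fw = firmware_at_least_603(cfg.firmware)
    mode = cfg.maptable_response
    if mode == "both" and not new_fw:
        raise ValueError("hybrid ('both') mode requires firmware 6.03.00.0022 or higher")
    if mode is None:  # defaults in the absence of user specification
        if not cfg.policy_licensed:
            mode = "tunnel"
        elif cfg.policy_commands:
            mode = "policy"
        else:
            # Licensed with no policy commands: pre-6.03 still honored tunnel
            # attributes; 6.03 and higher use policy mode exclusively.
            mode = "policy" if new_fw else "both"
    return {"policy": frozenset({"filter-id"}),
            "tunnel": frozenset({"tunnel"}),
            "both": frozenset({"filter-id", "tunnel"})}[mode]


def apply_access_accept(cfg: SwitchConfig, attrs: dict) -> dict:
    """Policy name and VLAN the switch would assign for this Access-Accept."""
    honored = honored_attributes(cfg)
    result = {"policy": None, "vlan": None}
    if "filter-id" in honored and "Filter-Id" in attrs:
        result["policy"] = attrs["Filter-Id"]
    if ("tunnel" in honored and cfg.vlanauthorization
            and attrs.get("Tunnel-Type") == RFC3580_TUNNEL_TYPE_VLAN
            and attrs.get("Tunnel-Medium-Type") == RFC3580_MEDIUM_IEEE802
            and "Tunnel-Private-Group-Id" in attrs):
        result["vlan"] = int(attrs["Tunnel-Private-Group-Id"])
    return result


def upgrade_will_drop_vlan(cfg: SwitchConfig, attrs: dict) -> bool:
    """Pre-upgrade check: would this config stop assigning the VLAN on 6.03.00.0022?"""
    before = apply_access_accept(cfg, attrs)["vlan"]
    after_cfg = dataclasses.replace(cfg, firmware="6.03.00.0022")
    after = apply_access_accept(after_cfg, attrs)["vlan"]
    return before is not None and after is None


# Constructed B3 configuration matching the Environment section: policy licensed,
# no policy commands, RFC3580 plus 802.1x. The license key is a placeholder.
SAMPLE_CONFIG = """\
set license policy EXAMPLE-LICENSE-KEY
set vlanauthorization enable
set radius enable
set dot1x enable
"""
# Constructed Access-Accept carrying an RFC 3580 assignment to VLAN 100.
SAMPLE_ACCEPT = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-Id": "100"}

if __name__ == "__main__":
    pre = parse_config(SAMPLE_CONFIG, "6.01.05.0003")
    print("pre-upgrade :", apply_access_accept(pre, SAMPLE_ACCEPT))
    print("upgrade drops VLAN:", upgrade_will_drop_vlan(pre, SAMPLE_ACCEPT))
    fixed = parse_config(SAMPLE_CONFIG + "set policy maptable response tunnel\n", "6.03.00.0022")
    print("post-upgrade, tunnel mode set:", apply_access_accept(fixed, SAMPLE_ACCEPT))
```

Running the block prints VLAN 100 for the pre-6.03 configuration, flags that the unchanged configuration would drop the VLAN on 6.03.00.0022, and shows the VLAN restored once 'set policy maptable response tunnel' is added; feeding the same config to the check with 'both' instead shows a Filter-Id and a vlan-tunnel attribute being honored together.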

As desired, you may review the Configuration Guide's "RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment" section for more information about Filter-ID attributes and the "Configuring VLAN Authorization (RFC 3580)" section for more information about vlan-tunnel attributes.
Additional notes
See also Hub KBs 5781, 5834, 7312, and 10283.
