
How to use mac-authentication to authorize trunk ports on a connection?

MDella
Advisor

So we have two use cases, of which we have tentatively solved the first.

Use case 1:

When we hook a DL360 up to an A5800 switch, we want the switch to recognize that there is a machine on the port, query the MAC address, look it up in a radius database, and if it is in there, set the VLAN to the one that the radius server reports.  We have this mostly working with one caveat: if the server is idle for more than 90 seconds, the switch "disconnects the port" and refuses to send traffic to the DL360 until the DL360 initiates traffic to re-authenticate the mac address.  I have had to write a keep-alive script on the CentOS 6 machines that "pings" traffic every 60 seconds to keep the port active.

 mac-address timer no-aging
#
 mac-authentication
 mac-authentication timer offline-detect 180
 mac-authentication timer quiet 15
 mac-authentication domain gram

#

interface GigabitEthernet1/0/1
 port link-mode bridge
 description Generic Server Position 1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 15 untagged
 port hybrid pvid vlan 15
 mac-vlan enable
 stp edged-port enable
 mac-authentication
 mac-authentication guest-vlan 15

In this case, we are on VLAN 15 until we are "authenticated". Once authenticated (with the correct radius payload) we are moved to the new VLAN (however another problem we have is that VLAN 15 is still associated with the port, it doesn't go away).  The VLAN reverts to 15 if there is no traffic for 90 seconds.

Any suggestions for those two problems?

Use Case #2:

In this one, we want to make the connection a trunk to the device (in this case, still a DL360 however running Xen with the network virtual switch software).  On this trunk, we are by default sending VLAN 15 and we want to ADD other VLANs to the trunk as different mac addresses are authenticated.  This way we have virtual servers that are added to the trunk as they come online and off. Not sure how to accomplish this one.
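Added example, not from the post above: the RADIUS side of Use case 1, written as a FreeRADIUS `users` file entry that authorizes one MAC into a VLAN with the RFC 2868 tunnel attributes the switch expects. It assumes FreeRADIUS is the server behind domain `gram`, that the switch sends the MAC as both username and password in hyphenated lowercase form (the output of `mac-authentication user-name-format mac-address with-hyphen lowercase`; check your switch's setting), and a constructed MAC and target VLAN 20.

```text
# Constructed example: one MAC, authorized into VLAN 20 via RFC 2868 tunnel attributes.
# Username and password are both the MAC, as the switch sends them for MAC authentication.
00-11-22-33-44-55   Cleartext-Password := "00-11-22-33-44-55"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Any MAC not listed above falls through to this entry and is rejected, so the port
# stays in guest VLAN 15 as configured with "mac-authentication guest-vlan 15".
DEFAULT Auth-Type := Reject
```

If a listed MAC is still rejected, compare the User-Name in the switch's Access-Request against the entry: the `mac-authentication user-name-format` setting controls hyphens and letter case, and the two must match exactly.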