Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

2026-01-17T08:11:48Z

Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

← Older revision		Revision as of 08:11, 17 January 2026
Line 1:		Line 1:
	[[Category:Wiki]]		[[Category:Wiki]]

			'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''


	Platforms :		Platforms :

Admin: Text replacement - "Category:Post-It" to "Category:Wiki"

2025-12-08T17:22:38Z

Text replacement - "Category:Post-It" to "Category:Wiki"

← Older revision		Revision as of 17:22, 8 December 2025
Line 1:		Line 1:
	[[Category:~~Post-It~~]]		[[Category:Wiki]]

	Platforms :		Platforms :

Admin at 14:31, 21 October 2024

2024-10-21T14:31:18Z

New page

[[Category:Post-It]]

Platforms :
* OmniSwitch AOS Release 8 Network Configuration Guide December 2019
* OmniSwitch OS6860/OS6900/OS10K Troubleshooting Guide

802.1x debug :

<nowiki>
show unp user authentication-type 802.1x
show unp user detail</nowiki>

== show unp ==

Platforms Supported : OmniSwitch 6900

Displays the Universal Network Profile (UNP) configuration for the switch :

<nowiki>
show unp [unp_name]</nowiki>

* unp_name
** The name of the UNP.

By default, the configuration for all UNPs is displayed.

Enter a UNP name with this command to display information for a specific UNP.
Examples :

<nowiki>
-> show unp
Name Vlan Policy List Name
--------------------------------+----+-------------------------------
Sales 100 list1
Finance 1000 list2

-> show unp Finance
Name Vlan Policy List Name
--------------------------------+----+-------------------------------
Finance 1000 list2</nowiki>

== show unp user ==

Displays the MAC addresses learned on a UNP port and the UNP that was used for classification.

<nowiki>
show unp user [[user_name] | [slot/port[-port2] count]</nowiki>

* user_name
** The name of a specific device (for example, the device MAC address).

* slot/port[-port2]
** The slot and port number (3/1). Use a hyphen to specify a range of ports (3/1-8).

* count
** Displays the number of UNP users.

By default, information is displayed for all learned devices.

=== Examples ===

<nowiki>
-> show unp user
Total users: 3
User Auth
Port Username Mac address IP Vlan UNP Status
----+-----------------+-----------------+---------+----+-------+-------
1/1 00:00:00:00:00:01 00:00:00:00:00:01 10.0.0.1 10 Sales Active
1/1 00:80:df:00:00:02 00:80:df:00:00:02 10.0.0.2 20 Finance Active
1/2 00:80:df:00:00:03 00:80:df:00:00:03 20.0.0.5 30 - Block

-> show unp user 00:00:00:00:00:01
Port : 01/20,
Mac-address : 00:00:00:00:00:01,
IP : 14.15.16.17,
Vlan : 300,
User Network Profile : unp3,
Login Timestamp : 04/01/1970 18:45:26,
Authentication Type : Mac authentication,
Authentication Status : Authenticated,
Classification Source : RADIUS - Server UNP</nowiki>

<nowiki>
-> show unp user 1/1-5
Total users: 3
User Auth
Port UsernameMac address IP Vlan UNP Status
----+-----------------+-----------------+---------+----+-------+-----
1/1 00:00:00:00:00:01 00:00:00:00:00:01 10.0.0.1 10 Sales Active
1/1 00:80:df:00:00:02 00:80:df:00:00:02 10.0.0.2 20 Finance Active
1/2 00:80:df:00:00:03 00:80:df:00:00:03 20.0.0.5 30 - Block
-> show unp user 1/1-5 count
Total users: 3
-> show unp user count
Total users: 3</nowiki>

== Verifying the UNP Port Configuration ==

Use the show unp port config command to display the UNP port configuration. For example:

<nowiki>
-> show unp port 1/1/10 config
Port 1/1/10
Port-Type = BRIDGE,
Redirect Port Bounce = Disabled,
802.1x authentication = Enabled,
802.1x Pass Alternate Profile = -,
802.1x Bypass = Disabled,
802.1x failure-policy = default,
Mac-auth allow-eap = -,
Mac authentication = Enabled,
Mac Pass Alternate Profile = -,
Classification = Enabled,
Trust-tag = Enabled,
Default Profile = -,
Port Domain Num = 0,
AAA Profile = -,
Port Template = bridgeDefaultPortTemplate,
Port Control Direction = Both,
Egress Flooding = Not Allowed,
Admin State = Enabled,
Dynamic Service = -,</nowiki>

== How It Works ==

Dynamic SA Mode - MACsec with Dynamic SAK using MACsec Key Agreement (MKA) Protocol.

The MKA, as described in IEEE 802.1X-2010, is an extension to 802.1X, which provides the required
session keys and manages the required encryption keys used by the underlying MACsec protocol. The
MKA protocol allows peer discovery with confirmation of mutual authentication and sharing of
MACsec secret keys to protect data exchanged by the peers.

There are two modes of provisioning connectivity association keys (CAK/CKN) between two MACsec
endpoints. OmniSwitch supports the following:

* Dynamic SAK using Pre-Shared Key (PSK)
** MACsec using Static Connectivity Association Key (static-CAK) using PSK

* Dynamic SAK using Extensible Authentication Protocol (EAP)
** MACsec using Dynamic Connectivity Association Key (dynamic-CAK) using EAP.

== Dynamic SAK using EAP ==

This mode is applicable for securing link between a host and a switch end-points. Following are some
configuration guidelines when MACsec is set to dynamic SA mode using RADIUS server:
IEEE 802.1X-2010 defines the way that MACsec can be used in conjunction with authentication to
provide secure port-based access control using authentication.

IEEE 802.1X authenticates the endpoint and transmits the necessary cryptographic keying material to both sides. Using the master keys derived
from the IEEE 802.1X authentication, MACsec can establish an encrypted link on the LAN, thereby
helping ensure the security of the authenticated session.

* When configuring MACsec on a switch-to-host link, the MKA session establishment between the
switch and the host is initiated once the 802.1x authentication is successful on the port. The 802.1x
authentication method must be either EAP-TLS or PEAP authentication framework.

* The MKA keys are received from the RADIUS server. A successful 802.1x-authentication results in
MKA keys (MSK and Session-Id), which will be passed from the RADIUS server to the switch and
from RADIUS server to the host in an independent authentication transaction. The master key will then
be passed between the switch and the host to create a MACsec secured connection. The CAK and CKN
is derived from MSK and the EAP session ID.

* CAK and CKN needs to be derived both at the host and the switch, hence 802.1x-authentication using
EAP-TLS must be used as mutual authentication protocol for MACsec Dynamic mode.
After deriving CAK/CKN, the switch acts as the key server. It generates a random SAK, which is sent to
the client. The client is never a key server and can only interact with a single MKA entity, the key server.
After key derivation and generation, the switch sends periodic transports to the client at a default interval
of two seconds

== Statically Assigning Service Profiles for Silent Devices ==

When a MAC address is learned on a UNP port and classified into a service profile, a SAP is dynamically
created based on the parameter values of the service profile. Once the MAC address associated with the
dynamic SAP ages out, the SAP ages out as well. This poses a problem for silent devices connected to
UNP access ports; when the device goes idle and the dynamic SAP ages out, the silent device no longer
receives broadcast or multicast packets to wake the device.

To accommodate silent devices, assign a service profile to the UNP port. When the profile is assigned to
the UNP port, a SAP is dynamically created based on the service parameter values defined for the profile.
This action is automatically triggered even if a MAC address has not been learned on the port.

The SAP that is created when a service profile is assigned to a UNP port is a persistent SAP that will not
age out when any MAC addresses learned on the SAP age out; the SAP continues to receive broadcast and
multicast packets for the silent device even if there are no MAC addresses learned on the SAP.

Consider the following guidelines when statically assigning a service profile for silent devices:

* Make sure the specified UNP profile name already exists in the switch configuration and is mapped to
an SPB, VXLAN, L2 GRE, or static service.

* Profiles mapped to SPB, VXLAN, or static services are configured as static profiles on UNP access
ports.

* Profiles mapped to an L2 GRE service are configured as static profiles on UNP bridge ports.

* More than one SPB or VXLAN service profile can be statically assigned to the same UNP access port,
but mixing service types on the same port is not supported. For example, configure only SPB service
profiles or only VXLAN service profiles for the same access port.

* There can only be one L2 GRE service profile statically assigned to a UNP bridge port.
To assign a service profile to a UNP port, use the unp port profile command. For example, the following
commands configure and assign service profile “static-spb1” to UNP access port 1/4/31:

<nowiki>
-> unp profile static-spb1
-> unp profile static-spb1 map service spb tag-value 10 isid 1500 bvlan 500
-> unp port 1/4/31 port-type access
-> unp port 1/4/31 profile static-spb1</nowiki>

UNP service profile “static-spb1” is mapped to SPB service parameters. When this profile is assigned to
UNP access port 1/4/31, a dynamic SPB SAP is automatically created to process traffic on that port. The
1/4/31 port SAP never ages out and is only taken down when the profile assignment is removed from the
port.

To remove a profile assignment from a UNP port, use the no form of the unp port profile command. For
example:

<nowiki>
-> no unp port 1/4/31 profile static-spb1
Use the show unp port profile command to verify the UNP static profile configuration. For example:
-> show unp port profile
Port Profile
-------+----------------
1/4/31 static-spb1</nowiki>

To verify that a dynamic service and SAP was created automatically when a service profile is assigned to
a UNP port, use the show service and show service ports commands. For example:

<nowiki>
-> show service
Legend: * denotes a dynamic object
All Service Info
Svc SAP Bind
ServiceId Type Adm Oper Stats Count Count Description
----------+-----+----+----+-----+------+------+---------------------------------
32768* SPB Up Down N 1 0 Dynamic Service isid=1500 for UNP
Configuring Access Guardian Configuring Port-Based Network Access Control
OmniSwitch AOS Release 8 Network Configuration Guide December 2019 page 29-57
-> show service 32768 ports
Legend: (*) dyn unicast object (+) remote mcast object (#) local mcast object
SPB Service 32768 (Dynamic Service isid=1500 for UNP)
Admin : Up, Oper : Down, Stats : N, Mtu : 9194, VlanXlation : N,
ISID : 1500, BVlan: 500, MCast-Mode: Headend, Tx/Rx : 0/0, RemoveIngTag: N
Sap Trusted:Priority/ Sap Description /
Identifier Adm Oper Stats Sdp SystemId:BVlan Intf Sdp SystemName
---------------+----+----+-----+--------------------+-------+-------------------
sap:1/4/31:10* Up Down N Y:x 1/4/31 Dynamic SAP for UNP</nowiki>

For more information about the commands described in this section, see the “Access Guardian
Commands” chapter and the “Service Manager Commands” chapter in the OmniSwitch AOS Release 8
CLI Reference Guide.

Statically Assigning VLANs for Silent Devices ==

When a MAC address is learned on a UNP bridge port and classified into a VLAN profile, a VLAN-port
association is dynamically created between the port and the VLAN mapped to the profile. The UNP port
becomes a member of that VLAN. However, when the MAC address ages out, the VLAN-port association
also ages out and the UNP port is no longer a member of that VLAN. This is problematic for silent
devices as they will no longer receive broadcast packets forwarded on the VLAN to wake the device.
To accommodate silent devices, statically assign a VLAN to the UNP bridge port. Doing so will
automatically create a VLAN-port association between the port and VLAN that will not age out even if
there are no MAC addresses learned on the port; the UNP bridge port continues to receive broadcast
packets for any silent device that is connected to the port.

Consider the following guidelines when configuring a static VLAN for a UNP bridge port:

* Static VLANs are only configurable on UNP bridge ports (UNP access ports are not supported).

* Statically assigning a VLAN as an untagged or tagged VLAN for the UNP port is supported.

* When a VLAN is assigned to a UNP bridge port, the port goes into a forwarding state for egress traffic
associated with the VLANs assigned to the port. This automatically occurs even when there is no MAC
address learned on the UNP port in the assigned VLANs and regardless of the direction value (in or
both) set for the port.

To configure an untagged or tagged VLAN assignment for a UNP bridge port, use the unp vlan
command. For example, the following command assigns VLAN 100 as an untagged static VLAN
assignment for UNP port 1/4/45:

<nowiki>
-> unp port 1/4/45 vlan 100</nowiki>

To specify a tagged VLAN assignment, use the tagged parameter with the unp vlan command. For
example:

<nowiki>
-> unp port 1/4/45 vlan 100 tagged
Configuring a UNP port or link aggregate with an untagged and tagged VLAN-port association is allowed
as long as the untagged and tagged VLANs are different. For example, the following commands configure
an untagged and tagged VLAN assignment for the same UNP bridge port:
-> unp port 1/4/45 vlan 100
-> unp port 1/4/45 vlan 200 tagged</nowiki>

== Usefull Links ==

* https://support.alcadis.nl/Support_files/Alcatel-Lucent/OmniSwitch//OS6900/Manuals/OS6900%20AOS%207.2.1%20R01/OS6900%20AOS%207.2.1%20R01%20CLI%20Reference%20Guide.pdf

* https://support.alcadis.nl/Support_files/Alcatel-Lucent/OmniSwitch//OS6900/Technotes/7X%208X%20Troubleshooting%20Guide.pdf

* https://support.alcadis.nl/Support_files/Alcatel-Lucent/OmniSwitch//OS6865/Manuals/OS6865%20AOS%208.6.R02/OS6865%20AOS%208.6.R02%20Network%20Configuration%20Guide.pdf

* https://www.alcatelunleashed.com/viewtopic.php?t=31635

ALCATEL - 802.1x Troubleshoot - Revision history

Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

Admin: Text replacement - "Category:Post-It" to "Category:Wiki"

Admin at 14:31, 21 October 2024