Re: 802.1x and MAC Authentication unauth VLAN

sscotty
Occasional Contributor

802.1x and MAC Authentication unauth VLAN

Hi,

 

My switches are configured as follows:

vlan 10
   name "DATA"
   ip address 10.1.10.1 255.255.255.0
   exit
vlan 11
   name "VOICE"
   tagged A1-A5
   ip address 10.1.11.1 255.255.255.0
   voice
   exit
vlan 12
   name "GUEST"
   untagged A1-A5
   ip address 10.1.12.1 255.255.255.0
   exit
radius-server host 10.1.254.1
aaa authentication port-access eap-radius
aaa port-access authenticator A1-A5
aaa port-access authenticator A1-A5 client-limit 3
aaa port-access authenticator active
aaa port-access mac-based A1-A5
aaa port-access mac-based A1 unauth-vid 40
aaa port-access mac-based A2 unauth-vid 40
aaa port-access mac-based A3 unauth-vid 40
aaa port-access mac-based A4 unauth-vid 40
aaa port-access mac-based A5 unauth-vid 40
aaa port-access A1 mixed
aaa port-access A2 mixed
aaa port-access A3 mixed
aaa port-access A4 mixed
aaa port-access A5 mixed

My goals are as follows:

 

1) IP phones with pass-through ports to authenticate via MAC address and tag traffic on the voice VLAN 11

2) Trusted PCs to connect to the IP phones, authenticate using 802.1x EAP-TLS, and connect to the RADIUS-assigned VLAN 10

3) Untrusted devices to connect to the unauth VLAN

 

Everything works well apart from two frustrating things. The first is that when the IP phone is connected, it successfully authenticates and tags packets on VLAN 11; the IP phone is up and connects to our IP PBX. When a trusted client connects to the IP phone pass-through port and passes EAP-TLS authentication, the IP phone unauthenticates and reauthenticates, which causes the phone to drop from the network. I can only assume that this happens when the untagged VLAN on the port changes from the guest VLAN 11 to the data VLAN 10. This does not happen when either the unauth-vid or mixed commands are removed.

 

The second is that after the trusted client disconnects from the pass-through port and is replaced with an untrusted client, the untrusted client cannot connect to the unauth VLAN; 'show port-access mac-based clients' only displays the IP phone. The only workaround is to disconnect and reconnect the IP phone from the switch, which then allows both the IP phone and the untrusted client to connect.

 

Has anyone experienced these problems? I have tried various different firmware on the switches but the behaviour is the same. I have also tried changing some of the times and forcing periodic reauthentication, but nothing helps.
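A quick consistency check for a config like the one posted, added here as an example (not from the thread, HPE, or the poster): it parses the vlan contexts and the 'aaa port-access mac-based ... unauth-vid' lines and reports any unauth-vid that refers to a VLAN the config never defines, which is worth ruling out before chasing firmware. The sample config below is a constructed excerpt modelled on the post, not the poster's full config.

```python
import re

# Constructed excerpt modelled on the config in the post: VLAN 40 is used
# as an unauth-vid but never defined, while A2 here points at the GUEST VLAN.
SAMPLE_CONFIG = """\
vlan 10
   name "DATA"
   exit
vlan 11
   name "VOICE"
   tagged A1-A5
   exit
vlan 12
   name "GUEST"
   untagged A1-A5
   exit
aaa port-access mac-based A1-A5
aaa port-access mac-based A1 unauth-vid 40
aaa port-access mac-based A2 unauth-vid 12
"""

def parse_config(text):
    """Return (vlans, unauth): vid -> {'tagged': [...], 'untagged': [...]}
    and port -> vid taken from 'aaa port-access mac-based <port> unauth-vid <vid>'."""
    vlans, unauth, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:                                   # enter a vlan context
            current = int(m.group(1))
            vlans[current] = {"tagged": [], "untagged": []}
            continue
        if line == "exit":                      # leave the vlan context
            current = None
            continue
        m = re.fullmatch(r"(tagged|untagged) (\S+)", line)
        if m and current is not None:           # port membership inside a vlan
            vlans[current][m.group(1)].append(m.group(2))
            continue
        m = re.fullmatch(r"aaa port-access mac-based (\S+) unauth-vid (\d+)", line)
        if m:
            unauth[m.group(1)] = int(m.group(2))
    return vlans, unauth

def undefined_unauth_vids(text):
    """(port, vid) pairs whose unauth-vid names a VLAN the config never defines."""
    vlans, unauth = parse_config(text)
    return sorted((p, v) for p, v in unauth.items() if v not in vlans)
```

Run it over the output of 'show running-config' to get the list of offending ports; an empty list means every unauth-vid is backed by a defined VLAN.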


3 REPLIES
MichaelvLonden
Advisor

Re: 802.1x and MAC Authentication unauth VLAN

Hi,

 

Which type of IP phones and firmware do you use?

 

We have Avaya 96xx phones and use H.323 firmware 3.1 SP2.

In previous releases there were issues with 802.1X and signing off PCs connected to the phones.

 

Which Procurve firmware do you use?

 

Regards,

Michael

 

sscotty
Occasional Contributor

Re: 802.1x and MAC Authentication unauth VLAN

We are using Polycom CX600s with the latest firmware.

 

Switches are on K_15_06_0008.

 

In this situation it's the trusted 802.1x device that seems to kick off the IP phones.

 

Also, I did read in the Access Security Guide that authenticated devices have priority over guests, but this doesn't explain why a guest can connect OK before a trusted device is connected. It seems that after a trusted device authenticates and disconnects, only future trusted devices can connect; guests can't. I have tested with low logoff times etc., but a guest cannot connect again until the port is completely reset.

bkokken
Occasional Visitor

Re: 802.1x and MAC Authentication unauth VLAN

I see similar issues on 2520 switches running J15090022 software.

Setup slightly different:

 

telephone: 802.1x authenticated on tagged VLAN 10 with passthrough port for PC

PC: 802.1x authenticated when part of Windows domain, otherwise treated as guest.

Switch port has untagged guest VLAN configured.

 

This works: the PC will be put in the NPS-supplied VLAN. When a non-Windows-domain PC is connected, it is put in the guest VLAN via the unauth-vid command on the AUTHENTICATOR config.

 

But if we would like to use MAC authentication as well on the same port, then we can only use the unauth-vid config on the MAC-BASED configuration. Now if we connect an unknown client (no 802.1x, nor a MAC address stored in NPS), I would expect the machine to be placed in the unauth-vid VLAN. But the switch will keep the port in the "client not allowed on VLAN" state.

 

A solution would be to configure a port for either 802.1x or mac-based authentication. But to "have it all" it would be great to use 802.1x, then MAC authentication, and if both fail, have the client connect to the guest VLAN.

 

Any ideas on this?