05-10-2012 12:55 PM
802.1x and MAC Authentication unauth VLAN
Hi,
My switches are configured as follows
vlan 10
name "DATA"
ip address 10.1.10.1 255.255.255.0
exit
vlan 11
name "VOICE"
tagged A1-A5
ip address 10.1.11.1 255.255.255.0
voice
exit
vlan 12
name "GUEST"
untagged A1-A5
ip address 10.1.12.1 255.255.255.0
exit
radius-server host 10.1.254.1
aaa authentication port-access eap-radius
aaa port-access authenticator A1-A5
aaa port-access authenticator A1-A5 client-limit 3
aaa port-access authenticator active
aaa port-access mac-based A1-A5
aaa port-access mac-based A1 unauth-vid 40
aaa port-access mac-based A2 unauth-vid 40
aaa port-access mac-based A3 unauth-vid 40
aaa port-access mac-based A4 unauth-vid 40
aaa port-access mac-based A5 unauth-vid 40
aaa port-access A1 mixed
aaa port-access A2 mixed
aaa port-access A3 mixed
aaa port-access A4 mixed
aaa port-access A5 mixed
My goals are as follows:
1) IP phones with pass-through ports to authenticate via MAC address and tag traffic on the voice VLAN 11
2) Trusted PCs to connect the IP phones and authenticate using 802.1x EAP-TLS and connect to radius assigned VLAN 10
3) Untrusted devices to connect to the unauth VLAN
Everything works well apart from two frustrating things. The first is that when the IP phone is connected, it successfully authenticates and tags packets on VLAN 11; the IP phone is up and connects to our IP PBX. When a trusted client connects to the IP phone pass-through port and passes EAP-TLS authentication, the IP phone unauthenticates and reauthenticates, which causes the phone to drop from the network. I can only assume that this happens when the untagged VLAN on the port changes from the guest VLAN 11 to the data VLAN 10. This does not happen when either the unauth-vid or mixed commands are removed.
The second is that after the trusted client disconnects from the pass-through port and is replaced with an untrusted client, the untrusted client cannot connect to the unauth VLAN; 'show port-access mac-based client' only displays the IP phone. The only workaround is to disconnect and reconnect the IP phone from the switch, which then allows both the IP phone and the untrusted client to connect.
Has anyone experienced these problems? I have tried various different firmware on the switches but the behaviour is the same. I have also tried changing some of the times and forcing periodic reauthentication, but nothing helps.
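A consistency check a practitioner could run over a ProVision-style config like the one posted above (an added example, not code from this thread or from HPE): it flags mac-based unauth-vid values that point at a VLAN the config never defines (the posted snippet sets unauth-vid 40 but only defines VLANs 10, 11 and 12) and ports set to mixed without both 802.1X and MAC authentication enabled on them. The embedded sample is trimmed from the post, and port A6 is constructed.

```python
import re
from typing import Dict, List
# Constructed sample trimmed from the switch config posted above;
# port A6 is added here to show a port set to mixed without both methods.
SAMPLE_CONFIG = """\
vlan 12
name "GUEST"
untagged A1-A5
exit
aaa port-access authenticator A1-A5
aaa port-access authenticator active
aaa port-access mac-based A1-A5
aaa port-access mac-based A1 unauth-vid 40
aaa port-access A1 mixed
aaa port-access A6 mixed
"""

def expand_ports(spec: str) -> List[str]:
    # Expand a ProVision range like 'A1-A5' into ['A1', ..., 'A5'].
    m = re.fullmatch(r"([A-Z]?)(\d+)-\1(\d+)", spec)
    if not m:
        return [spec]
    prefix, lo, hi = m.groups()
    return [f"{prefix}{n}" for n in range(int(lo), int(hi) + 1)]

def lint_port_access(config: str) -> Dict[str, List[str]]:
    # Collect defined VLANs, 802.1X ports, MAC-auth ports, mixed ports and
    # the unauth-vid configured per port, then cross-check them.
    vlans, dot1x, macauth, mixed, unauth = set(), set(), set(), set(), {}
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["vlan"]:
            vlans.add(int(t[1]))
        elif t[:3] == ["aaa", "port-access", "authenticator"] and t[3] != "active":
            dot1x.update(expand_ports(t[3]))
        elif t[:3] == ["aaa", "port-access", "mac-based"]:
            for p in expand_ports(t[3]):
                macauth.add(p)
                if "unauth-vid" in t:
                    unauth[p] = int(t[t.index("unauth-vid") + 1])
        elif t[:2] == ["aaa", "port-access"] and t[-1] == "mixed":
            mixed.add(t[2])
    findings: Dict[str, List[str]] = {}
    for port in sorted(dot1x | macauth | mixed):
        f = []
        if port in mixed and not (port in dot1x and port in macauth):
            f.append("mixed set but 802.1X and MAC auth are not both enabled")
        if port in unauth and unauth[port] not in vlans:
            f.append(f"unauth-vid {unauth[port]} is not a defined VLAN")
        if f:
            findings[port] = f
    return findings
```

Run it against a full running-config export rather than a snippet so that VLANs defined elsewhere are not reported as missing.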
05-11-2012 02:48 AM
Re: 802.1x and MAC Authentication unauth VLAN
Hi,
Which type of IP phones and firmware do you use?
We have Avaya 96xx phones and use H.323 firmware 3.1 SP2.
In previous releases there were issues with 802.1X and signing off PCs connected to the phones.
Which Procurve firmware do you use?
Regards,
Michael
05-11-2012 07:51 AM
Re: 802.1x and MAC Authentication unauth VLAN
We are using Polycom CX600s with the latest firmware.
Switches are on K_15_06_0008.
In this situation it's the trusted 802.1x device that seems to kick off the IP phones.
Also, I did read in the Access Security Guide that authenticated devices have priority over guests, but this doesn't explain why a guest can connect OK before a trusted device is connected. It seems that after a trusted device authenticates and disconnects, only future trusted devices can connect; guests can't. I have tested with low logoff times etc., but a guest cannot connect again until the port is completely reset.
06-07-2014 05:14 AM
Re: 802.1x and MAC Authentication unauth VLAN
I see similar issues on 2520 switches running J15090022 software.
Setup is slightly different:
telephone: 802.1x authenticated on tagged VLAN 10 with passthrough port for PC
pc: 802.1x authenticated when part of the Windows domain, otherwise treated as guest.
Switch port has untagged guest VLAN configured.
This works: the PC will be put in the NPS-supplied VLAN. When a non-Windows-domain PC is connected, it is put in the guest VLAN via the unauth-vid command on the AUTHENTICATOR config.
But if we would like to use MAC authentication as well on the same port, then we can only use the unauth-vid config on the MAC-BASED configuration. Now if we connect an unknown client (no 802.1x, and no MAC address stored in the NPS), I would expect the machine to be placed in the unauth-vid VLAN. But the switch will keep the port in "client not allowed on VLAN" state.
The solution would be to configure a port either for 802.1x or for mac-based authentication. But to "have it all" it would be great to use 802.1x, then MAC authentication, and if both fail, have the client connect to the guest VLAN.
Any ideas on this?