topic Re: MAC & 802.1x on the same network in Switches, Hubs, and Modems

MAC & 802.1x on the same network

Fishka — Tue, 20 Apr 2010 10:36:25 GMT

Hello ,

I would like to unify port configuration for all access (users) ports on my network. In our enterprise we have PC users(laptops and workstations) and devices like phones,printers etc.

Is it possible to configure all ports on hp switches the same way and later manage only MAC and 802.1x policies on Radius Server.

Also I have Radius server ready for deployment.

Regards,
Alexey

Re: MAC & 802.1x on the same network

MichaelvLonden — Wed, 21 Apr 2010 06:25:39 GMT

Hello Alexey,

I used this configuration to authenticate a PC with 802.1X behind IP Phone.
The IP Phone used MAC authentication.

In the Radius server I allowed the vendor code of our Avaya phones for MAC authentication.

I used K.14.47

radius-server host 172.16.1.50
aaa server-group radius "UAC" host 172.16.1.50
aaa authentication port-access eap-radius server-group "UAC"
aaa port-access authenticator B1
aaa port-access authenticator active
aaa port-access mac-based B1

By default a Procurve switch has a limit of 32 clients:
aaa port-access authenticator B1 client-limit 2

This command is necessary if you want to use Wakeup-on-lan:
aaa port-access B1 controlled-direction in

This command is necessary if you want to use
multiple authentication methods
aaa port-access B1 mixed

I hope the answers your question.

Regards,
Michael

Re: MAC & 802.1x on the same network

Fishka — Wed, 21 Apr 2010 08:11:37 GMT

Thanks for your replay.

Do I right understand that in this way in this configuration I will have the same configuration for all ports and 802.1x and MAC authentication simultaneously.

Is your radius server Juniper UAC? I have it also.

Regards,
Alexey

Re: MAC & 802.1x on the same network

MichaelvLonden — Wed, 21 Apr 2010 16:26:40 GMT

Hello Alexey,

Yes, it is possible for all other ports.
I did a proof-of-concept (POC) with Juniper and the Odyssey client.
On Windows XP SP3 machine we did machine authentication and user authentication.
We also did machine authentication with Apple, but this was not with the Odyssey client.

We also going to do a POC with HP IDM and MS NAP.

Kind regards,
Michael

Re: MAC & 802.1x on the same network

Fishka — Thu, 22 Apr 2010 18:05:19 GMT

Michael,
I tried to setup the same config on my 2610 switches and had some problems.
My UAC server successfully assign Phone to VLAN but Phone can't communicate via VOIP VLAN.

Also it's strange that port become down.

sh vlans 200

Status and Counters - VLAN Information - Ports - VLAN 200

VLAN ID : 200
Name : Voice
Status : Port-based
Voice : Yes
Jumbo : No

Port Information Mode Unknown VLAN Stat
---------------- -------- ------------
25 WEBMAC Learn Down
26 Tagged Learn Up

Overridden Port VLAN configuration

Port Mode
---- ------------
25 No

Here is log details :

04/22/10 22:47:18 ports: port 25 is now off-line
I 04/22/10 22:49:26 ports: port 25 is Blocked by AAA

Regards,
Alexey

Re: MAC & 802.1x on the same network

MichaelvLonden — Fri, 23 Apr 2010 10:23:57 GMT

Hi Alexey,

in Infranet Controller I defined a MAC based policy that allowed MAC addresses starting with the vendor code of Avaya phones.

Voice vlans are tagged static vlans and set by Radius.

IP phone boot using LLDP and DHCP option 242 to get their configuration.

Kind regards,
Michael

Re: MAC & 802.1x on the same network

Fishka — Mon, 07 Jun 2010 13:57:26 GMT

Michael,
Thanks for your replays again but I'm still one the same point as several month ago.

1). mixed option is not valid for my hp2610 switches.

2). I don't understand how I can have two vlans (1 - avaya phone, 2 - Users 802.1x) on the same port. It is possible only if VOIP vlan will be tagged. Right?

My question is : How I can configure J-UAC to say to switch when it detects IPPhone to add VOIP VLAN as tagged? And then I will authenticate users via 802.1x and and secure VLAN as untagged.

I don't want to add to all port VOIP vlan as tagged. I need to add assign ALL VLANs(VOIP,USER) dynamically. Is it possible?

Sorry for my English.

Regards,
Alexey