https://community.hpe.com/t5/switches-hubs-and-modems/bug-procurve-switch-2510g-48-dhcp-problem-with-802-1x/m-p/4792150#M26070 Hello,<BR /><BR />It's a good idea, but I don't find any Y 11.18 version on the ProCurve website (<A href="https://h10145.www1.hp.com/Downloads/SoftwareReleases.aspx?ProductNumber=J9280A" target="_blank">https://h10145.www1.hp.com/Downloads/SoftwareReleases.aspx?ProductNumber=J9280A</A>〈=en,en&amp;cc=us,us&amp;prodSeriesId=3356807)<BR /><BR />Any advise welcome<BR /><BR />Regards<BR /><BR />André<BR /> Fri, 27 May 2011 12:26:14 GMT SysCo al 2011-05-27T12:26:14Z https://community.hpe.com/t5/switches-hubs-and-modems/bug-procurve-switch-2510g-48-dhcp-problem-with-802-1x/m-p/4792148#M26068 Hello,<BR /><BR />Here is the problem:<BR /><BR />Material: ProCurve Switch 2510G-48<BR />Firmware: 11/17/09 Y.11.16<BR /><BR />We want to have 802.1X VLAN authentication, and if no authentication is correct, we want to have a public VLAN.<BR /><BR />Here is the configuration:<BR /><BR />vlan 1<BR /> name "DEFAULT_VLAN"<BR /> no ip address<BR /> no untagged 1-48<BR /> exit<BR />vlan 2<BR /> name "PUBLIC_VLAN"<BR /> no ip address<BR /> exit<BR />vlan 3<BR /> name "PRIVATE_VLAN"<BR /> untagged 1-48<BR /> ip address 192.168.3.1 255.255.255.0<BR /> exit<BR /><BR />aaa authentication port-access eap-radius<BR />radius-server host 192.168.3.2 key mysecretkey<BR />primary-vlan 3<BR />aaa port-access authenticator 1<BR />aaa port-access authenticator 1 auth-vid 3<BR />aaa port-access authenticator 1 unauth-vid 2<BR />aaa port-access authenticator active<BR /><BR />Let's do the test on port 1. Once authentication is done and ok (VLAN 3), the DHCP Discovery broadcasted packet is sent (and received by the DHCP server in the VLAN 3), but the DHCP Offer broadcasted answer packet is never going back to the machine.<BR /><BR />If we are not authenticated (VLAN 2), everything is working fine, the second DHCP in the VLAN 2 receive the Discovery, send the Offer, receive the Request and send the Acknoledgement packet.<BR /><BR />If we connect the machine to the port 2 (always on VLAN 3), the DHCP protocol is working well with the DHCP server in the VLAN 3.<BR /><BR />After sniffing everything in any directions, we discovered that ALL broadcast traffic is never going through an authenticated port, BUT this only if the authenticated port is in the same VLAN as the switch management VLAN ! We didn't find any filter that can be removed or setup.<BR /><BR />Any suggestion welcome, we have spend hours and hours in our configuration, but this is for sure a bug, not a configuration problem.<BR /><BR />Does anybody have a success to do a 802.1X authentication with working DHCP IP distribution in the VLAN of the managed switch with this firmware 11/17/09 Y.11.16 ?<BR /><BR />We have tried downgrading to version 11.12 and it works ! But as a lot of other stuffs have been fixed in 11.16, we would be happy to have a new fixed release for our brand new switch (bought a few weeks ago).<BR /><BR />Thanks in advance for your support.<BR /><BR />Regards,<BR /><BR />André<BR /> Wed, 25 May 2011 16:41:27 GMT https://community.hpe.com/t5/switches-hubs-and-modems/bug-procurve-switch-2510g-48-dhcp-problem-with-802-1x/m-p/4792148#M26068 SysCo al 2011-05-25T16:41:27Z https://community.hpe.com/t5/switches-hubs-and-modems/bug-procurve-switch-2510g-48-dhcp-problem-with-802-1x/m-p/4792149#M26069 upgrade your switch y.11.18 Fri, 27 May 2011 12:00:08 GMT https://community.hpe.com/t5/switches-hubs-and-modems/bug-procurve-switch-2510g-48-dhcp-problem-with-802-1x/m-p/4792149#M26069 cenk sasmaztin 2011-05-27T12:00:08Z https://community.hpe.com/t5/switches-hubs-and-modems/bug-procurve-switch-2510g-48-dhcp-problem-with-802-1x/m-p/4792150#M26070 Hello,<BR /><BR />It's a good idea, but I don't find any Y 11.18 version on the ProCurve website (<A href="https://h10145.www1.hp.com/Downloads/SoftwareReleases.aspx?ProductNumber=J9280A" target="_blank">https://h10145.www1.hp.com/Downloads/SoftwareReleases.aspx?ProductNumber=J9280A</A>〈=en,en&amp;cc=us,us&amp;prodSeriesId=3356807)<BR /><BR />Any advise welcome<BR /><BR />Regards<BR /><BR />André<BR /> Fri, 27 May 2011 12:26:14 GMT https://community.hpe.com/t5/switches-hubs-and-modems/bug-procurve-switch-2510g-48-dhcp-problem-with-802-1x/m-p/4792150#M26070 SysCo al 2011-05-27T12:26:14Z https://community.hpe.com/t5/switches-hubs-and-modems/bug-procurve-switch-2510g-48-dhcp-problem-with-802-1x/m-p/4792151#M26071 Yes, contact Procurve support and request the latest software for your switch. Also request the associated release notes, which they probably won't provide by default. You should see many AAA/802.1x related bug fixes. It appears they are not publicly posting switch software that only contains bug fixes, just new features.<BR /><BR />Another thought is, I beleive this line of your config is redundant:<BR />aaa port-access authenticator 1 auth-vid 3<BR /><BR />You have already set port 1 as untagged on VLAN 3. It should work, but I would try removing it to see if it has any impact. Fri, 27 May 2011 14:40:10 GMT https://community.hpe.com/t5/switches-hubs-and-modems/bug-procurve-switch-2510g-48-dhcp-problem-with-802-1x/m-p/4792151#M26071 Steve Woodward_2 2011-05-27T14:40:10Z https://community.hpe.com/t5/switches-hubs-and-modems/bug-procurve-switch-2510g-48-dhcp-problem-with-802-1x/m-p/4792152#M26072 Thanks for the advise, ticket opened by ProCurve support.<BR /><BR />Regards,<BR /><BR />Andre Mon, 30 May 2011 19:49:04 GMT https://community.hpe.com/t5/switches-hubs-and-modems/bug-procurve-switch-2510g-48-dhcp-problem-with-802-1x/m-p/4792152#M26072 SysCo al 2011-05-30T19:49:04Z