802.1X Dynamic VLAN Compatibility

msilveirabr — Sun, 12 Feb 2017 15:51:17 GMT

Hi all!

I'd like a simple answer from HP: Which Switch series has the capability to set dynamic vlan assignment in 802.1X?

Procurve series only? ( I'm inclined to believe "any" procurve is able to do this )

I've been trying to get it working with OfficeConnect series ( HP1910/1920 series and 3COM 2829 series ).

I get the authentication to work, the Guest and Auth-Fail VLANs working correctly.

I'm using FreeRADIUS server ( simple setup, testing purpose at the moment ), here's my user for trying to assign VLAN100 once authenticated:

vlan100 Cleartext-Password := "@vlan100"
            3Com-VLAN-Name = VLANTEST100,
           HP-Egress-VLAN-Name = VLANTEST100,
            HP-Egress-VLANID = 100,
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 100,
            Egress-VLAN-Name = VLANTEST100,
            Egress-VLANID = 100,
            3Com-User-Access-Level = 3Com-Administrator

I'm looking for second hand, cheap Switches capable of this feature, for my home office lab and I found these modesl ( cheapest first ):

HP Procurve A3100 - Jd317a
Hp Procurve Switch 2650 - J4899c
HP Procurve 1410 - J9561a
Hp Procurve E2510g - J9279a

I'm inclined to buy J9279a... I thinks it's the best money for the bucket. I just want the one with the most features of all series above, including the VLAN assignment function.

Thanks in advance!

Re: 802.1X Dynamic VLAN Compatibility

msilveirabr — Tue, 14 Feb 2017 02:34:29 GMT

Well....

It turns out it was needed to fine tune freeradius....

Example of working user:

vlan15 Cleartext-Password := "@vlan15"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 15

in /etc/raddb/eap.conf:

Into eap/peap, changed use_tunneled_reply = no to use_tunneled_reply = yes

In /etc/raddb/default and /etc/raddb/inner-tunnel ( not sure if this is really required ):

# eap {
# ok = return
# }
eap

And it is working with V1910 both 3com brand SFP Plus and HP brand

I've managed to get Windows to authenticate/work correctly as well as my OpenWRT setup.

My linux box ( Fedora24 ) isn't very happy yet, I still have to debug the issues with TLS.

topic 802.1X Dynamic VLAN Compatibility in Security e-Series

802.1X Dynamic VLAN Compatibility

Re: 802.1X Dynamic VLAN Compatibility