802.1x Multiple-auth with different Vlans

ghel
Occasional Contributor

802.1x Multiple-auth with different Vlans

Hi,

we have a Procurve 5412zl (J8698A) switch. I managed to implement 802.1x authentication successfully. I am using Mac-Based authentication for printers, phones, DECT stations and WiFi APs, and User-Based authentication for the users.

Now we have 10-15 unmanaged dumb desktop switches in some offices. Unfortunately not all users connected to those dumb switches are from the same department, which means each needs to be authenticated to get the correct Vlan, which doesn't work with these dumb switches, so I started playing around with a managed, Vlan- and 802.1x-capable switch as a replacement for the unmanaged dumb switch. The new switch is connected to the Procurve 5412zl (J8698A) over a port which can do both Mac-Based and User-Based authentication; the new switch is authenticated over its Mac address. I enabled the 802.1x feature on the new switch, but unfortunately I couldn't authenticate at all; the request to freeradius is accepted and the Access-Accept is sent to the client.

On the Procurve 5412zl (J8698A) no Vlan is tagged on this specific port, only the Vlan of the switch is untagged. When I connect to HP port directly it works as expected for all devices, but not with the other switch in between.

I don't know what I am missing here!

We have a ring topology and the HP switch is not the core switch.

Is the Procurve 5412zl (J8698A) capable of making this scenario possible?

How can I authenticate one user, or multiple users with different Vlans?

Best

1 REPLY
ghel
Occasional Contributor

Re: 802.1x Multiple-auth with different Vlans

Hi,

No idea here? Once I connect the Unifi switch it gets authenticated with its Mac address and Vlan 2 is untagged on the port of the HP switch:


switch-north1(config)# show vlans ports a18

 Status and Counters - VLAN Information - for ports A18

  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  2       NetworkComponents                | Port-based No    No   


When I try to connect with 802.1x with my client I see the following message in the logging of the Unifi switch:

UBNT daemon.notice switch: TRAPMGR: Link Up: 0/4
UBNT daemon.notice switch: DOT1X: Dot1x Authenticated Successfully

The logging of the HP switch doesn't show anything.

I tried on the Procurve 5412zl (J8698A) the following:

  • tagging the vlan (vlan 10) on port A18 and then:
    aaa port-access authenticator A18
    aaa port-access authenticator A18 client-limit 2
    aaa port-access mac-based A18
    aaa port-access mac-based A18 addr-limit 2
  • I tried it the other way around:
    aaa port-access authenticator A18
    aaa port-access authenticator A18 client-limit 2
    aaa port-access mac-based A18
    aaa port-access mac-based A18 addr-limit 2
    aaa authentication allow-vlan tagged
    vlan 10 tagged A18
  • I tried it with:
    aaa port-access A18 mixed


Unfortunately nothing worked and I couldn't authenticate the user. Without the intermediate switch everything works as expected, and I have to use at least 5 intermediate switches. I am also able to use the HP 1820-8G switch instead of the Unifi if it would help.

I would be happy for any hint here.

Thanks
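One check that helps when debugging a multi-auth port like A18 above is to compare the VLANs a RADIUS server may hand back in its Access-Accept (the Tunnel-Private-Group-Id attribute used for dynamic VLAN assignment) with the VLANs that actually exist on the uplink port according to `show vlans ports`. The script below is an added example written for this thread, not code from the poster or from HPE; the `show vlans ports` text, the client names and the RADIUS reply attributes are constructed sample data modelled on the format shown in the post, and only numeric VLAN IDs are handled (FreeRADIUS can also return a VLAN name, which this check simply reports as unassigned).

```python
"""Compare the VLAN IDs that RADIUS assigns to authenticated clients with the
VLANs present on a ProVision switch port, and report the ones that are missing.

Added example for the thread above; all data below is constructed.
"""
import re
from typing import Dict, Optional

# Constructed sample of `show vlans ports A18`, modelled on the output in the
# thread, with one extra VLAN added so that the comparison has a hit and a miss.
SHOW_VLANS_PORTS = """\
 Status and Counters - VLAN Information - for ports A18

  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  2       NetworkComponents                | Port-based No    No
  10      Users                            | Port-based No    No
"""

# Constructed RADIUS reply attributes, one dict per client, in the shape a
# FreeRADIUS `users` entry produces for dynamic VLAN assignment (RFC 3580):
# Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = <id>.
RADIUS_REPLIES = {
    "alice": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
              "Tunnel-Private-Group-Id": "10"},
    "bob":   {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
              "Tunnel-Private-Group-Id": "30"},
    # MAC-authenticated device with no VLAN attributes: stays in the port VLAN.
    "printer-aa:bb:cc": {},
}

# One table row: "<id>   <name>   | <status> ..."; header and separator rows
# do not start with a digit, so they never match.
ROW = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*\|\s*(\S+)")


def parse_port_vlans(text: str) -> Dict[int, str]:
    """Return {vlan_id: name} for every VLAN row in the show output."""
    vlans: Dict[int, str] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlans[int(m.group(1))] = m.group(2)
    return vlans


def assigned_vlan(reply: Dict[str, str]) -> Optional[int]:
    """VLAN ID requested by a RADIUS reply, or None if it carries none.

    All three tunnel attributes must be present and consistent; a reply that
    only names a VLAN without Tunnel-Type/Tunnel-Medium-Type is ignored by
    the switch as well, so it is treated as 'no assignment' here.
    """
    if reply.get("Tunnel-Type") != "VLAN":
        return None
    if reply.get("Tunnel-Medium-Type") != "IEEE-802":
        return None
    gid = reply.get("Tunnel-Private-Group-Id", "")
    return int(gid) if gid.isdigit() else None


def missing_vlans(show_text: str, replies: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Map client -> assigned VLAN ID for every client whose VLAN is absent
    from the port, i.e. every client the switch could not place."""
    on_port = parse_port_vlans(show_text)
    missing: Dict[str, int] = {}
    for client, reply in replies.items():
        vid = assigned_vlan(reply)
        if vid is not None and vid not in on_port:
            missing[client] = vid
    return missing


if __name__ == "__main__":
    print("VLANs on port:", parse_port_vlans(SHOW_VLANS_PORTS))
    for client, vid in missing_vlans(SHOW_VLANS_PORTS, RADIUS_REPLIES).items():
        print(f"{client}: RADIUS assigns VLAN {vid}, which is not on the port")
```

Run against the real output from the thread (only VLAN 2 on A18), every client whose Access-Accept carries a VLAN ID other than 2 is reported, which is the situation to rule out before looking at the authenticator settings on the intermediate switch. Note that `show vlans ports` without `detail` lists membership only; whether a VLAN is tagged or untagged on the port has to be read from the port's VLAN configuration separately.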