06-14-2017 01:25 AM
802.1x and radius failure
Hi Forum,
I set up 802.1x with several switches and a Radius (ACS).
All the config is OK; I have a mac-based auth and also an EAP auth with user-based control.
In case of success, the Radius gives the correct VLAN, so I don't use "auth-vid".
An extract of the config:
------
radius-server host X.X.X.X key "X.X.X.X"
vlan 3
name "USERS"
untagged 20
no ip address
exit
vlan 98
name "FALLBACK"
no ip address
exit
vlan 99
name "VOICE"
tagged 20
no ip address
voice
exit
aaa port-access authenticator 20
aaa port-access authenticator 20 client-limit 3
aaa port-access authenticator active
aaa port-access mac-based 20
aaa port-access mac-based 20 addr-limit 3
------
I have 3 scenarios:
- PC directly connected to a switch --> the Radius sends untagged VLAN 3
- Phone directly connected to a switch --> the Radius sends "trust the voice VLAN config" (so VLAN 99 tagged)
- Phone with a PC --> the Radius sends "trust the voice VLAN config" (so VLAN 99 tagged) + untagged VLAN 3
My issue is simple: in case of a network failure, the Radius can be down for several reasons.
I want to have a fallback with an untagged VLAN AND a tagged VLAN.
With this command, if the Radius is not reachable, the switch will put the port (20) in my voice VLAN, so the phone works. In this case, the computer is also on VLAN 99 (untagged):
aaa port-access mac-based 20 unauth-vid 99
I can't find whether it is possible to have, in case of a Radius failure, the untagged VLAN + the tagged VLAN.
I'm running on a 2530 with YB.16.01.0007.
Regards,
06-14-2017 02:39 AM
Re: 802.1x and radius failure
Hi Nico31,
You have missed an important command in global config:
"aaa authentication port-access eap-radius"
The other configuration looks fine so far.
To your question:
You are right that unauth-vid puts the untagged port in 99. I think that the tagged VLAN still stays on this port regardless. You can use "aaa port-acc auth unauth-vid" if you also want clients rejected by the Radius server to join this VLAN.
I'm not 100% sure whether the tagged VLAN stays on the port, but I'm curious and will probably test it today.
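As an added audit example (not code from anyone in this thread, and not an HPE tool): a small Python script that parses a ProVision-style config extract like the one posted above and reports how each port-access port behaves when RADIUS is unreachable: ports with no unauth-vid at all, an unauth-vid that drops data clients untagged into the voice VLAN (the situation in the question), an unauth-vid pointing at a VLAN shared with other ports, and a missing "aaa authentication port-access eap-radius" line (reported as informational, mirroring the reply above). The sample config is constructed from the thread's extract with a placeholder RADIUS address and key, and the parser assumes the running-config layout shown in the question (one "vlan N" block per VLAN closed by "exit").

```python
"""Audit 802.1X / MAC-auth fallback settings in a ProVision-style config extract.
Constructed example for this thread; the sample config below is derived from the
question's extract with placeholder RADIUS values."""
import re

# Constructed sample: the thread's extract plus the unauth-vid line under discussion.
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10 key "PLACEHOLDER-KEY"
vlan 3
   name "USERS"
   untagged 20
   no ip address
   exit
vlan 98
   name "FALLBACK"
   no ip address
   exit
vlan 99
   name "VOICE"
   tagged 20
   no ip address
   voice
   exit
aaa port-access authenticator 20
aaa port-access authenticator 20 client-limit 3
aaa port-access authenticator active
aaa port-access mac-based 20
aaa port-access mac-based 20 addr-limit 3
aaa port-access mac-based 20 unauth-vid 99
"""

def expand_ports(spec):
    """Expand a port list such as '1-3,20' into {'1','2','3','20'}.
    Non-numeric port names (e.g. 'A1') are kept as single tokens."""
    ports = set()
    for tok in spec.split(","):
        tok = tok.strip()
        m = re.fullmatch(r"(\d+)-(\d+)", tok)
        if m:
            ports.update(str(p) for p in range(int(m.group(1)), int(m.group(2)) + 1))
        elif tok:
            ports.add(tok)
    return ports

def parse_vlans(config):
    """Return {vid: {'name', 'untagged', 'tagged', 'voice'}} from 'vlan N' blocks."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": None, "untagged": set(), "tagged": set(), "voice": False}
            continue
        if current is None:
            continue
        if line == "exit":
            current = None
        elif line.startswith("name "):
            vlans[current]["name"] = line[5:].strip().strip('"')
        elif line.startswith("untagged "):
            vlans[current]["untagged"] |= expand_ports(line[9:])
        elif line.startswith("tagged "):
            vlans[current]["tagged"] |= expand_ports(line[7:])
        elif line == "voice":
            vlans[current]["voice"] = True
    return vlans

AAA_ENABLE = re.compile(r"aaa port-access (authenticator|mac-based) (\S+)")
AAA_UNAUTH = re.compile(r"aaa port-access (authenticator|mac-based) (\S+) unauth-vid (\d+)")

def parse_port_access(config):
    """Return (enabled {(method, port)}, unauth {(method, port): vid}, eap_radius bool)."""
    enabled, unauth, eap_radius = set(), {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa authentication port-access eap-radius":
            eap_radius = True
            continue
        m = AAA_UNAUTH.fullmatch(line)
        if m:
            for port in expand_ports(m.group(2)):
                unauth[(m.group(1), port)] = int(m.group(3))
            continue
        m = AAA_ENABLE.fullmatch(line)
        if m and m.group(2) != "active":  # "authenticator active" is the global enable, not a port
            for port in expand_ports(m.group(2)):
                enabled.add((m.group(1), port))
    return enabled, unauth, eap_radius

def audit(config):
    """Return a list of (severity, port, message) findings about RADIUS-down fallback."""
    vlans = parse_vlans(config)
    enabled, unauth, eap_radius = parse_port_access(config)
    findings = []
    if not eap_radius:
        findings.append(("info", "-", "no 'aaa authentication port-access eap-radius' line; relying on the default"))
    for method, port in sorted(enabled):
        vid = unauth.get((method, port))
        if vid is None:
            findings.append(("warn", port, f"{method}: no unauth-vid, clients stay blocked when RADIUS is unreachable"))
            continue
        vlan = vlans.get(vid)
        others = (vlan["untagged"] | vlan["tagged"]) - {port} if vlan else set()
        if vlan is None:
            findings.append(("error", port, f"{method}: unauth-vid {vid} is not a configured VLAN"))
        elif vlan["voice"]:
            findings.append(("warn", port, f"{method}: unauth-vid {vid} ({vlan['name']}) is the voice VLAN; data clients fall back untagged into it"))
        elif others:
            findings.append(("warn", port, f"{method}: unauth-vid {vid} ({vlan['name']}) is shared with ports {sorted(others)}"))
        else:
            findings.append(("ok", port, f"{method}: unauth-vid {vid} ({vlan['name']}) is an isolated fallback VLAN"))
    return findings

if __name__ == "__main__":
    for sev, port, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] port {port}: {msg}")
```

Run against the sample, the script flags that the authenticator on port 20 has no fallback at all and that the mac-based fallback lands clients in the voice VLAN; pointing both unauth-vid lines at the otherwise unused VLAN 98 ("FALLBACK") from the extract makes both findings "ok". The script only reads the config; it cannot tell whether the tagged voice VLAN stays on the port during fallback, which is the open question in the thread.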
06-14-2017 11:35 PM
Re: 802.1x and radius failure
Hi,
It works without "aaa authentication port-access eap-radius". I don't know what the default for "aaa authentication port-access" is (local, EAP or CHAP), but I believe it could be EAP, since my requests reach my Radius server ;)
I'm not sure about the tagged VLAN either. I ran the test differently: untagged Users VLAN (3 here) and tagged Voice (99 here), which was the config before dot1x, but the phone is giving me a TFTP error with dot1x.
02-02-2018 11:04 PM
Re: 802.1x and radius failure
I am facing the same issue, can HP please help here?
02-03-2018 05:04 AM
Re: 802.1x and radius failure
I added a mac-group for MAC authentication, only for VoIP phones.
aaa port-access local-mac mac-group "voip"
Below is the link for the full explanation.
I'll be happy to answer other questions on it.