802.1x and radius failure

 
Nico31
Visitor

Hi Forum,

I set up 802.1x with several switches and a Radius (ACS).

All the config is ok: I have a mac-based auth and also an EAP auth with user-based control.

In case of success, the Radius gives the correct vlan, so I don't use "auth-vid".

An extract of the config:

------
radius-server host X.X.X.X key "X.X.X.X"
vlan 3
   name "USERS"
   untagged 20
   no ip address
   exit
vlan 98
   name "FALLBACK"
   no ip address
   exit
vlan 99
   name "VOICE"
   tagged 20
   no ip address
   voice
   exit
aaa port-access authenticator 20
aaa port-access authenticator 20 client-limit 3
aaa port-access authenticator active
aaa port-access mac-based 20
aaa port-access mac-based 20 addr-limit 3
------

I have 3 scenarios:

- PC directly connected to a switch --> the Radius sends untagged vlan 3

- Phone directly connected to a switch --> the Radius sends the instruction to trust the voice vlan config (so vlan 99 tagged)

- Phone with a PC --> the Radius sends the instruction to trust the voice vlan config (so vlan 99 tagged) + untagged vlan 3

 

My issue is simple: in case of a network failure, the Radius can be down for several reasons.

I want to have a fallback with an untagged vlan AND a tagged vlan.

With this command, if the radius is not reachable, the switch puts the port (20) in my voice vlan, so the phone works. In this case, the computer is also on vlan 99 (untagged):

aaa port-access mac-based 20 unauth-vid 99

I can't find out whether it is possible to have, in case of a Radius failure, the untagged vlan + the tagged vlan.

I'm running on a 2530 with YB.16.01.0007.

 

Regards,

 
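The three success cases in the post depend on the RADIUS server telling the switch which VLAN is tagged and which is untagged. As an added illustration that is not part of Nico31's post or of his ACS configuration, the block below shows the standard RFC 4675 encoding of that information (Egress-VLANID, attribute 56, and Egress-VLAN-Name, attribute 58) together with a small attribute parser that summarises what a port ends up carrying; that the ACS uses these attributes rather than a vendor-specific one is my assumption, and the attribute sets for the three scenarios are constructed here. The fallback in the question, unauth-vid, carries no such tagged/untagged indication: it takes a single VLAN id, which is the limit the question runs into.

```python
"""
Added example (not from the thread): RFC 4675 Egress-VLANID / Egress-VLAN-Name
encoding, plus a parser that reports which VLANs a RADIUS Access-Accept would
add to a port as tagged or untagged. Scenario attribute sets are constructed
to mirror the three cases in the post; that the ACS uses these attributes is
an assumption.
"""
import struct

ATTR_EGRESS_VLANID = 56       # RFC 4675, integer attribute
ATTR_EGRESS_VLAN_NAME = 58    # RFC 4675, string attribute
TAG_TAGGED = 0x31             # ASCII '1' = egress tagged
TAG_UNTAGGED = 0x32           # ASCII '2' = egress untagged


def encode_egress_vlanid(vid: int, tagged: bool) -> bytes:
    """Tag indication (8 bits) | pad (12 bits, zero) | VLAN ID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"invalid VLAN id {vid}")
    tag = TAG_TAGGED if tagged else TAG_UNTAGGED
    return struct.pack("!I", (tag << 24) | vid)


def decode_egress_vlanid(raw: bytes) -> tuple:
    """Return (vid, tagged); reject bad tag byte, non-zero pad or bad VID."""
    if len(raw) != 4:
        raise ValueError("Egress-VLANID must be 4 bytes")
    (value,) = struct.unpack("!I", raw)
    tag, pad, vid = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if pad != 0 or tag not in (TAG_TAGGED, TAG_UNTAGGED) or not 1 <= vid <= 4094:
        raise ValueError(f"malformed Egress-VLANID 0x{value:08x}")
    return vid, tag == TAG_TAGGED


def encode_egress_vlan_name(name: str, tagged: bool) -> bytes:
    """First character '1' = tagged, '2' = untagged, then the VLAN name."""
    return (b"1" if tagged else b"2") + name.encode("ascii")


def decode_egress_vlan_name(raw: bytes) -> tuple:
    """Return (name, tagged) for a well-formed Egress-VLAN-Name value."""
    if len(raw) < 2 or raw[0] not in (TAG_TAGGED, TAG_UNTAGGED):
        raise ValueError("malformed Egress-VLAN-Name")
    return raw[1:].decode("ascii"), raw[0] == TAG_TAGGED


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, incl. header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_avps(blob: bytes):
    """Yield (type, value) pairs; reject truncated or zero-length TLVs."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def egress_vlans(accept_attrs: bytes) -> dict:
    """Summarise which VLANs the port would carry, split by tagging mode."""
    result = {"untagged": [], "tagged": []}
    for attr_type, value in parse_avps(accept_attrs):
        if attr_type == ATTR_EGRESS_VLANID:
            vid, tagged = decode_egress_vlanid(value)
            result["tagged" if tagged else "untagged"].append(vid)
        elif attr_type == ATTR_EGRESS_VLAN_NAME:
            name, tagged = decode_egress_vlan_name(value)
            result["tagged" if tagged else "untagged"].append(name)
    return result


# Constructed attribute sets for the post's three scenarios. With per-client
# authentication each device gets its own Access-Accept; "phone_and_pc" is the
# union the port ends up carrying.
SCENARIOS = {
    "pc": avp(ATTR_EGRESS_VLANID, encode_egress_vlanid(3, tagged=False)),
    "phone": avp(ATTR_EGRESS_VLAN_NAME, encode_egress_vlan_name("VOICE", tagged=True)),
    "phone_and_pc": avp(ATTR_EGRESS_VLANID, encode_egress_vlanid(3, tagged=False))
    + avp(ATTR_EGRESS_VLAN_NAME, encode_egress_vlan_name("VOICE", tagged=True)),
}

if __name__ == "__main__":
    for scenario, attrs in SCENARIOS.items():
        print(f"{scenario:13s} -> {egress_vlans(attrs)}")
```

Running the module prints the untagged/tagged split for each scenario; the decoders deliberately refuse a non-zero pad field or an unknown tag byte, so a switch-side implementation built the same way would drop a malformed attribute rather than guess at a VLAN.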

Linkk
Frequent Advisor

Re: 802.1x and radius failure

Hi Nico31,

You have missed an important command in global config:
"aaa authentication port-access eap-radius"
The other configuration looks fine so far.

To your question:
You are right that unauth-vid puts the port untagged in 99. I think that the tagged VLAN still stays on this port regardless. You can use "aaa port-acc auth unauth-vid" if you also want clients rejected by the Radius server to join this VLAN.

I'm not 100% sure if the tagged vlan stays on the port, but I'm curious and will test it probably today.

Nico31
Visitor

Re: 802.1x and radius failure

Hi,

It works without "aaa authentication port-access eap-radius". I don't know what the default is for "aaa authentication port-access" (Local, EAP or CHAP), but I believe it could be eap, as my request reaches my radius server ;)

I'm not sure about the tagged vlan either. I ran the test differently: untagged Users vlan (3 here) and tagged voice (99 here). It was the config before dot1x, but the phone gives me a TFTP error with dot1x.

nileshkahar
Occasional Visitor

Re: 802.1x and radius failure

I am facing the same issue, can HP please help here?

nileshkahar
Occasional Visitor

Re: 802.1x and radius failure

I added a mac-group for mac authentication only for VoIP phones.

aaa port-access local-mac mac-group "voip"

Below is the link to the full explanation.

http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8150_access_security_guide/content/index.html

Will be happy to answer other questions on it.