08-10-2016 02:24 AM
Allow tagged vlans for unauthorized devices on port
Hi there,
I'm curious if it is possible to allow tagged vlan traffic on a port, on which 802.1x is configured and on which the client is not 802.1x capable...
Example config for the port:
interface 1/1
tagged vlan 40
aaa port-access authenticator
aaa port-access authenticator auth-vid 50
aaa port-access authenticator unauth-vid 100
spanning-tree bpdu-protection
loop-protect
exit
The client, which is not 802.1X capable, should be able to get into VLAN 40 with its tagged traffic.
Is this possible? I've tried it, but it is not working... I always end up in VLAN 100 and I'm not able to do anything in VLAN 40. Is this simply not possible, or is there something I'm missing?
08-10-2016 06:08 AM - edited 08-10-2016 06:09 AM
Re: Allow tagged vlans for unauthorized devices on port
Do you mean to allow a tagged VLAN for unsupported (not unauthorized) devices that are present on that IEEE 802.1X-enabled port?
From what you wrote it seems that unauthorized devices will still be managed into VLAN 100, and you want unsupported devices (not 802.1X-capable clients) to be managed into VLAN 40 instead.
Is that right? If so, the thread title is a little bit confusing.
Apparently it looks similar to Cisco 802.1X with Guest VLANs...
I'm not an HPE Employee
08-10-2016 06:32 AM - edited 08-10-2016 06:38 AM
Re: Allow tagged vlans for unauthorized devices on port
Don't know in ProVision based Switches...but in Comware 7 based Switches (and also in Comware 5) there should be a command (the dot1x guest-vlan) that could be what you're looking for:
dot1x guest-vlan
Use dot1x guest-vlan to configure an 802.1X guest VLAN for the specified or all ports. A guest VLAN on a port accommodates users who have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
Use undo dot1x guest-vlan to remove the 802.1X guest VLAN on the specified or all ports.
Syntax
In system view:
dot1x guest-vlan guest-vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
In Layer 2 Ethernet interface view:
dot1x guest-vlan guest-vlan-id
undo dot1x guest-vlan
Default
No 802.1X guest VLAN is configured on a port.
Views
System view, Layer 2 Ethernet interface view
Default command level
2: System level
Parameters
guest-vlan-id: Specifies the ID of the VLAN to be specified as the 802.1X guest VLAN, in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see "Layer 2—LAN Switching Configuration Guide".
interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type. If no interface is specified, you configure an 802.1X guest VLAN for all Layer 2 Ethernet ports.
Usage guidelines
You must enable 802.1X for an 802.1X guest VLAN to take effect. To have the 802.1X guest VLAN take effect, complete the following tasks:
* Enable 802.1X both globally and on the interface.
* If the port performs port-based access control, enable the 802.1X multicast trigger function.
* If the port performs MAC-based access control, configure the MAC-based VLAN function on the port.
When you change the access control method from MAC-based to port-based on a port that carries a guest VLAN, the mappings between MAC addresses and the 802.1X guest VLAN are removed. You can use the display mac-vlan command to display MAC-to-VLAN mappings. When you change the access control method from port-based to MAC-based on a port that is in a guest VLAN, the port is removed from the guest VLAN.
To delete a VLAN that has been configured as a guest VLAN, you must first remove the guest VLAN configuration.
You can configure both an Auth-Fail VLAN and an 802.1X guest VLAN on a port.
Examples
# Specify VLAN 999 as the 802.1X guest VLAN for port GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] dot1x guest-vlan 999 interface gigabitethernet 1/0/1
# Specify VLAN 10 as the 802.1X guest VLAN for ports GigabitEthernet 1/0/2 to GigabitEthernet 1/0/5.
<Sysname> system-view
[Sysname] dot1x guest-vlan 10 interface gigabitethernet 1/0/2 to gigabitethernet 1/0/5
# Specify VLAN 7 as the 802.1X guest VLAN for all ports.
<Sysname> system-view
[Sysname] dot1x guest-vlan 7
# Specify VLAN 3 as the 802.1X guest VLAN for port GigabitEthernet 1/0/7.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/7
[Sysname-GigabitEthernet1/0/7] dot1x guest-vlan 3
and that is similar to the Cisco authentication event no-response action authorize vlan vlan-id (look for section "Configuring 802.1X with Guest VLANs" on the "Configuring 802.1X Port-Based Authentication" Chapter of a recent Cisco IOS Software Configuration Guide).
On Cisco, IEEE 802.1X with Guest VLANs seems closer to what you are looking for, since it is used "to enable non-802.1X-capable hosts to access networks that use 802.1X authentication."
I'm not an HPE Employee
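The interface-list grammar quoted above is easy to get wrong when scripting a guest-VLAN rollout across many ports. As an added example (not code from the original post, and not an HPE tool), this Python validator checks dot1x guest-vlan arguments against the rules the quoted reference states: VLAN ID in 1 to 4094, 1 to 10 entries, a range start smaller than its end, and both ends of a range of the same port type.

```python
import re

# Assumed rules, taken from the interface-list description quoted in the post:
#   interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>
# start < end within a range, both ends of the same type, at most 10 entries,
# and guest-vlan-id in 1..4094. Checking that the VLAN exists and is not a
# super VLAN needs live switch state, so it is out of scope here.
_PORT_NUMBER = re.compile(r"^\d+(?:/\d+)*$")   # e.g. 1/0/5


def _num_key(number: str) -> tuple:
    """Turn '1/0/12' into (1, 0, 12) so ranges compare numerically, not as text."""
    if not _PORT_NUMBER.match(number):
        raise ValueError(f"bad interface-number {number!r}")
    return tuple(int(part) for part in number.split("/"))


def parse_interface_list(text: str) -> list:
    """Return [(interface-type, start, end)]; raise ValueError on a malformed list."""
    tokens = text.split()
    items, i = [], 0
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError(f"interface-type {tokens[i]!r} has no interface-number")
        itype, start = tokens[i].lower(), tokens[i + 1]
        _num_key(start)                      # validates the number format
        end, i = start, i + 2
        if i < len(tokens) and tokens[i].lower() == "to":
            if i + 2 >= len(tokens):
                raise ValueError("'to' must be followed by interface-type and interface-number")
            etype, end = tokens[i + 1].lower(), tokens[i + 2]
            if etype != itype:
                raise ValueError(f"range mixes port types {itype} and {etype}")
            if _num_key(end) <= _num_key(start):
                raise ValueError(f"range start {start} must be smaller than end {end}")
            i += 3
        items.append((itype, start, end))
    if not 1 <= len(items) <= 10:
        raise ValueError("interface-list must hold 1 to 10 ports or port ranges")
    return items


def validate_guest_vlan(vlan_id: int, interface_list: str = "") -> list:
    """Validate 'dot1x guest-vlan <vlan_id> [interface <interface_list>]' arguments."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"guest-vlan-id {vlan_id} is outside 1..4094")
    # An empty list means the guest VLAN applies to all Layer 2 Ethernet ports.
    return parse_interface_list(interface_list) if interface_list else []
```

Feeding each planned command's arguments through validate_guest_vlan before pushing it to a switch catches reversed ranges (which string comparison would accept for 1/0/12 to 1/0/9) and over-long lists before the CLI rejects them.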
08-10-2016 07:05 AM
Re: Allow tagged vlans for unauthorized devices on port
Mumble...ProVision based Switches, considering the Port Based 802.1X authentication, should provide the command aaa port-access authenticator <port-list> [control <authorized|auto|unauthorized>]: the authorized (authentication mode) control option, also termed "Force Authorized", gives access to a device connected to the port and that device does not have to provide 802.1X credentials or support 802.1X authentication (You can still configure console, Telnet, or SSH security on the port.).
I'm not an HPE Employee