Re: LLDP-MED and 802.1x
02-16-2016 05:25 AM
Hello all,
I've configured a 5406zl to perform 802.1x authentication. This works fine: if a device gets authenticated, the port will be assigned to a VLAN defined by the RADIUS and if authentication fails, the VLAN is set to 101 (the "guest VLAN").
Now I've added another VLAN (called VoIP) and enabled LLDP-MED for our IP phones. I plugged in one phone and it has full access to the VoIP VLAN. But the phone has no valid 802.1x configuration.
Here is a part from the config, I used port B1
```
aaa authentication port-access eap-radius
aaa port-access authenticator B1-B12
aaa port-access authenticator B1-B12 unauth-vid 101
aaa port-access authenticator active
vlan 1
   name "DEFAULT_VLAN"
   no untagged B1-B12
   untagged A1-A18,A21-A24,B13-B24,Trk77
   ip address x.x.x.x 255.255.0.0
   ip igmp
   exit
vlan 9
   name "VOIP"
   tagged A1-A18,A21-A24,B1-B24,Trk77
   no ip address
   qos dscp 101110
   voice
   exit
vlan 101
   name "Extern"
   untagged B1-B12
   tagged Trk77
   no ip address
   exit
```
The authenticator state:
```
show port-access authenticator

Port Access Authenticator Status

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

     Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
Port Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
---- ------- ------- -------- ------ --------- ----- ------ ----- ----------
B1   0/1     0       101      Yes    No        No    No     both  100FDx
```
Any idea why the device has access to the VoIP-VLAN without authentication?
Regards,
FunnyDingo
02-16-2016 07:15 AM
*facepalm* I found a solution (not sure if it's the "best practice", but works like a charm)
- Disabled LLDP-MED completely
- Removed all ports tagged from VoIP VLAN
- Create new rule in RADIUS which assigns VLAN-ID 9 for successful authentication of user "phone"
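
An added example, not part of either post: a small Python check for the combination described in this thread, ports that are 802.1X authenticator ports and are also statically tagged members of a VLAN marked `voice`. The sample configuration is constructed from the excerpt in the question, the function names are made up for this example, and the parser only understands the command forms shown in that excerpt.

```python
import re

# Constructed sample: trimmed from the configuration excerpt in the question.
SAMPLE_CONFIG = """\
aaa port-access authenticator B1-B12
aaa port-access authenticator B1-B12 unauth-vid 101
aaa port-access authenticator active
vlan 9
   name "VOIP"
   tagged A1-A18,A21-A24,B1-B24,Trk77
   voice
   exit
vlan 101
   untagged B1-B12
   exit
"""

def expand_ports(spec):
    """Expand a port list such as 'A1-A3,B7,Trk77' into a set of port names."""
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"([A-Za-z]+)(\d+)-([A-Za-z]+)(\d+)", item.strip())
        if m and m.group(1) == m.group(3):
            ports.update(f"{m.group(1)}{n}" for n in range(int(m.group(2)), int(m.group(4)) + 1))
        elif item.strip():
            ports.add(item.strip())
    return ports

def port_key(port):
    """Sort key that orders B2 before B10."""
    m = re.match(r"(\D*)(\d*)", port)
    return (m.group(1), int(m.group(2) or 0))

def voice_tagged_authenticator_ports(config):
    """Return {vlan_id: ports} for authenticator ports statically tagged in a voice VLAN."""
    auth_ports, vlans, current = set(), {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["aaa", "port-access", "authenticator"] and len(words) > 3 and words[3] != "active":
            auth_ports |= expand_ports(words[3])
        elif len(words) == 2 and words[0] == "vlan" and words[1].isdigit():
            current = vlans.setdefault(int(words[1]), {"tagged": set(), "voice": False})
        elif current is not None and len(words) == 2 and words[0] == "tagged":
            current["tagged"] |= expand_ports(words[1])
        elif current is not None and words == ["voice"]:
            current["voice"] = True
        elif words == ["exit"]:
            current = None
    return {vid: sorted(v["tagged"] & auth_ports, key=port_key)
            for vid, v in vlans.items() if v["voice"] and v["tagged"] & auth_ports}
```

On the sample this reports VLAN 9 with ports B1 to B12; a configuration where the voice VLAN is no longer tagged on those ports returns an empty result.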