Solved: Re: LLDP-MED and 802.1x

FunnyDingo · ‎02-16-2016

Hello all,

I've configured a 5406zl to perform 802.1x authentication. This works fine: if a device gets authenticated, the port will be assigned to a VLAN defined by the RADIUS and if authentication failes, the VLAN is set to 101 (the "guest VLAN").

Now I've added another VLAN (called VoIP) and enabled LLDP-MED for our IP-Phones. I plugged in one phone and it has full access to the VOIP-VLAN. But the phone as no valid 802.1x configuration.

Here is a part from the config, I used port B1

aaa authentication port-access eap-radius
aaa port-access authenticator B1-B12
aaa port-access authenticator B1-B12 unauth-vid 101
aaa port-access authenticator active
vlan 1
name "DEFAULT_VLAN"
no untagged B1-B12
untagged A1-A18,A21-A24,B13-B24,Trk77
ip address x.x.x.x 255.255.0.0
ip igmp
exit
vlan 9
name "VOIP"
tagged A1-A18,A21-A24,B1-B24,Trk77
no ip address
qos dscp 101110
voice
exit
vlan 101
name "Extern"
untagged B1-B12
tagged Trk77
no ip address
exit

The the authenticator state:

show port-access authenticator
Port Access Authenticator Status
Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Auths/ Unauth Untagged Tagged % In RADIUS Cntrl
Port Guests Clients VLAN VLANs Port COS Limit ACL Dir Port Mode
---- ------- ------- -------- ------ --------- ----- ------ ----- ----------
B1 0/1 0 101 Yes No No No both 100FDx

Any idea why the device has access to the VoIP-VLAN without authentication?

Regards,
FunnyDingo

FunnyDingo · ‎02-16-2016

*facepalm* I found a solution (not sure if it's the "best practice", but works lika a charm)

Disabled LLDP-MED completely
Removed all ports tagged from VoIP VLAN
Create new rule in RADIUS which assignes VLAN-ID 9 for successful authentication of user "phone"

LLDP-MED and 802.1x

LLDP-MED and 802.1x

Re: LLDP-MED and 802.1x

Hewlett Packard Enterprise International