LLDP-MED and 802.1x
02-16-2016 05:25 AM
Hello all,
I've configured a 5406zl to perform 802.1x authentication. This works fine: if a device gets authenticated, the port will be assigned to a VLAN defined by the RADIUS and if authentication fails, the VLAN is set to 101 (the "guest VLAN").
Now I've added another VLAN (called VoIP) and enabled LLDP-MED for our IP-Phones. I plugged in one phone and it has full access to the VOIP-VLAN. But the phone has no valid 802.1x configuration.
Here is a part from the config, I used port B1:
```
aaa authentication port-access eap-radius
aaa port-access authenticator B1-B12
aaa port-access authenticator B1-B12 unauth-vid 101
aaa port-access authenticator active
vlan 1
   name "DEFAULT_VLAN"
   no untagged B1-B12
   untagged A1-A18,A21-A24,B13-B24,Trk77
   ip address x.x.x.x 255.255.0.0
   ip igmp
   exit
vlan 9
   name "VOIP"
   tagged A1-A18,A21-A24,B1-B24,Trk77
   no ip address
   qos dscp 101110
   voice
   exit
vlan 101
   name "Extern"
   untagged B1-B12
   tagged Trk77
   no ip address
   exit
```
The authenticator state:
```
show port-access authenticator

 Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

       Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
  Port Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
  ---- ------- ------- -------- ------ --------- ----- ------ ----- ----------
  B1   0/1     0       101      Yes    No        No    No     both  100FDx
```
Any idea why the device has access to the VoIP-VLAN without authentication?
Regards,
FunnyDingo
02-16-2016 07:15 AM
Solution
*facepalm* I found a solution (not sure if it's the "best practice", but works like a charm)
- Disabled LLDP-MED completely
- Removed all ports tagged from VoIP VLAN
- Create new rule in RADIUS which assigns VLAN-ID 9 for successful authentication of user "phone"
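
An added example, not part of the original posts: a small Python audit for the condition this thread describes, ports running the 802.1X authenticator that are also static tagged members of a VLAN (here VLAN 9, VOIP). The function names and the trimmed sample config are constructed for illustration; the parser assumes the running-config layout shown in the question.

```python
import re

# Constructed sample: the relevant lines of the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa port-access authenticator B1-B12
aaa port-access authenticator B1-B12 unauth-vid 101
aaa port-access authenticator active
vlan 9
   tagged A1-A18,A21-A24,B1-B24,Trk77
   voice
   exit
vlan 101
   untagged B1-B12
   tagged Trk77
   exit
"""

def expand_ports(spec):
    """Expand a port list such as 'A1-A3,B1,Trk77' into a set of port names."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)-([A-Za-z]*)(\d+)", item)
        if m and m[1] == m[3]:
            ports.update(f"{m[1]}{n}" for n in range(int(m[2]), int(m[4]) + 1))
        else:
            ports.add(item)
    return ports

def port_key(port):  # natural sort key, so B2 sorts before B10
    m = re.fullmatch(r"([A-Za-z]*)(\d+)", port)
    return (m[1], int(m[2])) if m else (port, 0)

def audit(config):
    """Map VLAN id -> 802.1X authenticator ports that are static tagged members."""
    auth_ports, tagged, vlan = set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"aaa port-access authenticator (?!active\b)(\S+)", line):
            auth_ports |= expand_ports(m[1])
        elif m := re.match(r"vlan (\d+)$", line):
            vlan = int(m[1])
        elif line == "exit":
            vlan = None
        elif vlan is not None and (m := re.match(r"tagged (\S+)", line)):
            tagged.setdefault(vlan, set()).update(expand_ports(m[1]))
    return {v: sorted(p & auth_ports, key=port_key) for v, p in tagged.items() if p & auth_ports}

if __name__ == "__main__":
    for vlan_id, ports in audit(SAMPLE_CONFIG).items():
        print(f"VLAN {vlan_id}: static tagged on authenticator ports {', '.join(ports)}")
```

On the sample it reports B1 through B12 for VLAN 9; once the authenticator ports are removed from the static tagged list, as in the solution above, the result is empty.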