LLDP-MED and 802.1x

FunnyDingo
Occasional Advisor

Hello all,

I've configured a 5406zl to perform 802.1x authentication. This works fine: if a device gets authenticated, the port will be assigned to a VLAN defined by the RADIUS, and if authentication fails, the VLAN is set to 101 (the "guest VLAN").

Now I've added another VLAN (called VoIP) and enabled LLDP-MED for our IP phones. I plugged in one phone and it has full access to the VoIP VLAN, but the phone has no valid 802.1x configuration.

Here is part of the config; I used port B1:

aaa authentication port-access eap-radius
aaa port-access authenticator B1-B12
aaa port-access authenticator B1-B12 unauth-vid 101
aaa port-access authenticator active
vlan 1
  name "DEFAULT_VLAN"
  no untagged B1-B12
  untagged A1-A18,A21-A24,B13-B24,Trk77
  ip address x.x.x.x 255.255.0.0
  ip igmp
  exit
vlan 9
  name "VOIP"
  tagged A1-A18,A21-A24,B1-B24,Trk77
  no ip address
  qos dscp 101110
  voice
  exit
vlan 101
  name "Extern"
  untagged B1-B12
  tagged Trk77
  no ip address
  exit

The authenticator state:

show port-access authenticator

Port Access Authenticator Status

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

     Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
Port Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
---- ------- ------- -------- ------ --------- ----- ------ ----- ----------
B1   0/1     0       101      Yes    No        No    No     both  100FDx

Any idea why the device has access to the VoIP-VLAN without authentication?

Regards,
FunnyDingo

FunnyDingo
Occasional Advisor
Solution

Re: LLDP-MED and 802.1x

*facepalm* I found a solution (not sure if it's the "best practice", but it works like a charm):

  • Disabled LLDP-MED completely
  • Removed all tagged ports from the VoIP VLAN
  • Created a new rule in RADIUS which assigns VLAN ID 9 on successful authentication of user "phone"
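As an added check (not from the original post or the reply): a small Python audit that parses a ProVision-style config excerpt constructed from the one in the question and flags any VLAN marked `voice` that is statically tagged on ports listed under `aaa port-access authenticator`, which is the gap the reply closed by removing the tagged ports. It assumes only the directives shown in this thread (`aaa port-access authenticator`, `vlan`, `tagged`, `voice`, `exit`) and the port-range syntax used there.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the post's config: 802.1x on B1-B12, with the
# voice VLAN 9 statically tagged on those same ports (VLAN 101 is only untagged).
SAMPLE_CONFIG = """\
aaa port-access authenticator B1-B12
aaa port-access authenticator B1-B12 unauth-vid 101
aaa port-access authenticator active
vlan 9
  tagged A1-A18,A21-A24,B1-B24,Trk77
  voice
  exit
vlan 101
  untagged B1-B12
  tagged Trk77
  exit
"""

PORT_RE = re.compile(r"^([A-Za-z]+)(\d+)$")

def expand_ports(spec):
    """Expand a ProVision port list such as 'A1-A3,B1,Trk77' into a set of ports."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        m_lo, m_hi = PORT_RE.match(lo), PORT_RE.match(hi)
        if m_lo and m_hi and m_lo.group(1) == m_hi.group(1):
            for n in range(int(m_lo.group(2)), int(m_hi.group(2)) + 1):  # B1-B12 -> B1 ... B12
                ports.add(f"{m_lo.group(1)}{n}")
        else:
            ports.add(item)  # single port or trunk name such as Trk77
    return ports

def find_voice_vlan_bypass(config):
    """Map each 'voice' VLAN to the authenticator ports on which it is statically tagged."""
    auth_ports, tagged, voice_vlans, vlan = set(), defaultdict(set), set(), None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"aaa port-access authenticator (\S+)", line)
        if m and m.group(1) != "active":
            auth_ports |= expand_ports(m.group(1))
        elif re.fullmatch(r"vlan (\d+)", line):
            vlan = int(line.split()[1])
        elif line == "exit":
            vlan = None
        elif vlan and line.startswith("tagged "):
            tagged[vlan] |= expand_ports(line.split(None, 1)[1])
        elif vlan and line == "voice":
            voice_vlans.add(vlan)
    return {v: sorted(tagged[v] & auth_ports) for v in voice_vlans if tagged[v] & auth_ports}
```

A non-empty result means an unauthenticated phone on those ports can already reach the voice VLAN, since the authenticator only governs the untagged VLAN assignment.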