
information about 802.1x and max-client limitation

 
WillyEB70
Advisor


Hi all,

Can anybody give me more information about 802.1x and the max-client limitation?

Let me explain my issue. I've got one HPE ProCurve 2530G-24G and I've configured 802.1x to activate port number 10 after the supplicant was identified by the RADIUS server (username and password). After that the switch assigns VLAN 25 to port number 10.

It always works fine, but for some reasons I'd like to add a new switch between the supplicant and port 10 of the 2530-24G to manage more clients. This new switch is an 1810G without 802.1x features; it has only VLAN and other basic level 2 functions. So my goal is to manage authentication of more than one client on the same 2530G-24G port number 10.

Can anybody help me?

Many thanks 

Best Regards

Enrico

 

P.S: Mod: Post split and moved as a new Topic from following link

WillyEB70
Advisor

Re: information about 802.1x and max-client limitation

Hi all, after reading that guide http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s05.html I've made some tests. This is part of the config from the 802.1x-aware ProCurve:

...
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address 10.0.0.1 255.255.0.0
   exit
vlan 25
   name "PF-WIRED"
   tagged 1-2,12-24
   exit
...
aaa authentication port-access eap-radius
aaa accounting system start-stop radius
radius-server host 10.0.0.34 key XXXXX
no snmp-server enable traps link-change 1-24
aaa port-access authenticator 3-4
aaa port-access authenticator 3 auth-vid 25
aaa port-access authenticator 3 client-limit 8
aaa port-access authenticator 4 auth-vid 25
aaa port-access authenticator 4 client-limit 8
aaa port-access authenticator active
... 
(omitted)
...

As you can see, my setup seems to be right, and if I connect my notebook directly to port 3 it obtains network access. My notebook doesn't obtain network access if I connect a hub or a switch that is unmanaged or not 802.1x-aware between port 3 and my computer.

Any ideas?

Thanks 

Best Regards

Enrico

 

 

thrtnastrx2
Occasional Advisor

Re: information about 802.1x and max-client limitation

This should work with a hub or unmanaged switch connected to port 3, and your laptop connected to any port on the downstream device. It's working in my lab with the exact same scenario.

Try running:

debug destination session (or buffer)

debug events

debug security port-access 

Then connect your laptop to port 3 and see how a successful auth looks in the debug, then connect a hub/switch, watch the debug, then finally connect your laptop to the hub/switch and watch the debug messages. What is different?

WillyEB70
Advisor

Re: information about 802.1x and max-client limitation

I've found the problem. This config works with unmanaged hub or switch:

....
max-vlans 32
time timezone 60
time daylight-time-rule Western-Europe
interface 1
   no lacp
exit
....
interface 20
   no lacp
exit
ip default-gateway a.b.c.d
sntp server a.b.c.d
timesync sntp
sntp unicast
logging facility syslog
logging a.b.c.d
snmp-server community "public" Unrestricted
snmp-server community "private" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-10,12-24
   ip address y.x.w.k 255.255.0.0
   no untagged 11
   exit
vlan 25
   name "PF-WIRED"
   untagged 11
   tagged 1-2,12-24
   exit
....
fault-finder broadcast-storm sensitivity low
aaa authentication port-access eap-radius
aaa accounting system start-stop radius
radius-server host a.b.c.f key XXXXXXX
no snmp-server enable traps link-change 1-24
aaa port-access authenticator 3-10
aaa port-access authenticator 3 client-limit 8
aaa port-access authenticator 4 client-limit 8
aaa port-access authenticator 5 client-limit 8
aaa port-access authenticator 6 client-limit 8
aaa port-access authenticator 7 client-limit 8
aaa port-access authenticator 8 client-limit 8
aaa port-access authenticator 9 client-limit 8
aaa port-access authenticator 10 client-limit 8
aaa port-access authenticator active
spanning-tree
password manager

The VLAN is assigned by the authentication server.
Thanks for your reply.
Best Regards
Enrico

--
_______________________________________________________________________

Enrico Becchetti Servizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica 06123 Perugia (ITALY)

______________________________________________________________________
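
An added example, not part of any post in this thread: a small Python comparison of the "aaa port-access authenticator" lines from the failing and the working config posted above, showing which per-port settings differ on the ports common to both. The function names are hypothetical, the input is constructed from the posted lines, and numeric port names are assumed.

```python
import re

# Constructed input: only the port-access lines of the two configs posted in this thread.
FAILING = """\
aaa port-access authenticator 3-4
aaa port-access authenticator 3 auth-vid 25
aaa port-access authenticator 3 client-limit 8
aaa port-access authenticator 4 auth-vid 25
aaa port-access authenticator 4 client-limit 8
aaa port-access authenticator active
"""
WORKING = ("aaa port-access authenticator 3-10\n"
           + "".join(f"aaa port-access authenticator {p} client-limit 8\n" for p in range(3, 11))
           + "aaa port-access authenticator active\n")

# Assumption: numeric port names, as on the 2530 in the thread (no "A1"-style module ports).
PORT = r"\d+(?:-\d+)?"
LINE = re.compile(rf"^\s*aaa port-access authenticator ({PORT}(?:,{PORT})*|active)(?:\s+(\S+)\s+(\S+))?\s*$")

def expand(ports):
    """Expand a port list such as '3-4,7' into [3, 4, 7]."""
    out = []
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out

def port_access(config):
    """Return ({port: {option: value}}, active) for the authenticator lines of a config."""
    ports, active = {}, False
    for m in filter(None, map(LINE.match, config.splitlines())):
        if m.group(1) == "active":
            active = True
            continue
        for p in expand(m.group(1)):
            opts = ports.setdefault(p, {})
            if m.group(2):
                opts[m.group(2)] = m.group(3)
    return ports, active

def diff(before, after):
    """Per-port option changes, as (port, option, old, new), for ports in both configs."""
    (b, _), (a, _) = port_access(before), port_access(after)
    return [(p, opt, b[p].get(opt), a[p].get(opt))
            for p in sorted(b.keys() & a.keys())
            for opt in sorted(b[p].keys() | a[p].keys())
            if b[p].get(opt) != a[p].get(opt)]

if __name__ == "__main__":
    print(diff(FAILING, WORKING))
```

On the posted lines, the only per-port change on ports 3 and 4 is that the static auth-vid 25 setting is gone, which matches the closing remark that the VLAN is assigned by the authentication server.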