HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Community
Comware Based
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

3Com 5500G-EI dot1x with RADIUS Server supplied VLAN VSA

 
SOLVED
Go to solution
rah322
rah322
Occasional Contributor

‎04-24-2017 01:30 PM

‎04-24-2017 01:30 PM

3Com 5500G-EI dot1x with RADIUS Server supplied VLAN VSA

We have a number of 3Com 5500G-EI switches for which we'd like to enable wired 802.1x authentication.  

Most swiches will be running Software Version 3Com OS V3.03.02s168p23.   As for the RADIUS Server, we're using ClearPass Policy Manager 6.5.7.85381.  

We have basic ACCESS-ACCEPT & ACCESS-REJECT working, along with a guest-vlan configuration.  

I'm trying to assign a VLAN from the RADIUS Response, but I'm not having any luck.  I suspect I may need to configure the port as a hybrid port.  Here is the current port config.

interface GigabitEthernet1/0/1
stp edged-port enable
broadcast-suppression pps 3000
port access vlan 15
undo jumboframe enable
dot1x port-method portbased
dot1x max-user 1
dot1x guest-vlan 13
dot1x
dot1x re-authenticate
dot1x mandatory-domain drexel.edu
mirroring-group 1 mirroring-port both
apply qos-profile default

Based on authroization attributes, I'd like to place a user in a different VLAN if they successfully authenticate.  I've made sure to pass the Radius:IETF Attributes Tunnel-Type, Tunnel-Medium-Type, & Tunnel-Private-Group-Id in the RADIUS Response, but it doesn't appear as if the switch is honoring those responses.  

With Radius Debugging enabled in the switch, I see some messages with :

Apr 24 13:41:45 10.245.248.2: %%10RDS/8/DEBUG(d):- 1 -Warning:Received a invalid VLAN ID!

I've verified that the VLAN I'm sending in the RADIUS Response is configured on the switch.

Any clues or hints would be appreciated. 

 TIA,

--Raf

 

0 Kudos
Reply
1 REPLY
rah322
rah322
Occasional Contributor

‎04-24-2017 02:28 PM

‎04-24-2017 02:28 PM

Solution

Re: 3Com 5500G-EI dot1x with RADIUS Server supplied VLAN VSA

DOH!!!

Managed to solve my own issue by chaning the Vlan-assignment-mode to string, from interger.  

I'll continue testing to see what other havoc I can create.  

 

Does anyone know if a self-service URL will redirect users upon launching a browser, or is that only to provide a URL for admin logins?

--Raf

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.