10-20-2011 09:06 AM
3com 5500-El + 802.1x + Freeradius + dynamic vlan assignment
Has anyone experience with the task of setting up dynamic VLAN assignment on the 5500-El + FreeRADIUS?
I found in the documentation that the following RADIUS attributes are used for dynamically assigning a VLAN:
[64] Tunnel-Type=VLAN (type 13)
[65] Tunnel-Medium-Type=802 (type 6)
[81] Tunnel-Private-Group-ID=VLANID (or VLAN name)
And there should be an option "vlan-assignment-mode" in the domain settings on the device.
FreeRADIUS sends these attributes:
===========================================
# Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
Tunnel-Private-Group-Id:0 = "30"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xdf530
MS-MPPE-Recv-Key = 0xecd14
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "sadm"
[peap] Got tunneled reply RADIUS code 2
Tunnel-Private-Group-Id:0 = "30"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xdf530
MS-MPPE-Recv-Key = 0xecd14
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "sadm"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
===========================================
The device receives these attributes:
===========================================
*0.953995479 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Receive:IP=[10.0.200.27],Code=[11],Length=[108]
*0.953995481 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[7 Framed-Protocol ] [6 ] [1]
[13 Framed-Compression ] [6 ] [1]
[81 Tunnel_Private_Group_ID ] [4 ] [30]
[65 Tunnel-Medium-Type ] [6 ] [6]
[64 Tunnel-Type ] [6 ] [13]
[79 EAP-Message ] [24] [0103001]
*0.953995484 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[80 Message-Authenticator ] [18] [70469DB]
[24 State ] [18] [5FC6F82]
*0.953995505 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Recv MSG,[MsgType=EAP auth request Index = 127, ulParam3=2191181076]
*0.953995507 Switch5500-LCG2 RDS/8/DEBUG:- 1 -NAS name is too long, can not send Connect_port attribute
*0.953995509 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Send attribute list:
*0.953995511 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[1 User-name ] [6 ] [sadm]
[79 EAP-Message ] [8 ] [020300060319]
[80 Message-Authenticator ] [18] [00000000000000000000000000000000]
[4 NAS-IP-Address ] [6 ] [10.0.20.150]
[32 NAS-Identifier ] [14] [00186e435b82]
[5 NAS-Port ] [6 ] [16969729]
*0.953995513 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[61 NAS-Port-Type ] [6 ] [15]
[6 Service-Type ] [6 ] [2]
[7 Framed-Protocol ] [6 ] [1]
[31 Caller-ID ] [16] [6338306]
[24 State ] [18] [5FC6F82]
*0.953995515 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Send: IP=[10.0.200.27], UserIndex=[127], ID=[33], RetryTimes=[0], Code=[1], Length=[130]
===========================================
But after a successful authentication, the port goes into VLAN 1 (default).
I.e. 802.1X works, but without the automatic VLAN assignment.
Can someone give an example of a working config for the 5500-El, or a good hint?
My 5500-El config:
===========================================
#
sysname Switch5500-LCG2
#
undo password-control aging enable
undo password-control length enable
undo password-control history enable
password-control login-attempt 3 exceed lock-time 120
#
super password level 3 simple xxxxxxxxx
#
local-server nas-ip 127.0.0.1 key 3com
#
domain default enable md.local
#
igmp-snooping enable
#
dot1x
dot1x authentication-method eap
undo dot1x handshake enable
#
radius scheme system
radius scheme radius1
server-type standard
primary authentication 10.0.200.27
primary accounting 10.0.200.27
accounting optional
key authentication xxxxxxxxx
key accounting xxxxxxxxx
timer realtime-accounting 15
timer response-timeout 5
retry 5
user-name-format without-domain
accounting-on enable
#
domain md.local
scheme radius-scheme radius1
vlan-assignment-mode string
accounting optional
domain system
#
local-user admin
password simple xxxxxxxxx
service-type ssh telnet terminal
level 3
local-user localuser
password simple xxxxxxxxx
service-type lan-access
service-type ssh telnet terminal
level 3
local-user manager
password simple xxxxxxxxx
service-type ssh telnet terminal
level 2
local-user monitor
password simple xxxxxxxxx
service-type ssh telnet terminal
level 1
#
acl number 3997
rule 0 permit ip dscp ef
rule 1 permit tcp destination-port eq www
rule 2 permit udp destination-port eq snmp
rule 3 permit udp destination-port eq snmptrap
rule 4 permit ip dscp cs6
rule 5 permit ip dscp cs7
#
acl number 4999
rule 0 permit type 8868 ffff
rule 1 permit source 00e0-bb00-0000 ffff-ff00-0000
rule 2 permit source 0003-6b00-0000 ffff-ff00-0000
rule 3 permit source 00e0-7500-0000 ffff-ff00-0000
rule 4 permit source 00d0-1e00-0000 ffff-ff00-0000
rule 5 permit source 0001-e300-0000 ffff-ff00-0000
rule 6 permit source 000f-e200-0000 ffff-ff00-0000
rule 7 permit source 0006-b900-0000 ffff-ff00-0000
rule 8 deny dest 0000-0000-0000 ffff-ffff-ffff
#
qos-profile default
packet-filter inbound link-group 4999 rule 8
traffic-priority inbound ip-group 3997 rule 0 cos voice
traffic-priority inbound ip-group 3997 rule 4 cos network-management
traffic-priority inbound ip-group 3997 rule 5 cos network-management
traffic-priority inbound link-group 4999 rule 0 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 1 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 2 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 3 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 4 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 5 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 6 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 7 dscp ef cos voice
#
vlan 1
igmp-snooping enable
#
vlan 2
description NONCOMPLIANT_VLAN
#
vlan 3
description COMPLIANT_VLAN
#
vlan 30
description Test
name test
#
vlan 101
#
interface Vlan-interface1
ip address 10.0.210.250 255.0.0.0
#
ntp-service unicast-server 10.0.0.123
#
interface Aux1/0/0
#
interface Ethernet1/0/1
stp edged-port enable
broadcast-suppression pps 3000
undo jumboframe enable
apply qos-profile default
#
[SKIP]
interface Ethernet1/0/47
stp edged-port enable
broadcast-suppression pps 3000
undo jumboframe enable
dot1x port-method portbased
dot1x
apply qos-profile default
#
interface Ethernet1/0/48
stp edged-port enable
broadcast-suppression pps 3000
undo jumboframe enable
apply qos-profile default
#
[SKIP]
#
undo xrn-fabric authentication-mode
#
interface NULL0
#
voice vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Siemens AG phone
voice vlan mac-address 0006-b900-0000 mask ffff-ff00-0000 description Philips and NEC AG phone
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.123 preference 60
#
snmp-agent
#
user-interface aux 0 7
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
#
return
===========================================
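The post shows the same three tunnel attributes twice: once as FreeRADIUS sends them in the tunneled reply, once as the switch decodes them in its RDS debug output. The following script is an added example, not code from the original post or from 3Com/FreeRADIUS. It parses both dumps (the sample lines embedded below are constructed, with the values copied from the post), confirms the triplet arrived unchanged, and then checks the Tunnel-Private-Group-ID value against the domain's `vlan-assignment-mode` and the VLAN table from the posted config. The example assumes that `vlan-assignment-mode integer` makes the switch read the value as a VLAN ID while `string` makes it look the value up as a VLAN name; the function and constant names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 2868 attribute numbers and enumerations, the same ones quoted in the post.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = "13"        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = "6"    # Tunnel-Medium-Type = IEEE-802

# Constructed sample: attribute dump in the switch's RDS/8/DEBUG format, values from the post.
SWITCH_RDS_DEBUG = """\
[7 Framed-Protocol ] [6 ] [1]
[13 Framed-Compression ] [6 ] [1]
[81 Tunnel_Private_Group_ID ] [4 ] [30]
[65 Tunnel-Medium-Type ] [6 ] [6]
[64 Tunnel-Type ] [6 ] [13]
"""

# Constructed sample: the tunneled reply as FreeRADIUS prints it in debug mode (radiusd -X).
FREERADIUS_REPLY = """\
[peap] Got tunneled reply code 2
        Tunnel-Private-Group-Id:0 = "30"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        User-Name = "sadm"
"""

# VLAN table taken from the switch config in the post: id -> name (None if unnamed).
SWITCH_VLANS: Dict[int, Optional[str]] = {1: None, 2: None, 3: None, 30: "test", 101: None}

RDS_ATTR_RE = re.compile(r"\[(\d+)\s+([\w-]+)\s*\]\s*\[(\d+)\s*\]\s*\[([^\]]*)\]")
FR_ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.+?)\s*$")
FR_NAME_TO_TYPE = {"Tunnel-Type": TUNNEL_TYPE, "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE,
                   "Tunnel-Private-Group-Id": TUNNEL_PRIVATE_GROUP_ID}
FR_ENUM_TO_NUMBER = {"VLAN": TUNNEL_TYPE_VLAN, "IEEE-802": TUNNEL_MEDIUM_IEEE802}


def parse_rds_attributes(debug_text: str) -> Dict[int, str]:
    """Decode '[type name ] [len] [value]' entries from a Comware RDS debug dump."""
    return {int(m.group(1)): m.group(4) for m in RDS_ATTR_RE.finditer(debug_text)}


def parse_freeradius_reply(log_text: str) -> Dict[int, str]:
    """Pick the three tunnel attributes out of a FreeRADIUS reply dump, as type -> value."""
    attrs: Dict[int, str] = {}
    for line in log_text.splitlines():
        m = FR_ATTR_RE.match(line)
        if m and m.group(1) in FR_NAME_TO_TYPE:
            value = m.group(2).strip('"')
            attrs[FR_NAME_TO_TYPE[m.group(1)]] = FR_ENUM_TO_NUMBER.get(value, value)
    return attrs


def tunnel_attribute_mismatches(sent: Dict[int, str], received: Dict[int, str]) -> List[int]:
    """Attribute types where what the server sent differs from what the switch logged."""
    return [t for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
            if sent.get(t) != received.get(t)]


@dataclass
class VlanCheck:
    ok: bool
    vlan_ref: Optional[str]
    findings: List[str] = field(default_factory=list)


def check_dynamic_vlan(attrs: Dict[int, str], assignment_mode: str,
                       vlans: Dict[int, Optional[str]]) -> VlanCheck:
    """Validate the VLAN triplet against the domain's vlan-assignment-mode.

    Assumption of this example: 'integer' means the switch reads Tunnel-Private-Group-ID
    as a VLAN ID, 'string' means it looks the value up as a VLAN name.
    """
    findings: List[str] = []
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        findings.append("Tunnel-Type (64) missing or not VLAN (13)")
    if attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802:
        findings.append("Tunnel-Medium-Type (65) missing or not IEEE-802 (6)")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        findings.append("Tunnel-Private-Group-ID (81) missing")
        return VlanCheck(False, None, findings)

    if assignment_mode == "integer":
        if not group.isdigit():
            findings.append(f"mode integer, but {group!r} is not a numeric VLAN ID")
        elif int(group) not in vlans:
            findings.append(f"VLAN {group} is not configured on the switch")
    elif assignment_mode == "string":
        names = {name: vid for vid, name in vlans.items() if name}
        if group not in names:
            hint = ""
            if group.isdigit() and int(group) in vlans:
                hint = f" (VLAN {group} exists, but its name is {vlans[int(group)]!r})"
            findings.append(f"mode string, but no VLAN is named {group!r}{hint}")
    else:
        findings.append(f"unknown vlan-assignment-mode {assignment_mode!r}")
    return VlanCheck(not findings, group, findings)


if __name__ == "__main__":
    sent = parse_freeradius_reply(FREERADIUS_REPLY)
    received = parse_rds_attributes(SWITCH_RDS_DEBUG)
    print("attributes altered in transit:", tunnel_attribute_mismatches(sent, received))
    for mode in ("string", "integer"):
        result = check_dynamic_vlan(received, mode, SWITCH_VLANS)
        print(f"vlan-assignment-mode {mode}: ok={result.ok} findings={result.findings}")
```

Running it on the posted dumps reports no attribute altered in transit, so the check of the value against the domain mode is the place to look: with `string` it reports that no VLAN is named "30" (the only named VLAN is "test"), while with `integer` the same value passes. Feeding the script a different RDS dump or VLAN table is enough to re-run the same check on another switch.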
11-10-2011 03:21 AM
Re: 3com 5500-El + 802.1x + Freeradius + dynamic vlan assignment
Hi,
I have experience with dynamic VLANs on the 5500EI + FreeRADIUS + MySQL. I understand that you only need the switch config. So here it is (I did this with MAC authentication, not dot1x commands):
===========================================
<5500EI>dis cur
#
MAC-authentication
MAC-authentication timer offline-detect 600
MAC-authentication domain xxx
#
radius scheme XYZ
server-type extended
primary authentication x.x.x.x
primary accounting x.x.x.y
secondary authentication x.x.x.y
secondary accounting x.x.x.x
accounting optional
key authentication yyyyyyyy
key accounting yyyyyyyy
user-name-format without-domain
#
domain xxx
scheme radius-scheme XYZ
#
interface Ethernet1/0/1
stp edged-port enable
broadcast-suppression pps 3000
MAC-authentication
MAC-authentication max-auth-num 1
MAC-authentication guest-vlan 11
description NONE
apply qos-profile default
===========================================
If you need any other configuration files, let me know.
V.