HPE Community
Comware Based
1753500 Members
4234 Online
108794 Solutions
New Discussion

3com 5500-El + 802.1x + Freeradius + dynamic vlan assigment

 
OlegWoznesensky
New Member

‎10-20-2011 09:06 AM

‎10-20-2011 09:06 AM

3com 5500-El + 802.1x + Freeradius + dynamic vlan assigment


Does anyone experienced with the task of setting dynamic vlan assigment on 5500-el + FREERADIUS?

I found in the documentation that for dynamically assign VLAN are used RADIUS attributes:

    [64] Tunnel-Type=VLAN (type 13)
    [65] Tunnel-Medium-Type=802 (type 6)
    [81] Tunnel-Private-Group-ID=VLANID (или VLAN name)

And should be an option "vlan-assignment-mode" in the domain settings on the device.


Freeradius send these attributes:
===========================================
# Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
        Tunnel-Private-Group-Id:0 = "30"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xdf530
        MS-MPPE-Recv-Key = 0xecd14
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "sadm"
[peap] Got tunneled reply RADIUS code 2
        Tunnel-Private-Group-Id:0 = "30"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xdf530
        MS-MPPE-Recv-Key = 0xecd14
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "sadm"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
===========================================

The device receives these attributes:
===========================================
*0.953995479 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Receive:IP=[10.0.200.27],Code=[11],Length=[108]
*0.953995481 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[7  Framed-Protocol             ] [6 ] [1]
[13 Framed-Compression          ] [6 ] [1]
[81 Tunnel_Private_Group_ID     ] [4 ] [30]
[65 Tunnel-Medium-Type          ] [6 ] [6]
[64 Tunnel-Type                 ] [6 ] [13]
[79 EAP-Message                 ] [24] [0103001]
*0.953995484 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[80 Message-Authenticator       ] [18] [70469DB]
[24 State                       ] [18] [5FC6F82]
*0.953995505 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Recv MSG,[MsgType=EAP auth request Index = 127, ulParam3=2191181076]
*0.953995507 Switch5500-LCG2 RDS/8/DEBUG:- 1 -NAS name is too long, can not send Connect_port attribute
*0.953995509 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Send attribute list:
*0.953995511 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[1  User-name                   ] [6 ] [sadm]
[79 EAP-Message                 ] [8 ] [020300060319]
[80 Message-Authenticator       ] [18] [00000000000000000000000000000000]
[4  NAS-IP-Address              ] [6 ] [10.0.20.150]
[32 NAS-Identifier              ] [14] [00186e435b82]
[5  NAS-Port                    ] [6 ] [16969729]
*0.953995513 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[61 NAS-Port-Type               ] [6 ] [15]
[6  Service-Type                ] [6 ] [2]
[7  Framed-Protocol             ] [6 ] [1]
[31 Caller-ID                   ] [16] [6338306]
[24 State                       ] [18] [5FC6F82]
*0.953995515 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Send: IP=[10.0.200.27], UserIndex=[127], ID=[33], RetryTimes=[0], Code=[1], Length=[130]
===========================================

But after auth success, port going in to VLAN 1 (default).

Ie 802.1x works, but without the auto-vlan.

Maybe someone can give an example of the working config for 5500-El, or give a good hint?

My 5500-El config:

===========================================
#
sysname Switch5500-LCG2
#
undo password-control aging enable
undo password-control length enable
undo password-control history enable
password-control login-attempt 3 exceed lock-time 120
#
super password level 3 simple xxxxxxxxx
#
local-server nas-ip 127.0.0.1 key 3com
#
domain default enable md.local
#
igmp-snooping enable
#
dot1x
dot1x authentication-method eap
undo dot1x handshake enable
#
radius scheme system
radius scheme radius1
server-type standard
primary authentication 10.0.200.27
primary accounting 10.0.200.27
accounting optional
key authentication xxxxxxxxx
key accounting xxxxxxxxx
timer realtime-accounting 15
timer response-timeout 5
retry 5
user-name-format without-domain
accounting-on enable
#
domain md.local
scheme radius-scheme radius1
vlan-assignment-mode string
accounting optional
domain system
#
local-user admin
password simple xxxxxxxxx
service-type ssh telnet terminal
level 3
local-user localuser
password simple xxxxxxxxx
service-type lan-access
service-type ssh telnet terminal
level 3
local-user manager
password simple xxxxxxxxx
service-type ssh telnet terminal
level 2
local-user monitor
password simple xxxxxxxxx
service-type ssh telnet terminal
level 1
#
acl number 3997
rule 0 permit ip dscp ef
rule 1 permit tcp destination-port eq www
rule 2 permit udp destination-port eq snmp
rule 3 permit udp destination-port eq snmptrap
rule 4 permit ip dscp cs6
rule 5 permit ip dscp cs7
#
acl number 4999
rule 0 permit type 8868 ffff
rule 1 permit source 00e0-bb00-0000 ffff-ff00-0000
rule 2 permit source 0003-6b00-0000 ffff-ff00-0000
rule 3 permit source 00e0-7500-0000 ffff-ff00-0000
rule 4 permit source 00d0-1e00-0000 ffff-ff00-0000
rule 5 permit source 0001-e300-0000 ffff-ff00-0000
rule 6 permit source 000f-e200-0000 ffff-ff00-0000
rule 7 permit source 0006-b900-0000 ffff-ff00-0000
rule 8 deny dest 0000-0000-0000 ffff-ffff-ffff
#
qos-profile default
packet-filter inbound link-group 4999 rule 8
traffic-priority inbound ip-group 3997 rule 0 cos voice
traffic-priority inbound ip-group 3997 rule 4 cos network-management
traffic-priority inbound ip-group 3997 rule 5 cos network-management
traffic-priority inbound link-group 4999 rule 0 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 1 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 2 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 3 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 4 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 5 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 6 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 7 dscp ef cos voice
#
vlan 1
igmp-snooping enable
#
vlan 2
description NONCOMPLIANT_VLAN
#
vlan 3
description COMPLIANT_VLAN
#
vlan 30
description Test
name test
#
vlan 101
#
interface Vlan-interface1
ip address 10.0.210.250 255.0.0.0
#
ntp-service unicast-server 10.0.0.123
#
interface Aux1/0/0
#
interface Ethernet1/0/1
stp edged-port enable
broadcast-suppression pps 3000
undo jumboframe enable
apply qos-profile default
#


[SKIP]


interface Ethernet1/0/47
stp edged-port enable
broadcast-suppression pps 3000
undo jumboframe enable
dot1x port-method portbased
dot1x
apply qos-profile default
#
interface Ethernet1/0/48
stp edged-port enable
broadcast-suppression pps 3000
undo jumboframe enable
apply qos-profile default
#

[SKIP]

#
undo xrn-fabric authentication-mode
#
interface NULL0
#
voice vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Siemens AG phone
voice vlan mac-address 0006-b900-0000 mask ffff-ff00-0000 description Philips and NEC AG phone
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.123 preference 60
#
snmp-agent
#
user-interface aux 0 7
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
#
return
===========================================

0 Kudos
1 REPLY 1
vangass
Frequent Advisor

‎11-10-2011 03:21 AM

‎11-10-2011 03:21 AM

Re: 3com 5500-El + 802.1x + Freeradius + dynamic vlan assigment

Hi,

I have an  experience with dynamic vlans with 5500Ei + freeradius + mysql. I understand that You only need the swtich config. So there it is (I did this with mac-autentication not dot1x commands):

<5500EI>dis cur
#
 MAC-authentication
 MAC-authentication timer offline-detect 600
 MAC-authentication domain xxx
#
radius scheme XYZ
 server-type extended
 primary authentication x.x.x.x
 primary accounting x.x.x.y
 secondary authentication x.x.x.y
 secondary accounting x.x.x.x
 accounting optional
 key authentication yyyyyyyy              
 key accounting yyyyyyyy
 user-name-format without-domain
#
domain xxx
 scheme radius-scheme XYZ
#
interface Ethernet1/0/1
 stp edged-port enable
 broadcast-suppression pps 3000
 MAC-authentication
 MAC-authentication max-auth-num 1
 MAC-authentication guest-vlan 11         
 description NONE
 apply qos-profile default

 If You need any other configuration files let me know.

 

V.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.