07-10-2015 07:31 AM
Dynamic TAGGED VLAN assignment HP 5500
Hi guys, I am trying to assign a tagged VLAN from Microsoft 2012 NPS (RADIUS) to a switch port but I can't find the appropriate attribute on the NPS. To set the VLAN id I used the attribute Tunnel-Pvt-Group-ID. It works fine. But how to tell the HP 5500 that it should be tagged?
07-10-2015 07:59 AM
On the switch, use these commands to set interface g1/0/3 to support untagged traffic on VLAN 1 and tagged traffic on vlan 220:
[HP] interface g1/0/3
[HP-G1/0/3] port link-type trunk
[HP-G1/0/3] port trunk permit vlan 220
If you want to change the untagged vlan to vlan 5:
[HP-G1/0/3] port trunk pvid vlan 5
[HP-G1/0/3] port trunk permit vlan 5
If you only want the port to support tagged traffic in vlan 220, the config would look like this:
[HP-G1/0/3] port link-type trunk
[HP-G1/0/3] undo port trunk permit vlan 1
[HP-G1/0/3] port trunk permit vlan 220
Cheers,
Eric
07-10-2015 09:03 AM
EricAtHP, I am trying to get the VLAN id from the NPS (Microsoft RADIUS server). I am using a hybrid port. It works fine for untagged VLAN. But now I need to assign a tagged VLAN on the hybrid port. It should be assigned by the RADIUS server.
07-10-2015 10:21 AM
I am not aware of a way to assign a tagged VLAN via RADIUS (802.1X or MAC auth, etc.). I have only ever done untagged dynamic VLAN assignment. Anyone else have any suggestions?
07-12-2015 03:37 PM
I did some more research and it is possible on some switches. For example, the HP 5400 and 3800 support RFC 4675 which allows for tagged VLAN assignment as well as assigning a VLAN by name instead of ID, etc. My install of NPS on 2012R2 doesn't have support for RFC4675 built in. That said, it might be possible to edit the dictionary to support it. Here is some info on RFC 4675: https://tools.ietf.org/html/rfc4675. I am not sure how to do it. I don't see support for RFC 4675 on the 5500 but am asking around to be sure.
07-13-2015 06:47 AM
Thanks Eric. I have HP 5500 switches and I found in the security manual that "Trunk and hybrid ports support RFC 4675-compliant assignment of only tagged VLANs." You are right, the Microsoft NPS 2012 does not support RFC 4675 and this is my case. I already tried to insert a Vendor Specific Attribute in the RADIUS policy. I used vendor-id = 2011 (Huawei), attribute id = 56 (attribute number in the RFC 4675) and value 0x3100000A (31 -> tagged VLAN, "A" number of my VLAN (10)). But it did not work. I have already tried vendor-id = 11 (HP). The NPS sends the parameter correctly but it has no effect.
07-13-2015 07:37 AM
Good to hear that the 5500 supports 4675. I wouldn't have expected the VSA attributes to work. 4675 defines a very specific format for the data fields in attributes 56, 57, 58, and 59. The spec defines it at https://tools.ietf.org/html/rfc4675. I have searched for instructions to modify the dnary.xml file without any luck. I think the next step is to take this up with Microsoft.
If anyone has any suggestions, please let us all know.
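The fixed 4675 value format Eric refers to, and the 0x3100000A value tried two replies up, worked through as an added example (not code from this thread, HPE or Microsoft). It encodes and decodes the 4-octet Egress-VLANID value, wraps it in RFC 2865 type/length/value attributes the way an Access-Accept would carry it, and rejects malformed values a switch should not act on; the sample VLAN list is constructed from the port layout described later in the thread.

```python
import struct

# RFC 4675 Egress-VLANID: RADIUS attribute type 56. Value is 4 octets:
# tag indicator (0x31 = tagged, 0x32 = untagged) followed by 3 octets
# holding the 12-bit VLAN ID, zero padded. So 0x3100000A = tagged VLAN 10.
EGRESS_VLANID = 56
TAGGED, UNTAGGED = 0x31, 0x32


def encode_egress_vlanid(vlan_id: int, tagged: bool = True) -> bytes:
    """Return the 4-octet Egress-VLANID value for one VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id {vlan_id} outside 1..4094")
    return struct.pack("!I", ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id)


def decode_egress_vlanid(value: bytes) -> tuple:
    """Parse one value; reject anything a switch should not act on."""
    if len(value) != 4:
        raise ValueError("Egress-VLANID value must be exactly 4 octets")
    (word,) = struct.unpack("!I", value)
    indicator, vlan_id = word >> 24, word & 0xFFFFFF
    if indicator not in (TAGGED, UNTAGGED):
        raise ValueError(f"unknown tag indicator 0x{indicator:02x}")
    if not 1 <= vlan_id <= 4094:  # 12-bit field; 0 and 4095 are reserved
        raise ValueError(f"invalid VLAN id {vlan_id}")
    return vlan_id, indicator == TAGGED


def build_avps(untagged: int, tagged: list) -> bytes:
    """Serialize one RFC 2865 AVP (type, length, value) per VLAN."""
    out = b""
    for vlan_id, is_tagged in [(untagged, False)] + [(v, True) for v in tagged]:
        value = encode_egress_vlanid(vlan_id, is_tagged)
        out += struct.pack("!BB", EGRESS_VLANID, 2 + len(value)) + value
    return out


def parse_avps(data: bytes) -> list:
    """Walk a run of AVPs and return (vlan_id, tagged) per Egress-VLANID."""
    result, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed AVP length")
        if atype == EGRESS_VLANID:
            result.append(decode_egress_vlanid(data[pos + 2:pos + alen]))
        pos += alen
    return result


# Constructed sample: untagged/PVID 500 plus the tagged VLANs from the
# later reply in this thread (501, 502, 504, 506, 508, 510, 511, 512).
SAMPLE = build_avps(500, [501, 502, 504, 506, 508, 510, 511, 512])
```

A NAS that only honours the last VLAN attribute, as the 5130 is described doing later in the thread, would keep just the final tuple that parse_avps returns.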
09-14-2015 10:56 AM
Hi,
I think you need to enable 802.1x on the switch.
HP>dis dot1x
Equipment 802.1X protocol is enabled
EAP authentication is enabled
EAD quick deploy is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 30 s, Quiet Period Timer is disabled
Supp Timeout 15 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times 2
EAD quick deploy configuration:
EAD timeout: 30 m
The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 0
HP> dot1x
dot1x timer quiet-period 30
dot1x timer supp-timeout 15
dot1x authentication-method eap
int gig x/x/x
port access vlan XXX(guest vlan)
loopback-detection enable
loopback-detection action shutdown
broadcast-suppression 10
stp edged-port enable
dot1x max-user 2
dot1x guest-vlan XXX(guest vlan)
dot1x auth-fail vlan XXX(guest vlan)
undo dot1x handshake
dot1x mandatory-domain xxxxxx.com (FQDN)
dot1x port-method portbased
dot1x
12-09-2015 12:06 PM - edited 12-09-2015 12:10 PM
Thanks to the guidance in the discussion above, I got this to work using Windows Server 2012 R2 NPS. I have a very specific use case where I have some hospitality-type APs (HP 527's) with passthrough ports; I needed the switch to automatically tag through the VLANs I might need on the switch ports on the 527.
The attributes in RFC 4675 are RADIUS-Standard attributes; no amount of tinkering with vendor-specific attributes (which is actually attribute ID 26) will cause them to be passed to the switch correctly - unless you're using the pre-standard ProCurve attributes. It would therefore seem that the only way to expose the option in the GUI is to hack the dnary.xml file.
This modification described here is of course totally unsupported by Microsoft, and implementing it may cause a rip in the space-time continuum. Or not.
If you do go ahead with hacking away at dnary.xml, MAKE A BACKUP BEFORE YOU MAKE ANY CHANGES!
I added the bit below to the dnary.xml file on my 2012 R2 server. I'm not sure whether it makes a difference where you place the text, as long as it's at the same level as the other Attribute entries. It made sense to me to put it between attributes 56 & 60. (Yes, I had to reboot for it to take effect; not sure how else to trigger a reload of the dnary.xml file.)
<Attribute>
<ID>56</ID>
<Name>Egress-VLANID</Name>
<Syntax>OctetString</Syntax>
<MultiValued>1</MultiValued>
<Is-Security-Sensitive>0</Is-Security-Sensitive>
<IsAllowedInProfile>1</IsAllowedInProfile>
<IsAllowedInCondition>0</IsAllowedInCondition>
<IsAllowedInProxyProfile>1</IsAllowedInProxyProfile>
<IsAllowedInProxyCondition>0</IsAllowedInProxyCondition>
<LDAPName>msRADIUSEgress-VLANID</LDAPName>
<IsTunnelAttribute>0</IsTunnelAttribute>
</Attribute>
Once in place, I was able to add the Egress-VLANID attribute as a setting under Standard RADIUS attributes, and add multiple tagged VLANs inside it. For my specific use case I used it in the Connection Request Policy, but the settings can be set in a Network Policy as well. The 2530 ProCurve switch I used this on happily accepted and applied the values, provided *all* the VLANs are defined on the switch. I will be testing more on Comware soon; the HP 830 Unified-WLAN I tested on did not seem to support RFC 4675, but the manuals for the 5120 (Comware 5) and 5130 (Comware 7) do explicitly mention RFC 4675 compliance so I'm hopeful they'll work.
In the screenshots below, I set the PVID and Untagged VLAN to 500, and tag VLANs 501, 502, 504, 506, 508, 510, 511 and 512.
12-17-2015 04:38 AM
Just some feedback on this following raising a support incident: this particular feature does *not* work on Comware 7 switches yet (as of December 2015.) I must have looked in the wrong document when I thought I saw mention of the 5130 supporting it. The 5120 and 5500 (Comware 5) switches support it, as documented in the 5120 Security Configuration Guide.
It "almost" works on the 5130; debug output indicates it already understands the EGRESS-VLANID attribute, but it cannot yet tag multiple VLANs on a port. It only actions the last VLAN-related attribute in the RADIUS response (whether that is the last in a list of EGRESS-VLANIDs or a Tunnel-Private-Group-ID attribute.)
It's a bit disappointing that this arguably premium switch lags behind feature-wise, but I'd admit that it's a niche capability. I'll be submitting a feature request, but given that it already correctly parses the EGRESS-VLANID attribute, I suspect the feature is already in the works.