
Dynamic TAGGED VLAN assignment HP 5500

 
FabianoCh
Advisor

Dynamic TAGGED VLAN assignment HP 5500

Hi guys, I am trying to assign a tagged VLAN from Microsoft 2012 NPS (RADIUS) to a switch port, but I can't find the appropriate attribute on the NPS. To set the VLAN ID I used the attribute Tunnel-Pvt-Group-ID. It works fine. But how do I tell the HP 5500 that it should be tagged?

EricAtHP
Esteemed Contributor

Re: Dynamic TAGGED VLAN assignment HP 5500

On the switch, use these commands to set interface g1/0/3 to support untagged traffic on VLAN 1 and tagged traffic on VLAN 220:

[HP] interface g1/0/3
[HP-G1/0/3] port link-type trunk
[HP-G1/0/3] port trunk permit vlan 220

If you want to change the untagged VLAN to VLAN 5:

[HP-G1/0/3] port trunk pvid vlan 5
[HP-G1/0/3] port trunk permit vlan 5

If you only want the port to support tagged traffic in VLAN 220, the config would look like this:

[HP-G1/0/3] port link-type trunk
[HP-G1/0/3] undo port trunk permit vlan 1
[HP-G1/0/3] port trunk permit vlan 220


Cheers,

Eric

FabianoCh
Advisor

Re: Dynamic TAGGED VLAN assignment HP 5500

EricAtHP
Esteemed Contributor

Re: Dynamic TAGGED VLAN assignment HP 5500

I am not aware of a way to assign a tagged VLAN via RADIUS (802.1X or MAC auth, etc.). I have only ever done untagged dynamic VLAN assignment. Anyone else have any suggestions?

EricAtHP
Esteemed Contributor

Re: Dynamic TAGGED VLAN assignment HP 5500

I did some more research and it is possible on some switches. For example, the HP 5400 and 3800 support RFC 4675, which allows for tagged VLAN assignment as well as assigning a VLAN by name instead of ID, etc. My install of NPS on 2012 R2 doesn't have support for RFC 4675 built in. That said, it might be possible to edit the dictionary to support it. Here is some info on RFC 4675: https://tools.ietf.org/html/rfc4675. I am not sure how to do it. I don't see support for RFC 4675 on the 5500 but am asking around to be sure.

FabianoCh
Advisor

Re: Dynamic TAGGED VLAN assignment HP 5500

Thanks Eric. I have HP 5500 switches and I found in the security manual that "Trunk and hybrid ports support RFC 4675-compliant assignment of only tagged VLANs." You are right, the Microsoft NPS 2012 does not support RFC 4675 and this is my case. I already tried to insert a Vendor Specific Attribute in the RADIUS policy. I used vendor-id = 2011 (Huawei), attribute id = 56 (attribute number in RFC 4675) and value 0x3100000A (31 -> tagged VLAN, "A" -> the number of my VLAN (10)). But it did not work. I have also tried vendor-id = 11 (HP). The NPS sends the parameter correctly but it has no effect.
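The Egress-VLANID value tried above, worked through as an added example (not code from this thread, from HP or from Microsoft): it packs and unpacks the RFC 4675 section 2.1 value (tag indicator 0x31/0x32, twelve zero pad bits, twelve-bit VLAN ID), builds the standard type 56 attribute, builds the Vendor-Specific (type 26) wrapper with vendor 2011 and vendor-type 56 that the post describes so the wire bytes can be compared, and interprets a constructed Access-Accept attribute list (one untagged VLAN, several tagged VLANs and an NPS-style Tunnel-Private-Group-ID) the way a fully compliant switch would. Attribute numbers and layouts come from RFC 4675, RFC 2868 and RFC 2865; the function names and SAMPLE_ACCEPT are this example's own.

```python
"""RFC 4675 Egress-VLANID on the RADIUS wire (added example, not from the thread)."""
import struct

EGRESS_VLANID = 56             # RFC 4675 section 2.1
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868; NPS shows it as Tunnel-Pvt-Group-ID
VENDOR_SPECIFIC = 26           # RFC 2865 section 5.26
TAGGED, UNTAGGED = 0x31, 0x32  # ASCII '1' / '2' tag indicators from RFC 4675


def encode_egress_vlanid(vlan_id: int, tagged: bool = True) -> bytes:
    """4-octet value: tag indicator, 12 zero padding bits, 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} out of range")
    return struct.pack("!I", ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id)


def decode_egress_vlanid(value: bytes) -> tuple:
    """Return (tagged, vlan_id); reject lengths, indicators and padding the RFC forbids."""
    if len(value) != 4:
        raise ValueError("Egress-VLANID value must be exactly 4 octets")
    (word,) = struct.unpack("!I", value)
    tag, pad, vid = word >> 24, (word >> 12) & 0xFFF, word & 0xFFF
    if tag not in (TAGGED, UNTAGGED) or pad != 0:
        raise ValueError(f"malformed Egress-VLANID {value.hex()}")
    return tag == TAGGED, vid


def attribute(attr_type: int, value: bytes) -> bytes:
    """Standard RADIUS TLV: type, length (counts the two header octets), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([attr_type, len(value) + 2]) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapper: Vendor-Id, then a vendor TLV. Included only to
    show that this is a different attribute from a top-level type 56."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_attributes(blob: bytes) -> list:
    """Walk a concatenated attribute list (the body of an Access-Accept)."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {t}")
        out.append((t, blob[i + 2:i + length]))
        i += length
    return out


def vlan_plan(attrs: list) -> dict:
    """Interpret VLAN attributes as a fully RFC 4675-compliant port would: every
    Egress-VLANID applies; Tunnel-Private-Group-ID (minus its optional RFC 2868
    tag octet, present when the first byte is <= 0x1F) names the untagged VLAN.
    A Vendor-Specific wrapper is simply not seen here."""
    plan = {"tagged": [], "untagged": [], "tunnel_group": None}
    for t, v in attrs:
        if t == EGRESS_VLANID:
            tagged, vid = decode_egress_vlanid(v)
            plan["tagged" if tagged else "untagged"].append(vid)
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            s = v[1:] if v and v[0] <= 0x1F else v
            plan["tunnel_group"] = s.decode("ascii")
    return plan


# Constructed Access-Accept attribute list (not a capture): untagged VLAN 500,
# tagged 501/502/504/506/508/510/511/512, plus a tagged Tunnel-Pvt-Group-ID of 500.
SAMPLE_ACCEPT = (
    attribute(EGRESS_VLANID, encode_egress_vlanid(500, tagged=False))
    + b"".join(attribute(EGRESS_VLANID, encode_egress_vlanid(v))
               for v in (501, 502, 504, 506, 508, 510, 511, 512))
    + attribute(TUNNEL_PRIVATE_GROUP_ID, b"\x00500")
)

if __name__ == "__main__":
    print(decode_egress_vlanid(bytes.fromhex("3100000A")))   # the value tried above
    print(attribute(EGRESS_VLANID, encode_egress_vlanid(10)).hex())
    print(vsa(2011, 56, encode_egress_vlanid(10)).hex())     # what the VSA attempt sends
    print(vlan_plan(parse_attributes(SAMPLE_ACCEPT)))
```

The two hex lines make the point of the thread concrete: the standard attribute is six octets starting with 0x38 0x06, whereas the VSA attempt is twelve octets starting with 0x1A 0x0C and the vendor ID, so a switch looking for attribute 56 at the top level never sees it. The padding check in decode_egress_vlanid is what a switch should do as well; a value like 0x3100100A is not a VLAN 10 with a typo, it is malformed and must be ignored.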

EricAtHP
Esteemed Contributor

Re: Dynamic TAGGED VLAN assignment HP 5500

Good to hear that the 5500 supports 4675. I wouldn't have expected the VSA attributes to work. 4675 defines a very specific format for the data fields in attributes 56, 57, 58, and 59. The spec defines it at https://tools.ietf.org/html/rfc4675. I have searched for instructions to modify the dnary.xml file without any luck. I think the next step is to take this up with Microsoft.

 

If anyone has any suggestions, please let us all know.

RGMNETADMIN
Visitor

Re: Dynamic TAGGED VLAN assignment HP 5500

Hi,

I think you need to enable 802.1X on the switch.

<HP> dis dot1x
 Equipment 802.1X protocol is enabled
 EAP authentication is enabled
 EAD quick deploy is disabled

 Configuration: Transmit Period   30 s,  Handshake Period       15 s
                Quiet Period      30 s,  Quiet Period Timer is disabled
                Supp Timeout      15 s,  Server Timeout        100 s
                Reauth Period   3600 s
                The maximal retransmitting times    2
 EAD quick deploy configuration:
                EAD timeout:   30 m

 The maximum 802.1X user resource number is 1024 per slot
 Total current used 802.1X resource number is 0

Global 802.1X configuration:

 dot1x
 dot1x timer quiet-period 30
 dot1x timer supp-timeout 15
 dot1x authentication-method eap

Per-port configuration (XXX is your guest VLAN, xxxxxx.com is the domain FQDN):

interface gig x/x/x
 port access vlan XXX
 loopback-detection enable
 loopback-detection action shutdown
 broadcast-suppression 10
 stp edged-port enable
 dot1x max-user 2
 dot1x guest-vlan XXX
 dot1x auth-fail vlan XXX
 undo dot1x handshake
 dot1x mandatory-domain xxxxxx.com
 dot1x port-method portbased
 dot1x

 

 

Jannie Hanekom
Advisor

Re: Dynamic TAGGED VLAN assignment HP 5500

Thanks to the guidance in the discussion above, I got this to work using Windows Server 2012 R2 NPS. I have a very specific use case where I have some hospitality-type APs (HP 527s) with passthrough ports; I needed the switch to automatically tag through the VLANs I might need on the switch ports on the 527.

The attributes in RFC 4675 are RADIUS-Standard attributes; no amount of tinkering with vendor-specific attributes (which is actually attribute ID 26) will cause them to be passed to the switch correctly, unless you're using the pre-standard ProCurve attributes. It would therefore seem that the only way to expose the option in the GUI is to hack the dnary.xml file.

This modification described here is of course totally unsupported by Microsoft, and implementing it may cause a rip in the space-time continuum. Or not.

If you do go ahead with hacking away at dnary.xml, MAKE A BACKUP BEFORE YOU MAKE ANY CHANGES! 

I added the bit below to the dnary.xml file on my 2012 R2 server. I'm not sure whether it makes a difference where you place the text, as long as it's at the same level as the other Attribute entries. It made sense to me to put it between attributes 56 & 60. (Yes, I had to reboot for it to take effect; I'm not sure how else to trigger a reload of the dnary.xml file.)


 

 <Attribute>
  <ID>56</ID>
  <Name>Egress-VLANID</Name>
  <Syntax>OctetString</Syntax>
  <MultiValued>1</MultiValued>
  <Is-Security-Sensitive>0</Is-Security-Sensitive>
  <IsAllowedInProfile>1</IsAllowedInProfile>
  <IsAllowedInCondition>0</IsAllowedInCondition>
  <IsAllowedInProxyProfile>1</IsAllowedInProxyProfile>
  <IsAllowedInProxyCondition>0</IsAllowedInProxyCondition>
  <LDAPName>msRADIUSEgress-VLANID</LDAPName>
  <IsTunnelAttribute>0</IsTunnelAttribute>
 </Attribute>


 

Once in place, I was able to add the Egress-VLANID attribute as a setting under Standard RADIUS attributes, and add multiple tagged VLANs inside it. For my specific use case I used it in the Connection Request Policy, but the settings can be set in a Network Policy as well. The 2530 ProCurve switch I used this on happily accepted and applied the values, provided *all* the VLANs are defined on the switch. I will be testing more on Comware soon; the HP 830 Unified-WLAN I tested on did not seem to support RFC 4675, but the manuals for the 5120 (Comware 5) and 5130 (Comware 7) do explicitly mention RFC 4675 compliance, so I'm hopeful they'll work.

In the screenshots below, I set the PVID and Untagged VLAN to 500, and tag VLANs 501, 502, 504, 506, 508, 510, 511 and 512.

[Screenshots attached to the original post: RFC 4675 Test 1.PNG, RFC 4675 Test 2.PNG, RFC 4675 Test 3.PNG]
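The dnary.xml change above as an added script (not Microsoft's, HP's or the poster's code) that automates the two rules the post gives, back the file up before touching it and put the entry at the same level as the other Attribute entries, and adds two checks a practitioner would want: it refuses to insert a second ID 56 if run again, and it re-parses the result so a broken file is caught before NPS is rebooted. The Attribute element is the one from the post; add_attribute(), demo(), the root element name Dictionary and the neighbouring IDs 55 and 60 in SAMPLE_DICTIONARY are this example's own constructed stand-in for the real file, whose layout may differ.

```python
"""Back up and extend an NPS RADIUS dictionary with RFC 4675 Egress-VLANID.
Added example; the sample dictionary below is constructed, not the real dnary.xml."""
import shutil
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path

# The entry from the post, verbatim.
EGRESS_VLANID_XML = """<Attribute>
  <ID>56</ID>
  <Name>Egress-VLANID</Name>
  <Syntax>OctetString</Syntax>
  <MultiValued>1</MultiValued>
  <Is-Security-Sensitive>0</Is-Security-Sensitive>
  <IsAllowedInProfile>1</IsAllowedInProfile>
  <IsAllowedInCondition>0</IsAllowedInCondition>
  <IsAllowedInProxyProfile>1</IsAllowedInProxyProfile>
  <IsAllowedInProxyCondition>0</IsAllowedInProxyCondition>
  <LDAPName>msRADIUSEgress-VLANID</LDAPName>
  <IsTunnelAttribute>0</IsTunnelAttribute>
 </Attribute>"""


def _id(elem) -> int:
    return int(elem.findtext("ID").strip())


def add_attribute(path: Path, new_attr_xml: str = EGRESS_VLANID_XML) -> dict:
    """Back up, insert the entry in ID order (once only), write, and re-parse."""
    stamp = time.strftime("%Y%m%d%H%M%S")
    backup, n = path.with_name(f"{path.name}.{stamp}.bak"), 0
    while backup.exists():                     # never overwrite an earlier backup
        n += 1
        backup = path.with_name(f"{path.name}.{stamp}-{n}.bak")
    shutil.copy2(path, backup)

    # insert_comments keeps XML comments in the file across the rewrite
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.parse(str(path), parser).getroot()
    new = ET.fromstring(new_attr_xml)
    new_id = _id(new)

    entries = list(root.iter("Attribute"))
    if not entries:
        raise ValueError(f"{path}: no <Attribute> entries, not touching it")
    parent_of = {child: parent for parent in root.iter() for child in parent}
    parents = {parent_of[e] for e in entries if e in parent_of}
    if len(parents) != 1:                      # unknown layout: refuse rather than guess
        raise ValueError(f"{path}: <Attribute> entries under several parents")
    parent = parents.pop()

    ids = [_id(e) for e in entries]
    if new_id in ids:                          # idempotent: run twice, change once
        return {"backup": backup, "inserted": False, "ids": ids}

    pos = 0                                    # after the last entry with a smaller ID
    for i, child in enumerate(list(parent)):
        if child.tag == "Attribute" and _id(child) < new_id:
            pos = i + 1
    new.tail = parent[pos - 1].tail if pos else "\n"
    parent.insert(pos, new)

    ET.ElementTree(root).write(str(path), encoding="utf-8", xml_declaration=True)
    ET.parse(str(path))                        # must still be well-formed XML
    return {"backup": backup, "inserted": True,
            "ids": [_id(e) for e in root.iter("Attribute")]}


# Constructed sample (the real dnary.xml has many more entries and may differ in shape).
SAMPLE_DICTIONARY = """<?xml version="1.0" encoding="utf-8"?>
<Dictionary>
 <!-- constructed sample dictionary -->
 <Attribute>
  <ID>55</ID>
  <Name>Event-Timestamp</Name>
 </Attribute>
 <Attribute>
  <ID>60</ID>
  <Name>CHAP-Challenge</Name>
 </Attribute>
</Dictionary>
"""


def demo() -> dict:
    """Run the edit twice against a throwaway copy of the constructed sample."""
    work = Path(tempfile.mkdtemp()) / "dnary.xml"
    work.write_text(SAMPLE_DICTIONARY, encoding="utf-8")
    first = add_attribute(work)
    second = add_attribute(work)               # second run must be a no-op
    return {
        "first": first, "second": second,
        "backup_intact": first["backup"].read_text(encoding="utf-8") == SAMPLE_DICTIONARY,
        "names": [e.findtext("Name") for e in ET.parse(work).getroot().iter("Attribute")],
    }


if __name__ == "__main__":
    print(demo())
```

ElementTree re-serialises the whole document (declaration quoting, attribute order, whitespace outside elements), so diff the backup against the rewritten file before rebooting the NPS server, and keep the backup until the Egress-VLANID setting shows up under Standard RADIUS attributes as described in the post.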

Jannie Hanekom
Advisor

Re: Dynamic TAGGED VLAN assignment HP 5500

Just some feedback on this following raising a support incident: this particular feature does *not* work on Comware 7 switches yet (as of December 2015). I must have looked in the wrong document when I thought I saw mention of the 5130 supporting it. The 5120 and 5500 (Comware 5) switches support it, as documented in the 5120 Security Configuration Guide.

It "almost" works on the 5130; debug output indicates it already understands the EGRESS-VLANID attribute, but it cannot yet tag multiple VLANs on a port. It only actions the last VLAN-related attribute in the RADIUS response (whether that is the last in a list of EGRESS-VLANIDs or a Tunnel-Private-Group-ID attribute).

It's a bit disappointing that this arguably premium switch lags behind feature-wise, but I'd admit that it's a niche capability.  I'll be submitting a feature request, but given that it already correctly parses the EGRESS-VLANID attribute, I suspect the feature is already in the works.