ProCurve / ProVision-Based
cancel
Showing results for 
Search instead for 
Did you mean: 

802.1x Multiple-auth with different Vlans

ghel
Occasional Contributor

802.1x Multiple-auth with different Vlans

Hi,

we have a Procurve 5412zl (J8698A) switch. I managed to implement 802.1x authentication successfully. I am using Mac-Based authentication for Printers, Phones, Dect stations and WiFi Ap's. For the users User-Based authentication.

Now we have 10-15 unmanaged dumb desktop switches in some offices. Unfortunately not all users connected to those dumb switches are from the same department, which means each needs to be authenticated to get the correct Vlan, which doen't work with these dumb switches, so I start playing around with a managed Vlan and 802.1x capable switch as a replacement for the unmanaged dumb switch. The new switch is connected to the Procurve 5412zl (J8698A) over a port wich can do both Mac-Based and User-Based authentication, the new switch is authenticated over the Mac address. I enabled the 802.1x feature on the new switch, unfortunately I couldn't authenticate at all, the request to freeradius is accepted and the Access accept is sent to the client.

On the Procurve 5412zl (J8698A) no Vlan is tagged on this specific port, only the Vlan of the switch is untagged. When I connect to HP port directly it works as expected for all devices, but not with the other switch in between.

I don't know what I am missing here!

We have a ring typology and the HP switch is not the core switch.

Is the Procurve 5412zl (J8698A) capable to make this scenario possible?

How can I authenticate one user, multiple users with different Vlans?

Best

1 REPLY
ghel
Occasional Contributor

Re: 802.1x Multiple-auth with different Vlans

Hi,

no idea here?  once I connect the Unifi switch it gets authenticated with Mac-Address and Vlan 2 is untagged on the port of the HP switch :

 

switch-north1(config)# show vlans ports a18

 Status and Counters - VLAN Information - for ports A18

  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  2       NetworkComponents                | Port-based No    No   

 

when I try to connect with 802.1x with my client I see the following message in the logging of the Unifi switch:

UBNT daemon.notice switch: TRAPMGR: Link Up: 0/4
UBNT daemon.notice switch: DOT1X: Dot1x Authenticated Successfully

The logging of the HP switch doen't show any thing

I tried on the Procurve 5412zl (J8698A) the following:

  • tagging the vlan (vlan 10) on port A18 and then:
    aaa port-access authenticator A18
    aaa port-access authenticator A18 client-limit 2
    aaa port-access mac-based A18
    aaa port-access mac-based A18 addr-limit 2
  • I tried it the other way around:
    aaa port-access authenticator A18
    aaa port-access authenticator A18 client-limit 2
    aaa port-access mac-based A18
    aaa port-access mac-based A18 addr-limit 2
    aaa authentication allow-vlan tagged
    vlan 10 tagged A18
  • I tried it with:
    aaa port-access A18 mixed

 

Unfortunately nothing worked and I couldn't authenticate the user. Without the intermediate switch every thing works as expected and I have to use at least 5 intermediate switches. I am also able to use the HP 1820-8G switch instead of the Unifi if it would help.

I would be happy for any hint here.

Thanks