ProCurve / ProVision-Based
cancel
Showing results for 
Search instead for 
Did you mean: 

LLDP-MED and 802.1x

SOLVED
Go to solution
FunnyDingo
Occasional Advisor

LLDP-MED and 802.1x

Hello all,

I've configured a 5406zl to perform 802.1x authentication. This works fine: if a device gets authenticated, the port will be assigned to a VLAN defined by the RADIUS and if authentication failes, the VLAN is set to 101 (the "guest VLAN").

Now I've added another VLAN (called VoIP) and enabled LLDP-MED for our IP-Phones. I plugged in one phone and it has full access to the VOIP-VLAN. But the phone as no valid 802.1x configuration.

Here is a part from the config, I used port B1

aaa authentication port-access eap-radius
aaa port-access authenticator B1-B12
aaa port-access authenticator B1-B12 unauth-vid 101
aaa port-access authenticator active
vlan 1
  name "DEFAULT_VLAN"
  no untagged B1-B12
  untagged A1-A18,A21-A24,B13-B24,Trk77
  ip address x.x.x.x 255.255.0.0
  ip igmp
  exit
vlan 9
  name "VOIP"
  tagged A1-A18,A21-A24,B1-B24,Trk77
  no ip address
  qos dscp 101110
  voice
  exit
vlan 101
  name "Extern"
  untagged B1-B12
  tagged Trk77
  no ip address
  exit

The the authenticator state:

show port-access authenticator

Port Access Authenticator Status

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

Auths/ Unauth Untagged Tagged % In RADIUS Cntrl
Port Guests Clients VLAN VLANs Port COS Limit ACL Dir Port Mode
---- ------- ------- -------- ------ --------- ----- ------ ----- ----------
B1 0/1 0 101 Yes No No No both 100FDx

Any idea why the device has access to the VoIP-VLAN without authentication?

Regards,
FunnyDingo

1 REPLY
FunnyDingo
Occasional Advisor
Solution

Re: LLDP-MED and 802.1x

*facepalm* I found a solution (not sure if it's the "best practice", but works lika a charm)

  • Disabled LLDP-MED completely
  • Removed all ports tagged from VoIP VLAN
  • Create new rule in RADIUS which assignes VLAN-ID 9 for successful authentication of user "phone"