Re: radius port access mixed mode not working as expected

 
vwalbroehl
Visitor

radius port access mixed mode not working as expected

Hi everyone,

I have a 2920 and a third-party unconfigured 8-port PoE switch. I want to have a mixed environment on one specific port for authorized Windows computers in VLAN 112, and the rest will belong to the telephone VLAN 101, regardless of whether it's a telephone or not.

The config is:

aaa port-access authenticator 1/25 client-limit 7
aaa port-access authenticator 1/25 unauth-vid 101
aaa port-access authenticator 1/25 auth-vid 112
aaa port-access authenticator 1/25 reauth-period 0
aaa port-access authenticator 1/25 unauth-period 5
aaa port-access 1/25 mixed
interface 1/25 untagged vlan 101

Radius itself is working well in port-based mode on all of the other ports.

The laptop connected to the third-party switch is working well and is authenticated. The switch console displays one auth and one guest. But the telephone fails to keep the network connection and wants to log in again from time to time (no reboot, just an application login).

So here's the big question: how can I keep the Windows machines authenticated and the telephones unauthenticated forever as long as they are powered (until I reset the port)?

 

BR,

Volker

Linkk
Frequent Advisor

Re: radius port access mixed mode not working as expected

Hi Volker,

I myself don't set the timeout values per port but in the global config where the RADIUS server is configured.

E.g.:

radius-server host 10.20.11.4 key "Demo123!"
radius-server timeout 3
radius-server retransmit 1

aaa authentication port-access eap-radius
aaa port-access authenticator A5 
aaa port-access authenticator A5 unauth-vid 101
aaa port-access authenticator A5 client-limit 5
aaa port-access authenticator active

It should work with an unmanaged switch this way. 

When you plug in a laptop that is unauthenticated, does it also try to login every few minutes?

vwalbroehl
Visitor

Re: radius port access mixed mode not working as expected

Hi,

In your scenario, I need to allow RADIUS-assigned VLANs. And what about the mixed mode on that port?

All other options regarding my RADIUS are default values. Port-based access itself is working fine. Only that specific port isn't working as expected or as configured. Since reauth is disabled, the telephone shouldn't be trying over and over. The client should be a guest on the network.

Linkk
Frequent Advisor

Re: radius port access mixed mode not working as expected

Hi,

Yes, you're right, I used RADIUS-assigned VLANs, but that shouldn't affect the unauth VLAN...

I've never used the mixed parameter, but guests and authenticated clients worked nonetheless. Perhaps I don't need it with RADIUS-assigned VLANs? I have no idea...

Your problem seems very strange. No reauth is, I believe, also the standard value for every port.

What happens with the phone, if you plug it directly into the port, without the unmanaged switch? Does it also reauth every few seconds?

vwalbroehl
Visitor

Re: radius port access mixed mode not working as expected

Hi, the telephone isn't reauthing every few seconds; it is losing the connection to the PBX irregularly for several minutes.

The other phones are on untagged ports without any authentication.

I need to know how to configure a port to ask only once for authentication and then never again for the same MAC address.

Linkk
Frequent Advisor

Re: radius port access mixed mode not working as expected

The configuration you have posted should work that way. A device is considered a guest after 5 seconds and all its traffic is in the unauth-vid VLAN.
The command "client-limit" does exactly what you want.

Set the maximum number of clients to allow on the port. With no client limit, authentication happens in port-based mode, otherwise in client-based mode.

The reauth-period is 0 by default but also does what you want:

Set the re-authentication timeout (in seconds, default 0); set to '0' to disable re-authentication.

You should see the phone and the other client with "show port-access authenticator <PORT>":

 

 Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Use LLDP data to authenticate [No] : No

        Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
  Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
  ----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
  B1    1/1     1       101      10     No        No    No     both  1000FDx

Then check whether this changes when the phone has lost the connection to the PBX.

You could also check the switch with an unauthenticated PC. It should be in the unauth-vid and not reauthenticate.

 

vwalbroehl
Visitor

Re: radius port access mixed mode not working as expected

Currently only the telephone is connected, but I have no "Unauth Client" ... why?

Normally I have 1 Auths and 1 Guests on that port.

 Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Dot1x2010 Mode [Disabled] : Disabled                Use LLDP data to authenticate [No] : No

        Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
  Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
  ----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
  1/25  0/1     0       101      No     No        No    No     both  1000FDx

vwalbroehl
Visitor

Re: radius port access mixed mode not working as expected

Current situation with 1 laptop and 1 telephone:

show port-access authenticator 1/25

 Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Dot1x2010 Mode [Disabled] : Disabled                Use LLDP data to authenticate [No] : No

        Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
  Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
  ----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
  1/25  1/1     0       112      No     No        No    No     both  1000FDx


show port-access authenticator 1/25 clients

 Port Access Authenticator Client Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Dot1x2010 Mode [Disabled] : Disabled                Use LLDP data to authenticate [No] : No

  Port  Client Name           MAC Address   IP Address      Client Status
  ----- --------------------- ------------- --------------- --------------------
  1/25                        0001e3-xxxxxx n/a             Connecting
  1/25  host/xxxxxx.xxx...    5cb901-xxxxxx n/a             Authenticated
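As an added example, not part of this thread or of the switch firmware, here is a small parser for the two "show port-access authenticator" tables shown above, plus an audit that flags the two observations the thread turns on: a port whose untagged VLAN has moved to the auth-vid while a guest is still counted, and a client left in "Connecting" rather than Authenticated or guest. The MACs, hostname and second port row are constructed; the column layout is the thread's own.

```python
import re

# Constructed samples in the layout of the thread's show output (MACs and 1/26 are made up).
STATUS_OUTPUT = """\
        Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
  Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
  ----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
  1/25  1/1     0       112      No     No        No    No     both  1000FDx
  1/26  0/1     0       101      No     No        No    No     both  1000FDx
"""
CLIENTS_OUTPUT = """\
  Port  Client Name           MAC Address   IP Address      Client Status
  ----- --------------------- ------------- --------------- --------------------
  1/25                        0001e3-000001 n/a             Connecting
  1/25  host/pc01.example     5cb901-000002 n/a             Authenticated
"""

# Header and separator lines contain no "digits/digits" or MAC field, so they never match.
STATUS_ROW = re.compile(r"^\s*(\S+)\s+(\d+)/(\d+)\s+(\d+)\s+(\S+)\s")
CLIENT_ROW = re.compile(r"^\s*(\S+)\s+(?:(\S+)\s+)?([0-9a-f]{6}-[0-9a-f]{6})\s+(\S+)\s+(\S+)\s*$")


def parse_status(text):
    """Map port -> auths/guests/unauth counters and current untagged VLAN."""
    ports = {}
    for line in text.splitlines():
        m = STATUS_ROW.match(line)
        if m:
            port, auths, guests, unauth, vlan = m.groups()
            ports[port] = {"auths": int(auths), "guests": int(guests),
                           "unauth": int(unauth), "untagged_vlan": vlan}
    return ports


def parse_clients(text):
    """List of (port, client name or '', mac, status); the name column may be empty."""
    rows = []
    for line in text.splitlines():
        m = CLIENT_ROW.match(line)
        if m:
            port, name, mac, _ip, status = m.groups()
            rows.append((port, name or "", mac, status))
    return rows


def audit(ports, clients, unauth_vid, auth_vid):
    """Observations to check against the intended mixed-mode behaviour (not a diagnosis)."""
    findings = [f"{p}: guest counted but untagged VLAN is auth-vid {auth_vid}, not {unauth_vid}"
                for p, st in ports.items() if st["guests"] and st["untagged_vlan"] == auth_vid]
    findings += [f"{p}: {mac} in Connecting state, neither Authenticated nor guest"
                 for p, _name, mac, status in clients if status == "Connecting"]
    return findings
```

Run it against a pasted show output taken while the phone has lost its PBX session and again afterwards, and compare the two audit results.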