10-09-2017 01:47 AM
radius port access mixed mode not working as expected
Hi everyone,
I have a 2920 and a third-party unconfigured 8-port PoE switch. I want to have a mixed environment on one specific port for authorized Windows computers in VLAN 112, and the rest will belong to the telephone VLAN 101, regardless of whether it's a telephone or not.
The config is:

aaa port-access authenticator 1/25 client-limit 7
aaa port-access authenticator 1/25 unauth-vid 101
aaa port-access authenticator 1/25 auth-vid 112
aaa port-access authenticator 1/25 reauth-period 0
aaa port-access authenticator 1/25 unauth-period 5
aaa port-access 1/25 mixed
interface 1/25 untagged vlan 101

Radius itself is working well in port-based mode on all of the other ports.
The laptop connected to the 3rd party Switch is working well and is authenticated. The switch console displays one auth and one guest. But the telephone fails to keep the network connection and wants to login again from time to time (no reboot, just an application login).
So here's the big question: how can I keep the Windows machines authenticated and the telephones unauthenticated forever as long as they are powered? (until I reset the port)
BR,
Volker
10-09-2017 05:57 AM
Re: radius port access mixed mode not working as expected
Hi Volker,
I myself use the timeout values not port based but in the global config where the RADIUS server is configured.
For example:

radius-server host 10.20.11.4 key "Demo123!"
radius-server timeout 3
radius-server retransmit 1
aaa authentication port-access eap-radius
aaa port-access authenticator A5
aaa port-access authenticator A5 unauth-vid 101
aaa port-access authenticator A5 client-limit 5
aaa port-access authenticator active

It should work with an unmanaged switch this way.
When you plug in a laptop that is unauthenticated, does it also try to login every few minutes?
10-09-2017 10:40 PM
Re: radius port access mixed mode not working as expected
Hi,
In your scenario, I need to allow RADIUS-assigned VLANs. And what about the mixed mode on that port?
All other options regarding my RADIUS are default values. Port-based access itself is working fine. Only that specific port isn't working as expected nor configured. Since reauth is disabled, the telephone shouldn't be trying over and over. The client should be a guest on the network.
10-11-2017 04:31 AM
Re: radius port access mixed mode not working as expected
Hi,
Yes, you're right, I used RADIUS-assigned VLANs, but that shouldn't affect the unauth VLAN...
I've never used the mixed parameter, but guests and authenticated clients worked nonetheless. Perhaps I don't need it with RADIUS-assigned VLANs? I have no idea...
Your problem seems very strange. No reauth is, I believe, also the standard value for every port.
What happens with the phone, if you plug it directly into the port, without the unmanaged switch? Does it also reauth every few seconds?
10-11-2017 04:37 AM
Re: radius port access mixed mode not working as expected
Hi, the telephone isn't reauthing every few seconds; it is losing the connection to the PBX irregularly for several minutes.
The other phones are on untagged ports without any authentication.
I need to know how to configure a port to ask only once for authentication and then never again for the same MAC address.
10-11-2017 05:45 AM
Re: radius port access mixed mode not working as expected
The configuration you have posted should work that way. A device is considered a guest after 5 seconds and all its traffic is in the unauth-vid VLAN.
The command "client-limit" does exactly what you want.
Set the maximum number of clients to allow on the port. With no client limit, authentication happens in port-based mode, otherwise in client-based mode.
The reauth-period is 0 by default, but it also does what you want:
Set the re-authentication timeout (in seconds, default 0); set to '0' to disable re-authentication.
You should see the phone and the other client with "show port-access authenticator <PORT>"

Port Access Authenticator Status

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Use LLDP data to authenticate [No] : No

      Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
B1    1/1     1       101      10     No        No    No     both  1000FDx

Then check if this changes when the phone has lost the connection to the pbx.
You could also check the switch with an unauthenticated PC. It should be in the unauth-vid and not reauthenticate.
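
The two rules quoted in this thread (no client-limit means port-based mode; reauth-period 0, the default, disables re-authentication) applied to a set of authenticator lines. This is an added example, not part of any post and not HPE tooling; it assumes one port per config line, and port 1/26 in the sample is constructed for contrast.

```python
import re

# Constructed sample: port 1/25 as posted in the thread, plus a hypothetical
# port 1/26 that has no client-limit, to show the other mode.
SAMPLE_CONFIG = """\
aaa port-access authenticator 1/25 client-limit 7
aaa port-access authenticator 1/25 unauth-vid 101
aaa port-access authenticator 1/25 auth-vid 112
aaa port-access authenticator 1/25 reauth-period 0
aaa port-access authenticator 1/25 unauth-period 5
aaa port-access 1/25 mixed
aaa port-access authenticator 1/26
aaa port-access authenticator 1/26 unauth-vid 101
aaa port-access authenticator active
"""

AUTH = re.compile(r"^aaa port-access authenticator (\S+)(?: (\S+) (\d+))?$")
MIXED = re.compile(r"^aaa port-access (\S+) mixed$")

def audit(config):
    """Return {port: {"mode", "mixed", "opts", "findings"}} per 802.1X port."""
    ports = {}
    for line in map(str.strip, config.splitlines()):
        if m := MIXED.match(line):
            ports.setdefault(m.group(1), {})["mixed"] = 1
        elif (m := AUTH.match(line)) and m.group(1) != "active":
            opts = ports.setdefault(m.group(1), {})
            if m.group(2):  # option name and numeric value are present
                opts[m.group(2)] = int(m.group(3))
    report = {}
    for port, opts in ports.items():
        findings = []
        # Rule quoted in the thread: no client-limit means port-based mode.
        mode = "client-based" if "client-limit" in opts else "port-based"
        if mode == "port-based":
            findings.append("first successful login opens the port to every "
                            "device behind it")
        # reauth-period defaults to 0, which disables re-authentication.
        if opts.get("reauth-period", 0) == 0:
            findings.append("authenticated sessions are never re-checked by timer")
        report[port] = {"mode": mode, "mixed": bool(opts.pop("mixed", 0)),
                        "opts": opts, "findings": findings}
    return report

if __name__ == "__main__":
    for port, info in audit(SAMPLE_CONFIG).items():
        print(port, info["mode"], info["findings"])
```
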
10-11-2017 05:50 AM
Re: radius port access mixed mode not working as expected
Currently only the telephone is connected, but I have no "Unauth Client" ... why?
Normally I have 1 Auths and 1 Guests on that port.

Port Access Authenticator Status

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Dot1x2010 Mode [Disabled] : Disabled
Use LLDP data to authenticate [No] : No

      Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
1/25  0/1     0       101      No     No        No    No     both  1000FDx

10-13-2017 02:33 AM
Re: radius port access mixed mode not working as expected
Current situation with 1 laptop and 1 telephone:

show port-access authenticator 1/25

Port Access Authenticator Status

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Dot1x2010 Mode [Disabled] : Disabled
Use LLDP data to authenticate [No] : No

      Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
1/25  1/1     0       112      No     No        No    No     both  1000FDx

show port-access authenticator 1/25 clients

Port Access Authenticator Client Status

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Dot1x2010 Mode [Disabled] : Disabled
Use LLDP data to authenticate [No] : No

Port  Client Name           MAC Address   IP Address      Client Status
----- --------------------- ------------- --------------- --------------------
1/25                        0001e3-xxxxxx n/a             Connecting
1/25  host/xxxxxx.xxx...    5cb901-xxxxxx n/a             Authenticated