Re: 2910AL - Radius VLAN(s) w/ DHCP question
Jeff Carrell
Honored Contributor

hmmm...I have used W2K0, W2K3 and W2K8 and all work just fine...

also, your initial u/l of your config cut off the very bottom...do you have an "unauth-vlan" configured?

oh, another question, do you have the 802.1X supplicant configured on the client to use Windows logon credentials -or- are you waiting for the "little bubble" as I call it to pop up in the corner and enter in the uid/pw?

if using the pop-up, that is why you are seeing the behavior you are.....the system's DHCP request times out before you can get the uid/pw authenticated and you must do an ipconfig release/renew to get the new address......that's why you generally want the "use Windows login" box checked (if using EAP-PEAP)....

I'm thinking that you may have it set up this way, since you said the mac-auth worked immediately, since the switch passed the MAC addr of the NIC as uid/pw to RADIUS and the auth occurred quick enough to get the port open so DHCP could get thru...

hth this time...jeff
groque
Frequent Advisor

Thanks for the response, Jeff.

In regards to the unauth VLAN, no I don't. I created a VLAN, e.g. VLAN 60 "unauthorized", and untagged it for ports 1-16 (access layer ports). If I have to configure it some other way please let me know.

In regards to the supplicant I tried it with that Windows setting checked and it still didn't work.

I took your advice and checked my show port-access auth and I don't see a default VLAN there, even though I specified that all ports 1-4 (used for 802.1x user based VLANs) belong to VLAN 60 unauthorized.

And while the user logs into the computer I check the show port-access auth table and I don't see a VLAN attached to that port yet. I wait another 10 seconds and then it does.

Is there something I am doing wrong here? I know this isn't normal if you got yours working.
groque
Frequent Advisor

I configured the unauth and auth VLANs, but yeah, I totally think it has something to do with the client. Once a user logs in he/she doesn't get tagged with the VLAN ID right away. Ten seconds after log-in they get tagged.

Is there something I can do about this to speed up this process? When I configured 802.1x VLANs on my Cisco Catalyst it worked fine: once I log off and log in as a different user, their IP gets assigned right away without having to release and renew it.

Thanks
groque
Frequent Advisor

Hi all,

I totally think this has something to do with the client; it doesn't authenticate me on the switch right when the user logs on. I uploaded my recent configuration; if anybody has any suggestions please let me know.

I have one more quick question: what is the difference between a supplicant and an authenticator? Do I need them both to run 802.1x user based VLAN(s)?

As you can see in the configuration I enabled it on port 3 hoping it would fix the problem, but it didn't :( If anybody has any suggestions please let me know.

Cheers
Jeff Carrell
Honored Contributor
Solution

well, still not sure...

your auth-vlan - vlan62 and the guest vlan - vlan61, both need the ip helper-addr...

also, the 'aaa port-access gvrp-vlans' command is not required since you are statically defining the vlans...

a port defined as "authenticator" means a supplicant enabled device will be connected to it...a port defined as supplicant means that port will "speak like a supplicant"...

the 'aaa port-access supplicant 3' command means that you want port 3 to send its own supplicant info, so that the switch could actually 802.1X authenticate to another switch it would be connected to, but in order for that to fully work there is 1 more command needed that has the uid/pw in it...so this command is probably not needed...

I assume you do have the 3 attributes configured in the RADIUS policy for the vlan assignment to the switch - correct? I expect you do, or even doing a simple ipconfig release/renew would not get you the correct vlan...

I really can't see why this is happening...I have not used a 2910...in my lab I have 3500-24G, 2626, 2824, 5308...and have used 3400, 8212s in other labs...

there hasn't been an update to the code for the 2910 yet, so there are no release notes to see if there is a problem or not...

perhaps it is time for you to open a trouble call with procurve support...

add those ip helper-addresses, remove those other 2 commands, and if it's still not working, call procurve support...

sorry I can't be of more positive help, but this stuff generally works well, and is easy if you have the config correct, and you basically do when I compare to what I have running...

cheers...jeff
cenk sasmaztin
Honored Contributor

Watch the video and check your RADIUS and switch config

http://www.dosya.tc/802.1x_dynamicvlan.rar.html
cenk

cenk sasmaztin
Honored Contributor

zip password xxx_123
cenk

groque
Frequent Advisor

Thanks for the video and the replies. I am going to modify the config on Monday and make sure I have IP helper addresses on all VLAN(s). I will let you guys know if it works.
groque
Frequent Advisor

Thanks guys, I got it resolved. I added IP helper addresses to all my VLAN(s) and now it's working fine! Thanks a lot.
MullT
Frequent Advisor

Hi,

I'm in a similar situation. Let's take your subnets to explain my problem.

6200yl with the following:
VLAN 10 - E -> Network 172.16.10.0 /24, VLAN 10 is my backbone. switch IP is 172.16.10.40/24
IP default gateway is next hop router: 172.16.10.39
IP routing is enabled
IP route 0.0.0.0 0.0.0.0 172.16.10.39

On the 6200yl I have my subnets:

untagged VLAN 20 - J -> Network 172.16.20.0 /24, IP address 172.16.20.40/24, ip helper address 172.20.20.1
untagged VLAN 30 - S -> Network 172.16.30.0 /24, IP address 172.16.30.40/24, ip helper address 172.20.20.1
tagged VLAN 40 - P -> Network 172.16.40.0 /24, IP address 172.16.40.40/24, ip helper address 172.20.20.1

As you can see I have 1 DHCP server (172.20.20.1) with scopes created for each VLAN. e.g. for my vlan 20, I have setup the DHCP range and the 172.16.20.40/24 for the gateway, for vlan 30 the gateway is 172.16.40.30/24 and for vlan 40 the gateway is 172.16.40.40/24.

I can happily connect to ports with untagged VLAN 20 and 30 and I will get an IP via DHCP.

But when I connect to a port with tagged VLAN 40 (of course I tell Windows to use tag 40 (it's VLAN ID 40 also)) I don't get any IP address via DHCP. In the Windows status tab of the network card, I can see that it sends packets, but no packets come back.

So I'm asking myself whether I forgot to add something within the DHCP server?
I read something about "option 002 router", where I should then put the IP of the 6200yl == 172.16.10.40/24?
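As an added example (not code from the thread, from ProCurve or from any poster), a small Python check for the two DHCP relay pitfalls raised in this thread: Jeff's point that the auth and guest VLANs each need an ip helper-address, and the later question of whether the DHCP server is actually prepared for a request relayed from a given VLAN. The VLAN names, switch addresses and server scopes below are constructed sample values, not anyone's real configuration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Vlan:
    vid: int
    name: str
    svi: Optional[str] = None            # switch IP interface on the VLAN, e.g. "172.16.40.40/24"
    helpers: List[str] = field(default_factory=list)   # ip helper-address entries on the VLAN

@dataclass
class DhcpServer:
    address: str
    scopes: List[str]                    # scope networks, e.g. "172.16.40.0/24"

def check_vlan(vlan: Vlan, server: DhcpServer) -> List[str]:
    """Problems that would stop a client on this VLAN getting a lease; [] means the relay path looks OK."""
    tag = f"VLAN {vlan.vid} ({vlan.name})"
    problems = []
    if server.address not in vlan.helpers:
        # Without a helper the client's DHCP DISCOVER broadcast never leaves the VLAN.
        problems.append(f"{tag}: no ip helper-address {server.address}")
    if vlan.svi is None:
        # The relay puts the VLAN interface IP into giaddr; no interface, no giaddr.
        problems.append(f"{tag}: no IP interface, so the relay has no giaddr to insert")
    else:
        giaddr = ipaddress.ip_interface(vlan.svi).ip
        if not any(giaddr in ipaddress.ip_network(s) for s in server.scopes):
            # The server selects the scope by giaddr; with no matching scope it simply drops the request.
            problems.append(f"{tag}: giaddr {giaddr} matches no scope on {server.address}")
    return problems

def check_all(vlans: List[Vlan], server: DhcpServer) -> Dict[int, List[str]]:
    return {v.vid: check_vlan(v, server) for v in vlans}

# Constructed sample: one DHCP server holding a scope for some, but not all, client VLANs.
SERVER = DhcpServer("172.20.20.1", ["172.16.20.0/24", "172.16.40.0/24", "172.16.62.0/24"])
VLANS = [
    Vlan(20, "J", "172.16.20.40/24", ["172.20.20.1"]),       # helper and scope present
    Vlan(40, "P", "172.16.40.40/24"),                        # helper forgotten on the VLAN
    Vlan(61, "guest", "172.16.61.1/24", ["172.20.20.1"]),    # helper present, but no scope on the server
    Vlan(62, "auth", "172.16.62.1/24", ["172.20.20.1"]),     # helper and scope present
]

if __name__ == "__main__":
    for vid, problems in check_all(VLANS, SERVER).items():
        print(vid, "OK" if not problems else "; ".join(problems))
```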