Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

2910AL - Radius VLAN(s) w/ DHCP question

SOLVED
Go to solution
groque
Frequent Advisor

2910AL - Radius VLAN(s) w/ DHCP question

Hi all,

I managed to setup Radius assigned VLAN(s) on my ProCurve 2910 using Windows authentication.

These are the scopes I created the DHCP server is on VLAN 50 with an IP of 172.16.50.1.

VLAN 10 - E -> Network 172.16.10.0 /24
VLAN 20 - J -> Network 172.16.20.0 /24
VLAN 30 - S -> Network 172.16.30.0 /24
VLAN 40 - P -> Network 172.16.40.0 /24

Note: I only have 1 server that 50.1 server does everything Radius, AD, DHCP etc. This is just a test lab.

My main concern is when I plug in my laptop to port 1 (which is set as a authenticator) and I log in as a user assigned to VLAN 10, everything works fine!. The laptop, switch and IAS server says that I am connected and when I check the port status I can see that it am on VLAN 1

Auth Unauth Untagged Tagged Kbps In RADIUS Cntrl
Port Clients Clients VLAN VLANs Port COS Limit ACL Dir
---- -------- -------- -------- ------ --------- ----------- ------ -----
1 1 0 1 No 00000000 No No both


The problem is after the user authenticates it doesn't grab an IP from the DHCP server right away. It stays with the APIPA address so what I have to do is manually release and renew the IP address in order to grab one.

Is this a firmware issue or is there a command I am missing?

This is the current firmware I am running Boot Rom Version: W.14.04.

Thanks guys

19 REPLIES
cenk sasmaztin
Honored Contributor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

please send me sh tech print your 2910al switch
cenk

groque
Frequent Advisor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

Thanks for replying

I did the sh tech but my console session can't record all the data being displayed is there something in particular you would like to see I can send that over
cenk sasmaztin
Honored Contributor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

ok please send me sh run print
cenk

groque
Frequent Advisor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

Hi I attached the sh run on this thread if thats the the config you are looking for please let me know.

Cheers
cenk sasmaztin
Honored Contributor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

your ip helper address false
ip helper address must be dhcp server address foreach vlan

and dhcp server default gateway address must be vlan 50 ip address
cenk

groque
Frequent Advisor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

Thanks for your input.

What do you mean I have to have a DHCP server for my VLAN do I need to have a separate DHCP box for all for VLAN(s)? I don't quite understand that concept.

The thing is this config worked perfectly fine when I had static VLAN(s) assigned to each port. For example port 1-4 is assigned to VLAN 10, port 5-8 was assigned to VLAN 20.

When I plugged in a laptop into port 1 it gave me an address of 172.16.10.1 and when I plugged it into port 2 it gave me an address of 172.16.20.1.

With the dynamic VLAN when I log in with a user that belongs to VLAN 10 it doesn't assign me the IP address right away. I have to release and renew my IP address after that it assigns me an IP from the 172.16.10.0 network and vice versa with other VLAN(s).

I hope this all makes sense if you have any questions or suggestions please let me know.
Jeff Carrell
Honored Contributor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

of what i can see of the config and your 2 descriptions, i would think it should be working...

you might try this, create a VLAN99 (i call this the "dead" or "notused" vlan)...do not give it an ip addr or ip helper-address, put port 1 in as untagged...disconnect the laptop from port 1, reconnect to port 1 and see if it works any better...

i can't guarantee it will be better, but that is how i have my 802.1X switches configured...

hth...jeff
groque
Frequent Advisor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

Thanks for the advice Jeff but that did not solve the problem. Maybe this has something to do with Microsoft DHCP does anybody use Windows 2003 as your DHCP server?
groque
Frequent Advisor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

Hi all,

I think this might be a bug with User based 802.1x dynamic VLAN(s). I just finished configuring MAC based VLAN(s) and it works great.

When I change the VLAN ID on my IAS server and replug in the wire the IP address picks up right away! but when I try it with user based VLAN(s) I still need to release and renew my IP addresses

If anybody has any more suggestions in regards to the user based VLANing please let me know.

Cheers
Jeff Carrell
Honored Contributor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

hmmm...i have used W2K0, W2K3 and W2K8 and all work just fine...

also, your initial u/l of your config cut-off the very bottom...do you have an "unauth-vlan" configured?

oh, another question, do you have the 802.1X supplicant configured on the client to use windows logon credentials -or- are you waiting for the "little bubble" as i call it to pop up in the corner and enter in the uid/pw?

if using the pop-up, that is why you are seeing the behavior you are.....the system's DHCP request times out before you can get the uid/pw authenticated and you must do a ipconfig release/renew to get the new address......that's why you generally want the use windows login box checked (if using eap-peap)....

i'm thinking that you may have it setup this way, since you said the mac-auth worked immediately, since the switch passed the mac addr of the nic as uid/pw to radius and the auth occurred quick enough to get the port open so DHCP could get thru...

hth this time...jeff
groque
Frequent Advisor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

Thanks for the response Jeff,

In regards to un-auth VLAN no I don't I created a VLAN ex VLAN 60 unauthorized and I untagged it for ports 1-16 (access layer ports). If I have to configure it some other way please let me know.

In regards to the supplicant I tried it with that Windows setting checked and it still didn't work.

I took what your advice and checked my show port-access auth and I don't see a default VLAN there even tho I specified that all Ports 1-4 (used for 802.1x user based VLANs) belong to VLAN 60 unauthorized.

And while the user logs into the computer and checked the show port-access auth table and I don't see a VLAN attached to that port yet. I wait another 10 seconds and then it does.

Is there something I am doing wrong here I know this isn't normal if you got yours working.
groque
Frequent Advisor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

I configured the unauth and auth vlans but yeah I totally think it has something to do with the client. Once a user logs in he/she doesn't get tagged with the VLAN ID right away. After 10 seconds upon log-in then they get tagged.

Is there something I can do about this to speed up this process? When I configured 802.1x vlans on my Cisco Catalyst it worked fine once I log off and log in as a different user their IP gets assigned right away without having to release and renew it.

Thanks
groque
Frequent Advisor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

HI all,

I totally think this has something to do with the client it doesn't authenticate me on the switch right when the user logs on. I uploaded my recent configuration if anybody has any suggestions please let me know.

I have one more quick question what is the difference between a suplicant and a authenticator? Do I need them both to run 802.1x user based VLAN(s)?

As you can see on the configuration I enabled it on port 3 hoping it would fix the problem but it didn't :( if anybody has any suggestions please let me know.

Cheers
Jeff Carrell
Honored Contributor
Solution

Re: 2910AL - Radius VLAN(s) w/ DHCP question

well, still not sure...

your auth-vlan - vlan62 and the guest vlan - vlan61, both need the ip helper-addr...

also, the 'aaa port-access gvrp-vlans' command is not required since you are statically defining the vlans...

a port defined as "authenticator" means a supplicant enabled device will be connected to it...a port defined as supplicant means that port will "speak like a supplicant"...

the 'aaa port-access supplicant 3' command means that you want port 3 to send its own supplicant info, so that the switch could actually 802.1X authenticate to another switch it would be connected to, but in order for that to fully work there is 1 more command needed that has the uid/pw in it...so this command is probably not needed...

i assume you do have the 3 attributes configured in the radius policy for the vlan assignment to the switch - correct? i expect you do or even doing a simple ipconfig release/renew would not get you the correct vlan...

i really can't see why this is happening...i have not used a 2910...in my lab i have 3500-24G, 2626, 2824, 5308...and have used 3400, 8212's in other labs...

there hasn't been an update to the code for the 2910 yet, so there are no release notes to see if there is a problem or not...

perhaps it is time for you to open a trouble call with procurve support...

add those ip helper-addresses, remove those other 2 commands, and if its still not working, call procurve support...

sorry i can't be of more positive help, but this stuff generally works well, and easy if you have the config correct, and you basically do when i compare to what i have running...

cheers...jeff
cenk sasmaztin
Honored Contributor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

watch video and check your radius and switch config

http://www.dosya.tc/802.1x_dynamicvlan.rar.html
cenk

cenk sasmaztin
Honored Contributor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

zip password xxx_123
cenk

groque
Frequent Advisor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

Thanks for the video and the replies I am going to modify the config on monday and make sure I have IP helper addresses on all VLAN(s). I will let you guys know if it works
groque
Frequent Advisor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

Thanks guys I got it resolved I added IP-Helper addresses to all my VLAN(s) now its working fine! Thanks alot
MullT
Frequent Advisor

Re: 2910AL - Radius VLAN(s) w/ DHCP question

Hi,

I´m in a similar situation. Let´s take your subnets to explain my problem

6200yl with the following_
VLAN 10 - E -> Network 172.16.10.0 /24, VLAN 10 is my backbone. switch IP is 172.16.10.40/24
IP default gateway is next hop router: 172.16.10.39
IP routing is enabled
IP route 0.0.0.0 0.0.0.0 172.16.10.39

On the 6200yl I have my subnets:

untagged VLAN 20 - J -> Network 172.16.20.0 /24, IP address 172.16.20.40/24, ip helper address 172.20.20.1
untagged VLAN 30 - S -> Network 172.16.30.0 /24, IP address 172.16.30.40/24, ip helper address 172.20.20.1
tagged VLAN 40 - P -> Network 172.16.40.0 /24, , IP address 172.16.40.40/24, ip helper address 172.20.20.1

As you can see I have 1 DHCP server (172.20.20.1) with scopes created for each VLAN. e.g. for my vlan 20, I have setup the DHCP range and the 172.16.20.40/24 for the gateway, for vlan 30 the gateway is 172.16.40.30/24 and for vlan 40 the gateway is 172.16.40.40/24.

I can happily connect to ports with untagged VLAN 20 and 30 and I will get an IP via DHCP.

But when I connect to a port with tagged VLAN 40 (of course I say within Windows to use tag 40(it´s VLAN ID 40 also)) I don´t get any IP address via DHCP. Within Windows status tab of the network card, I can see that it sends packets, but there don´t come an packets back.

So I´m asking myself whether I forgot something to add within the DHCP server?
I read something about "option 002 router", where I should then place the IP of the 6200yl == 172.16.10.40/24 into?