Switches, Hubs, and Modems

BUG: ProCurve Switch 2510G-48, DHCP problem with 802.1X authenticated VLAN / public VLAN otherwise

SysCo al
Occasional Visitor

Hello,

Here is the problem:

Material: ProCurve Switch 2510G-48
Firmware: 11/17/09 Y.11.16

We want to have 802.1X VLAN authentication, and if no authentication is correct, we want to have a public VLAN.

Here is the configuration:

vlan 1
   name "DEFAULT_VLAN"
   no ip address
   no untagged 1-48
   exit
vlan 2
   name "PUBLIC_VLAN"
   no ip address
   exit
vlan 3
   name "PRIVATE_VLAN"
   untagged 1-48
   ip address 192.168.3.1 255.255.255.0
   exit

aaa authentication port-access eap-radius
radius-server host 192.168.3.2 key mysecretkey
primary-vlan 3
aaa port-access authenticator 1
aaa port-access authenticator 1 auth-vid 3
aaa port-access authenticator 1 unauth-vid 2
aaa port-access authenticator active

Let's do the test on port 1. Once authentication is done and OK (VLAN 3), the DHCP Discovery broadcast packet is sent (and received by the DHCP server in VLAN 3), but the DHCP Offer broadcast answer packet never gets back to the machine.

If we are not authenticated (VLAN 2), everything works fine: the second DHCP server in VLAN 2 receives the Discovery, sends the Offer, receives the Request and sends the Acknowledgement packet.

If we connect the machine to the port 2 (always on VLAN 3), the DHCP protocol is working well with the DHCP server in the VLAN 3.

After sniffing everything in all directions, we discovered that ALL broadcast traffic is never going through an authenticated port, BUT only if the authenticated port is in the same VLAN as the switch management VLAN! We didn't find any filter that can be removed or set up.

Any suggestion is welcome. We have spent hours and hours on our configuration, but this is for sure a bug, not a configuration problem.

Has anybody succeeded in doing 802.1X authentication with working DHCP IP distribution in the VLAN of the managed switch with this firmware 11/17/09 Y.11.16?

We have tried downgrading to version 11.12 and it works! But as a lot of other things have been fixed in 11.16, we would be happy to have a new fixed release for our brand new switch (bought a few weeks ago).

Thanks in advance for your support.

Regards,

André
4 REPLIES
cenk sasmaztin
Honored Contributor

Re: BUG: ProCurve Switch 2510G-48, DHCP problem with 802.1X authenticated VLAN / public VLAN otherwise

Upgrade your switch to Y.11.18.
cenk

SysCo al
Occasional Visitor

Re: BUG: ProCurve Switch 2510G-48, DHCP problem with 802.1X authenticated VLAN / public VLAN otherwise

Hello,

It's a good idea, but I can't find any Y 11.18 version on the ProCurve website (https://h10145.www1.hp.com/Downloads/SoftwareReleases.aspx?ProductNumber=J9280A&lang=en,en&cc=us,us&prodSeriesId=3356807)

Any advice welcome

Regards

André

Re: BUG: ProCurve Switch 2510G-48, DHCP problem with 802.1X authenticated VLAN / public VLAN otherwise

Yes, contact ProCurve support and request the latest software for your switch. Also request the associated release notes, which they probably won't provide by default. You should see many AAA/802.1X related bug fixes. It appears they are not publicly posting switch software that only contains bug fixes, just new features.

Another thought is, I believe this line of your config is redundant:
aaa port-access authenticator 1 auth-vid 3

You have already set port 1 as untagged on VLAN 3. It should work, but I would try removing it to see if it has any impact.
SysCo al
Occasional Visitor

Re: BUG: ProCurve Switch 2510G-48, DHCP problem with 802.1X authenticated VLAN / public VLAN otherwise

Thanks for the advice, ticket opened by ProCurve support.

Regards,

Andre
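
Added example, not part of any post in this thread and not HP/ProCurve code: a small Python audit that reads a configuration like the one posted above and flags the two conditions the thread raises, namely an 802.1X auth-vid that is also the switch management VLAN (the case the original poster tied to lost broadcasts on Y.11.16) and an auth-vid on a port that is already untagged in that VLAN (the redundancy pointed out in the reply). The function names are hypothetical, and it assumes numeric port names and treats any VLAN with an IP address or named by primary-vlan as the management VLAN.

```python
import re

# Excerpt of the configuration posted in the thread (VLAN 1, names and RADIUS lines omitted).
CONFIG = """\
vlan 2
no ip address
exit
vlan 3
untagged 1-48
ip address 192.168.3.1 255.255.255.0
exit
primary-vlan 3
aaa port-access authenticator 1
aaa port-access authenticator 1 auth-vid 3
aaa port-access authenticator 1 unauth-vid 2
"""

def expand_ports(spec):
    """Expand '1-48' or '1,5-7' into a set of ints (numeric port names assumed)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config):
    """Return (port, finding) pairs for the two conditions raised in the thread."""
    vlan, untagged, mgmt, auth_vid = None, {}, set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m[1])                  # entering a VLAN context
        elif line == "exit":
            vlan = None                       # leaving it
        elif vlan and (m := re.fullmatch(r"untagged (\S+)", line)):
            untagged[vlan] = expand_ports(m[1])
        elif vlan and line.startswith("ip address "):
            mgmt.add(vlan)                    # VLAN carrying the switch's own IP
        elif m := re.fullmatch(r"primary-vlan (\d+)", line):
            mgmt.add(int(m[1]))
        elif m := re.fullmatch(r"aaa port-access authenticator (\S+) auth-vid (\d+)", line):
            auth_vid.update((p, int(m[2])) for p in expand_ports(m[1]))
    findings = []
    for port, vid in sorted(auth_vid.items()):
        if vid in mgmt:  # condition the poster tied to lost broadcasts on Y.11.16
            findings.append((port, "auth-vid is the switch management VLAN"))
        if port in untagged.get(vid, set()):  # the reply's redundancy point
            findings.append((port, "auth-vid redundant: port already untagged there"))
    return findings
```

Calling audit(CONFIG) on the excerpt reports both findings for port 1; "no untagged" and "unauth-vid" lines are deliberately not matched.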