08-24-2006 01:57 AM
Guest VLAN Issue
I 08/23/06 11:15:20 ports: port 33 is Blocked by AAA
I 08/23/06 11:15:20 ports: port 33 is now on-line
I 08/23/06 11:15:20 vlan: VLAN10 virtual LAN enabled
I 08/23/06 11:15:20 ip: VLAN10: network enabled on 172.16.10.1
I 08/23/06 11:16:08 802.1x: 1 auth-failures for the last 60 sec.
I 08/23/06 11:18:08 802.1x: 2 auth-failures for the last 120 sec.
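An added example, not part of the original post and not HP tooling: a small parser for the event-log lines quoted above that extracts ports blocked by AAA and normalizes the 802.1x auth-failure counters to a per-minute rate for alerting. The function names and the 5-per-minute threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Sample input: the six event-log lines quoted in the post above.
SAMPLE_LOG = """\
I 08/23/06 11:15:20 ports: port 33 is Blocked by AAA
I 08/23/06 11:15:20 ports: port 33 is now on-line
I 08/23/06 11:15:20 vlan: VLAN10 virtual LAN enabled
I 08/23/06 11:15:20 ip: VLAN10: network enabled on 172.16.10.1
I 08/23/06 11:16:08 802.1x: 1 auth-failures for the last 60 sec.
I 08/23/06 11:18:08 802.1x: 2 auth-failures for the last 120 sec.
"""

# severity, MM/DD/YY HH:MM:SS, subsystem, message
LINE_RE = re.compile(
    r"^(?P<sev>[A-Z]) (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (?P<sub>[^:]+): (?P<msg>.*)$"
)
BLOCKED_RE = re.compile(r"port (\S+) is Blocked by AAA")
FAIL_RE = re.compile(r"(\d+) auth-failures for the last (\d+) sec")


def parse(log_text):
    """Yield (severity, timestamp, subsystem, message) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
            yield m["sev"], ts, m["sub"], m["msg"]


def summarize(log_text, max_per_min=5.0):
    """Collect AAA-blocked ports and 802.1x failure counters; flag high rates.

    max_per_min is an assumed alert threshold, not a switch default.
    """
    blocked, counters, alerts = set(), [], []
    for _sev, ts, sub, msg in parse(log_text):
        if sub == "ports" and (m := BLOCKED_RE.search(msg)):
            blocked.add(m.group(1))
        elif sub == "802.1x" and (m := FAIL_RE.search(msg)):
            count, window = int(m.group(1)), int(m.group(2))
            rate = count * 60.0 / window  # failures per minute over the window
            counters.append((ts, count, window, rate))
            if rate > max_per_min:
                alerts.append((ts, rate))
    return {"blocked_ports": sorted(blocked), "counters": counters, "alerts": alerts}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```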
08-25-2006 04:17 PM
Re: Guest VLAN Issue
I have some ideas regarding your configuration:
- You didn't configure an authorized-client VLAN ("auth-vid"), so if the user authenticates, which VLAN will he get? Is it assigned dynamically by the RADIUS server?
- Are you connecting the DHCP and RADIUS servers directly to this switch, or through another switch? If not directly, then you know that the uplink from switch to switch must be aware of all 5 of your VLANs.
- In 802.1x dynamic VLAN assignment there is an order of priority, and the first one is dynamic VLAN assignment by the RADIUS server, which overrides the unauth-vid=10 that you set.
I'm interested in your setup, and appreciate the info sharing :)
Good Luck !!!
08-26-2006 04:24 AM
Re: Guest VLAN Issue
An authorized VLAN in my situation is not a requirement, as I do have the RADIUS server assigning VLANs "on the fly", as I like to call it. So in its basic terms, if the RADIUS server is successful in authenticating the connection, it looks at the rule sets in order and finds the first matching rule. If it finds one, it sends the auth to the switch with a VLAN assignment number. If the auth fails on the connection (or the client simply does not try an authentication), the switch leaves the port in the unauth VLAN state. Where I set this up will determine what we do with that VLAN. In one environment that is less sensitive, we may place this VLAN in a quarantined environment that would allow traffic only to the internet, say for customers who are in the office for a meeting, etc. For one of our more sensitive networks, we may have this VLAN block traffic altogether. Both would be configured for alerting features. My current setup is a lab, so the tagged awareness on the uplinks would be correct, except in this config I have the switch wearing the router hat as well. It works for my lab setup. I use VMware and one to two 2650 switches, one acting as the router. In the domains I have 200-plus switches, mostly 2650s and 2824s. Some older 4000s, which I have a soft spot for :)... but alas, time to retire those guys. As I told the HP tech, I have exact instructions on how my setup will be, and it works every time (as long as the firmware is not doing something). My boss makes me write instructions so the front desk receptionist could install and configure the setup if needed. Thanks for your reply!
08-26-2006 03:21 PM
Re: Guest VLAN Issue
Can I ask a few points:
What firmware do you have on the 2600s that breaks your 802.1x functionality?
If a person didn't authenticate, then you assign the unauth-vid not by RADIUS but by the switch config?
RADIUS only assigns the VLAN attribute on authentication?
If the client didn't authenticate, the switch allows him to have a temporary IP address and places him in the unauth VLAN so he can get the supplicant software for 802.1x. Are you doing this? From where will he get the supplicant?
Last question: do you have a wireless AP connected to one of these ports 30-40? If yes, do you manage for people to have roaming? How?
Thanks for sharing info, it's a nice setup :)
Good Luck !!!
08-26-2006 09:40 PM
Re: Guest VLAN Issue
08-26-2006 09:52 PM
Re: Guest VLAN Issue
When you enable 802.1X authentication on a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication.
Good Luck !!!
08-28-2006 12:37 AM
Re: Guest VLAN Issue
08-28-2006 11:15 AM
Re: Guest VLAN Issue
You have some options if you want to provide just Internet for guests:
- Instead of Open VLAN, use an account "internet" and web authentication and tell your guests (and assign with IDM to the "normal" VLAN, and don't forget to create ACLs or use IDM-created ACLs if you have clever switches on the edge, like ProCurve Adaptive EDGE recommends).
- Use Open VLAN and a different L3 device, like a tiny FreeBSD server with DHCP, web redirect on the first HTTP connection (welcome page), and an IDS/IPS system like Snort to protect your network, and route it back to the switch to a different VLAN, like "CheckedGuestVLAN"; create an Internet-only ACL and provide a route to the Internet.
- Use the 700wl series and ACMs to have maximum guest handling (automatic wrong client IP, DNS or HTTP proxy correction, L3 roaming and VPN, web authentication or registration, hot-spot).