Switches, Hubs, and Modems
Re: Guest VLAN Issue

bscheible
Occasional Advisor

Guest VLAN Issue

2650 Switch with 5 VLANS configured: VLAN1, VLAN5, VLAN10, VLAN15, VLAN20 (VLAN ID matches VLAN number). DHCP scopes set for VLANS and walking through each VLAN by untagging I confirm that each VLAN operates and receives specified DHCP address in the VLAN range. I set up DHCP by having 3rd octet in range to identify current VLAN (ex. - VLAN15 would assign 192.168.15.X). Trying to test guest VLAN mode with RADIUS authentication. Have tested all successfully before. Documented procedures, tore lab down, then recreated lab in another office using my notes. Guest VLAN not assigning DHCP address. All ports are left as default untagged members of default VLAN (VLAN1). When connecting to a RADIUS enabled port it works as designed... switch places port in defined UNAUTH VLAN (in my case VLAN10), attempts to authenticate with the RADIUS server, fails RADIUS auth (by design based on how I set the scenario up), then leaves the port in the UNAUTH VLAN (again, by design). I know this because I can sh VLAN1 and see all ports in that VLAN except the port I am currently connected to. A sh VLAN10 shows that the port was moved to the UNAUTH vlan. All great, except I cannot get a DHCP address. It's like the switch is not allowing the connection to communicate as I see no logging information in the DHCP logs or the svr logs (other than failed auth attempt on RADIUS svr). Again, I can manually assign (untag) a port that is outside of the sec ports to VLAN10, plug in and receive a DHCP address in that scope so I know my DHCP and routing/forwarding is working. Have been in contact with Procurve support, and they are looking into the issue but have not given me a solution. Any ideas would be great! The last 6 lines of my log file are below and I will attach file with results from sh tech. Thanks.
I 08/23/06 11:15:20 ports: port 33 is Blocked by AAA
I 08/23/06 11:15:20 ports: port 33 is now on-line
I 08/23/06 11:15:20 vlan: VLAN10 virtual LAN enabled
I 08/23/06 11:15:20 ip: VLAN10: network enabled on 172.16.10.1
I 08/23/06 11:16:08 802.1x: 1 auth-failures for the last 60 sec.
I 08/23/06 11:18:08 802.1x: 2 auth-failures for the last 120 sec.
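As an added example (not from the original post or from HP), a small Python parser for the event-log lines quoted above, pulling out the facts to check when a port lands in the unauth VLAN: which port AAA blocked, which VLAN and IP interface the switch brought up, and the running 802.1X failure count. The log layout (severity, date, time, subsystem, message) is assumed from the six lines shown.

```python
import re

# Constructed sample input: the six event-log lines quoted in the post above.
SAMPLE_LOG = """\
I 08/23/06 11:15:20 ports: port 33 is Blocked by AAA
I 08/23/06 11:15:20 ports: port 33 is now on-line
I 08/23/06 11:15:20 vlan: VLAN10 virtual LAN enabled
I 08/23/06 11:15:20 ip: VLAN10: network enabled on 172.16.10.1
I 08/23/06 11:16:08 802.1x: 1 auth-failures for the last 60 sec.
I 08/23/06 11:18:08 802.1x: 2 auth-failures for the last 120 sec.
"""

# Assumed event-log layout: severity, date, time, subsystem, message.
LINE_RE = re.compile(
    r"^(?P<sev>[A-Z])\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<sub>[^:\s]+):\s+(?P<msg>.*)$")
BLOCKED_RE = re.compile(r"port (?P<port>\d+) is Blocked by AAA")
VLAN_UP_RE = re.compile(r"(?P<vlan>VLAN\d+) virtual LAN enabled")
VLAN_IP_RE = re.compile(r"(?P<vlan>VLAN\d+): network enabled on (?P<ip>[\d.]+)")
FAIL_RE = re.compile(r"(?P<n>\d+) auth-failures for the last (?P<secs>\d+) sec")


def parse_line(line):
    """Split one event-log line into its fields, or return None for junk."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Report which ports AAA moved into the unauth state, which VLANs and
    IP interfaces the switch activated as a result, and the 802.1X failure
    count the switch has accumulated."""
    report = {"blocked_ports": set(), "vlans_enabled": [], "vlan_ips": {},
              "auth_failures": 0}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = ev["msg"]
        if ev["sub"] == "ports" and (m := BLOCKED_RE.search(msg)):
            report["blocked_ports"].add(int(m["port"]))
        elif ev["sub"] == "vlan" and (m := VLAN_UP_RE.search(msg)):
            report["vlans_enabled"].append(m["vlan"])
        elif ev["sub"] == "ip" and (m := VLAN_IP_RE.search(msg)):
            report["vlan_ips"][m["vlan"]] = m["ip"]
        elif ev["sub"] == "802.1x" and (m := FAIL_RE.search(msg)):
            # The switch reports a running count over a growing window,
            # so the largest value seen is the total, not the sum of lines.
            report["auth_failures"] = max(report["auth_failures"], int(m["n"]))
    return report


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```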
Mohieddin Kharnoub
Honored Contributor

Re: Guest VLAN Issue

Hi

I have some ideas regarding your configuration:

- You didn't configure an authorized-client VLAN "auth-vid", so if the user authenticates, which VLAN will he get? Is it assigned dynamically by the RADIUS server?
- Are you connecting the DHCP and RADIUS servers directly to this switch, or through another switch?
If not directly, then you know that the uplink from switch to switch must be aware of all your 5 VLANs.
- In 802.1x dynamic VLAN assignment there is an order of priority, and the first one is dynamic VLAN assignment by the RADIUS server, which overrides the unauth-vid=10 that you configured.

I'm interested in your setup, and appreciate info sharing :)

Good Luck !!!
Science for Everyone
bscheible
Occasional Advisor

Re: Guest VLAN Issue

Let me start by saying late yesterday afternoon I realized that the firmware was breaking something in the config as I had working labs prior to switching to the newest firmware on the 2650. I don't have my notes with me as I'm in my backyard hanging out right now but will post some of my results on Monday. Answering your questions though:
An authorized VLAN in my situation is not a requirement as I do have the RADIUS server assigning VLANS "on the fly" as I like to call it. So in its basic terms, if the RADIUS server is successful in authenticating the connection it looks at the rule sets in order and finds the first matching rule. If it finds one it sends the auth to the switch with a VLAN assignment number. If the auth fails on the connection (or simply does not try an authentication), the switch leaves the port in the unauth vlan state. Depending on where I set this up will depend on what we do with that VLAN. In one environment that is less sensitive we may place this VLAN in a quarantined environment that would allow traffic only to the internet... say maybe for customers who are in the office for a meeting, etc. For one of our more sensitive networks, we may have this VLAN block traffic all together. Both would be configured for alerting features. My current setup is a lab so the tagged awareness on the uplinks would be correct, except in this config I have the switch wearing the router hat as well. It works for my lab setup. I use VMWare and one to two 2650 switches, one acting as the router. In the domains I have 200 plus switches, mostly 2650's and 2824's. Some older 4000's which I have a soft spot for :)... but alas, time to retire those guys. As I told the HP tech, I have exact instructions on how my setup will be and it works every time (as long as the firmware is not doing something). My boss makes me write instructions so the front desk receptionist could install and configure the setup if needed. Thanks for your reply!
Mohieddin Kharnoub
Honored Contributor

Re: Guest VLAN Issue

Hi

Can I ask a few points:

What firmware do you have on the 2600s that breaks your 802.1x functionality?
If a person didn't authenticate, then you assign the unauth-vid not by RADIUS, but by the switch config?
RADIUS only assigns the VLAN attribute on authentication?
If the client didn't authenticate, the switch allows him to have a temporary IP address and places him in the unauth VLAN so he can get the supplicant software for 802.1x; are you doing this? From where will he get the supplicant?
Last Q., do you have a wireless AP connected to one of these ports 30-40? If yes, do you manage people to have roaming? How?
Thanks for sharing info, it's a nice setup :)

Good Luck !!!

Science for Everyone
Ionut Andrei
Occasional Contributor

Re: Guest VLAN Issue

Hopefully, if everything goes ok, I should have the same scenario up and running by tomorrow morning, and I'll share all the details. Anyway, I have a problem of another kind. Whenever I use the " AAA PORT-ACCESS AUTHENTICATOR 1-40 " command, on any other large range of ports, it blocks my existing connection, although I am connected through the gigabit trunk, and it seems like everything is freezing up. If I do this three or four times, trying to get the ports configured properly, I often find myself blocked out of the switch until some of the telnet connections are reset. Anyone had this problem before? The software version I use for the 2650 is from February 24 2006, so quite recent.
Mohieddin Kharnoub
Honored Contributor

Re: Guest VLAN Issue

Hi

When you enable 802.1X authentication on a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication.

Good Luck !!!
Science for Everyone
bscheible
Occasional Advisor

Re: Guest VLAN Issue

To answer Mohieddin Kharnoub's questions... The latest firmware (H.08.98) was not working for my setup with unauth vlan. The firmware that I can get to work every time is H.08.92. I am going to try and test with some newer firmware revisions, though we typically do not like to upgrade our firmware unless absolutely necessary. It has been my experience that the way I have set up my RADIUS server (IAS), if it's not authenticating the computer then it's not going to do anything with it (i.e. assign a rule based vlan). I could be wrong, however, the unauth-vlan works great for my scenario. To answer your supplicant question... my scenario does not require supplicant software retrieval as all clients (Windows 2000 SP4/Windows XP) come with the ability to do 802.1x communication. You could allow that by adding some sort of install point in the unauth-vlan. We will use this unauth-vlan in two scenarios... one will push the unauth clients into a sort of DMZ segment to allow guest access to the internet. Another scenario will be to block any kind of connection all together in a more sensitive environment. This setup is all wired 802.1x deployment. We do not use wireless connections. This is not because of anything technical... just more political based on network sensitivity. We aren't serving up network access for Starbuck's patrons :). Let me know if you have any other questions. As far as the LACP issue... I agree. Even when not utilizing LACP trunking before enabling AAA, I find that the switch takes a little while to go through and disable LACP on any ports that were just configured for AAA. Good luck with your setup Andrei.
tomastomas
Occasional Advisor

Re: Guest VLAN Issue

As far as I know, for security reasons the Open VLAN (unauth) is totally L3 isolated (same story with the Management VLAN - only the switch inside the VLAN), so no routing at all, it's out of your network (and that's good).

You have some options if you want to provide just Internet for guests:

Instead of the Open VLAN, use an "internet" account and web authentication and tell your guests (and assign with IDM to a "normal" VLAN, and don't forget to create ACLs or use IDM-created ACLs if you have clever switches on the edge like ProCurve Adaptive EDGE recommends).

Use the Open VLAN and a different L3 device like a tiny FreeBSD server with DHCP, web redirect on the first HTTP connection (welcome page), an IDS/IPS system like Snort to protect your network, and route it back to the switch into a different VLAN, like "CheckedGuestVLAN"; create an internet-only ACL and provide a route to the Internet.

Use the 700wl series and ACMs to have maximum guest handling (automatic correction of wrong client IP, DNS or HTTP proxy settings, L3 roaming and VPN, web authentication or registration, hot-spot).