Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

procurve 2650 - 802.1x multi user

asjdfds
Occasional Visitor

procurve 2650 - 802.1x multi user

hi,

I am using a procurve 2650 H.10.74 with 802.1x on port 1.

If I connect a voip phone on port 1 it works without any problems.
If I connect a pc on port 1 it works also.

But then I connect a pc on the second port of the phone it does not work.
On the switch no errors will be logged. On the radius server I see that both devices (phone & pc) get access.

If I disable 802.1x it works without any problems.

My config:

; J4899B Configuration Editor; Created on release #H.10.74

hostname "test"
time timezone 2
no telnet-server
interface 1
no lacp
exit
interface 2
no lacp
exit
ip default-gateway 10.1.1.1
sntp server 10.1.1.26
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
no ip address
no untagged 1-50
exit
vlan 2
name "LAN"
untagged 1-50
ip address 10.1.1.123 255.255.255.0
exit
vlan 3
name "voip"
tagged 1-50
voice
exit
vlan 51
name "LAN_UNAUTH"
tagged 3-50
exit
aaa authentication port-access eap-radius
radius-server host 10.1.1.50
primary-vlan 2
aaa port-access authenticator 1
aaa port-access authenticator 1 max-requests 10
aaa port-access authenticator 1 reauth-period 3600
aaa port-access authenticator 1 client-limit 3
aaa port-access authenticator active
ip ssh
password manager


any ideas why my setup is not working?
8 REPLIES
cenk sasmaztin
Honored Contributor

Re: procurve 2650 - 802.1x multi user

please test and say me result

; J4899B Configuration Editor; Created on release #H.10.74

hostname "test"
time timezone 2
no telnet-server
interface 1
no lacp
exit
interface 2
no lacp
exit
ip default-gateway 10.1.1.1
sntp server 10.1.1.26
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
no ip address
no untagged 1-50
exit
vlan 2
name "LAN"
untagged 1-49
ip address 10.1.1.123 255.255.255.0
exit
vlan 3
name "voip"
tagged 1-49
voice
exit
vlan 51
name "LAN_UNAUTH"
untagged 50
exit
aaa authentication port-access eap-radius
radius-server host 10.1.1.50 key xxxxxxx
aaa port-access authenticator 1
aaa port-access authenticator 1 client-limit 3
aaa port-access authenticator active
aaa port-access authenticator 1 unauth-vid 51
ip ssh
password manager

cenk

asjdfds
Occasional Visitor

Re: procurve 2650 - 802.1x multi user

thanks for your quick reply.

i changed my config, but this does not solve my problem
gunnarwb
Occasional Contributor

Re: procurve 2650 - 802.1x multi user

I'd try messing around with the "tags" the, phone is actually a switch so any VLANs you need behind it (for the PC) would need to be tagged. so:

vlan 2
tagged 1

Basically I thought when dealing with VOIP phones you were supposed to tag pretty much everything.
asjdfds
Occasional Visitor

Re: procurve 2650 - 802.1x multi user

I tagged vlan 2 on port 1
phone works - pc does not work
gunnarwb
Occasional Contributor

Re: procurve 2650 - 802.1x multi user

Some other things to try:

gvrp
aaa port-access gvrp-vlans

Also, for giggles remove all those extra settings you have:

aaa port-access authenticator 1 max-requests 10
aaa port-access authenticator 1 reauth-period 3600
aaa port-access authenticator 1 client-limit 3

The client limit is probably needed, but kill it anyway, see what happens.

On other thing to try,

vlan 3
tagged 1
gunnarwb
Occasional Contributor

Re: procurve 2650 - 802.1x multi user

actually I know for a fact I'm wrong about the client-limit so leave that at 3, but tag both VLANS. CHeck out this article:

http://h40060.www4.hp.com/procurve/includes/application-notes/index.php?cc=ru&lc=ru&content=ans9-en
Jeff Carrell
Honored Contributor

Re: procurve 2650 - 802.1x multi user

do you have a "secret key" or "shared secret" defined on the radius server - for the switch as the client?

if so, it looks like in your config you do not have the radius server key defined...

i have seen in labs where having no radius key on the switch, or incorrect between the server and the switch it not work...logs look good, switch does not function...

but it doesn't explain why it does work at an individual level...hmmm...

and yes the client-limit must be set...default is set to "1"...for VoIP phones to auth and possibly go from untagged to tagged (2 auth steps) -and- a computer to also auth as untagged, client-limit needs to be at 3....

otherwise, switch config looks good to me...

another comment, in the remote access policy on your radius server, if you send back the vlan id to the switch, the switch must have that vlan id defined (either static or dynamic [GVRP]) to work...if the switch receives a vlan id assignment for an auth port and does not have the vlan id on it, that session will be "un-auth'd"...not the port, just that mac addr...

hth...jeff
asjdfds
Occasional Visitor

Re: procurve 2650 - 802.1x multi user

i played around with the vlans and vgrp-vlan, but this does not changed anything.


i took my config from the first post and configured on a 5412zl, revision K.14.41, ROM K.12.20

on the 5412zl it worked with the pc behind the phone.

but why does it not work on a 2650?