01-20-2016 12:43 AM
Question about securing access points on edge-port.
Problem:
I’m about to roll out wired 802.1X with MAC-auth as secondary, and I have trouble securing the edge port to an AP (Access Point). I have tried MAC-auth only, even with mixed-mode.
I can make the switch allow the AP and dynamically configure the VLAN on the edge port, but the switch will just block all wireless devices on the two 802.1X-protected VSCs that are connected to separate egress VLANs to the local network. Debugging on the switch says "rejected during demux, known unauth client" if I allow mixed-mode.
The guest VSC works fine because it’s using the AP tunnel to the controller team, so the switch can’t see the guests’ MAC addresses.
Question:
Cisco’s solution is smart-port, which just disables 802.1X and trunks with their APs when they are detected on an edge port. Is there a similar way with HP’s ProCurve?
If not, is there a way to configure security on an edge port to an AP, and how? Some APs can be disconnected and a user can make use of the port, and I want to lock it down so it can’t be used unlawfully. My users are creative and will test it for sure, I know… Sometimes I wish I could use glue, but then they will just break it…
Background:
I work for a small municipality in Sweden and have mostly (99,9%) HP networking spread across 6 locations and small satellites, with a single routing domain spanning it all. Each site has a different VLAN ID and network ID. The user base is about 800 employees and 300 elementary students.
I have around 140 MSM422, 430 and 460 APs controlled by an MSM765zl team, with 3 VSCs on all APs: two 802.1X-protected and 1 open guest VSC. The guest VSC uses the AP tunnel to the controller and ends up on the limited guest net. The other two VSCs egress to their respective tagged VLANs on the switches to the local networks. The edge switches are a mix of HP ProCurve 2600 and HP ProCurve 2900 series. Most of the switches connected to APs have PoE and are running the latest firmware; the same goes for the MSM APs and controllers.
The RADIUS servers are Windows 2012 R2 with “expanded” support for RFC 4675, so I can push out tagged VLANs, and soon hopefully even ACLs.