
Assigning tagged VLAN using auth-vid command. Procurve 2610, 802.1x and polycom IP300 passthru to PC

dempsey138
New Member

I am attempting to set up an 802.1x EAP-TLS and mac-based port authentication environment. The main devices we are trying to secure are Windows XP/7 PCs and Polycom IP330 handsets. We use the PC/passthrough ports on IP330's to provide an Ethernet port to the PCs. Polycom IP330's do not support 802.1x.

I have 3 VLANs:
VLAN 1 is data; it is untagged/native for PCs.
VLAN 2 is voice.
VLAN 3 is guest. This is where non-authenticated devices will go.

We are using the RADIUS functionality of Windows 2008 R2 NPS to provide the authentication.

Goals
1. I want anything that successfully authenticates with EAP-TLS to be assigned to VLAN 1.
2. Anything that authenticates using mac-based to be assigned VLAN 2.
3. Anything that does not authenticate to be assigned VLAN 3.

I can achieve goals 1 and 3 without issue. I can get the IP330's to successfully authenticate using mac-based auth but I cannot force them to be assigned to VLAN 2, i.e. if we set the phone to use VLAN 2 it will authenticate and sit on VLAN 1. If we do not force a VLAN on the phone it will authenticate and sit on VLAN 1.

The command "aaa port-access mac-based X auth-vid X" I believe is what should force something that successfully authenticates using mac-based onto VLAN 2. However, when I set this command I can see the phone authenticate successfully on the RADIUS server but the phone just sits there at its waiting-to-boot screen. You can see on the RADIUS server that the phone successfully re-authenticates every 1 minute. The phone never leaves the boot screen.

I have attached two configs from my switch.

"Polycom forced to VLAN2 no auth-vid set - all working.txt"
In this one the "aaa port-access mac-based X auth-vid X" command is not used. Everything authenticates and boots properly; however, the phone will sit on VLAN 1 or 2 depending on what you have set in the phone.

"Polycom forced to VLAN2 auth-vid2 - not working.txt"
In this one the "aaa port-access mac-based X auth-vid X" command is used. Everything authenticates according to the RADIUS server; however, the phone never boots and continually re-authenticates every 1 minute. This occurs no matter what VLAN setting is set on the phone.

In all testing using these configs the phone and PC are plugged into interface 8.

Does anyone have any suggestions, or has anyone possibly run into this before? Obviously mac auth is far easier to get past compared to EAP-TLS, so we don't want to have mac-auth on VLAN 1 at all if possible.

5 replies

Re: Assigning tagged VLAN using auth-vid command. Procurve 2610, 802.1x and polycom IP300 passthru to PC

I'm pretty sure you can't do both #1 and #2. If I recall, the only way to do both 802.1x and mac-based authentication is for them to both successfully authenticate. There is no either/or. I believe I read in their docs somewhere that they don't recommend running two forms of authentication and don't support it either.

As for handling 802.1x with VOIP devices, this guide may help if you haven't read it already.

http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S9_ProCurve-802.1x-configuration-final-091608.pdf

jefflj
Frequent Advisor

Re: Assigning tagged VLAN using auth-vid command. Procurve 2610, 802.1x and polycom IP300 passthru to PC

I believe the issue is that you are using port-based authentication with the auth-vid function. With port-based authentication, the port can only belong to one VLAN, so it cannot be a member of both an auth-vid and an unauth-vid. The solution is to use user-based authentication on the switch, which allows each user to be authenticated separately, using separate authentication methods, and placed into different VLANs if desired. Here are the required steps if you want to configure ports 10 and 11:

; static VLAN the ports sit in before any authentication
vlan 10
   untag 10-11
   ip address 10.1.1.10 255.255.255.0
   exit

radius-server host 10.1.1.20 key secret

; 802.1x: client-limit > 1 switches the port to user-based mode
aaa port-access authenticator 10-11
aaa port-access authenticator 10 client-limit <a number greater than 1>
aaa port-access authenticator 11 client-limit <a number greater than 1>
aaa port-access authenticator 10-11 auth-vid <auth vlan #>
aaa port-access authenticator 10-11 unauth-vid <unauth vlan #>
aaa port-access authenticator active

; mac-based on the same ports, with its own auth/unauth VLANs
aaa port-access mac-based 10-11
aaa port-access mac-based 10 addr-limit <a number greater than 1>
aaa port-access mac-based 11 addr-limit <a number greater than 1>
aaa port-access mac-based 10-11 auth-vid <auth vlan #>
aaa port-access mac-based 10-11 unauth-vid <unauth vlan #>

I personally don't use the switch "auth-vid/unauth-vid" commands, as I allow the RADIUS server to return those values as attributes in the RADIUS Access-Accept packet. I attempted to post detailed instructions on how to do that, but this web site logged me out and dropped the posting. For more info you can consult the Windows support site for Win2k8 NAP and NPS:

http://technet.microsoft.com/en-us/library/dd125336(WS.10).aspx

http://technet.microsoft.com/en-us/library/dd314170(WS.10).aspx

http://technet.microsoft.com/en-us/library/dd125308(WS.10).aspx

ISoliman
Super Advisor

Re: Assigning tagged VLAN using auth-vid command. Procurve 2610, 802.1x and polycom IP300 passthru to PC

You can achieve that, but you have 3 limited options:

1- Tag the ports connected to the phones to VLAN 2 statically, so there is no need for dynamic VLAN assignment for the phones' auth.

2 & 3 are the same solution using different methods: you can assign tagged VLANs dynamically, but Microsoft does not support that attribute (the switches do support it), so you will need to use the IDM plugin in PCM to assign the tagged phone VLAN dynamically, or you will need to use another RADIUS server to do the same. FreeRADIUS supports assigning tagged VLANs and it should work fine.
ISoliman
Super Advisor

Re: Assigning tagged VLAN using auth-vid command. Procurve 2610, 802.1x and polycom IP300 passthru to PC

The details on that option and FreeRADIUS are in the link below, which explains all of this:

http://wiki.freeradius.org/HP     (thanks to a special friend for this.. M ;) )

Kind Regards

Islam
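Two of the replies above turn on what the RADIUS server puts in the Access-Accept: jefflj lets RADIUS return the VLAN instead of using auth-vid/unauth-vid on the switch, and ISoliman points out that NPS can only return the standard (untagged) form while a tagged assignment for the phones needs a server such as FreeRADIUS. The script below is an added example, not code from the thread or from HP, Microsoft or FreeRADIUS. It builds and parses the two attribute families involved: the RFC 2868 trio (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which can only express an untagged VLAN, and the RFC 4675 Egress-VLANID / Egress-VLAN-Name attributes, whose leading flag (0x31 / "1" for tagged, 0x32 / "2" for untagged) is what a tagged voice VLAN needs. The VLAN numbers (1 = data, 2 = voice) follow the original post; the tunnel tag value and the helper names are assumptions for the example.

```python
"""Encode and decode the RADIUS Access-Accept attributes a ProCurve port uses
for dynamic VLAN assignment (added example; not code from the thread).

  * RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID:
    the standard trio, assigns the UNTAGGED VLAN (the form NPS can return).
  * RFC 4675 Egress-VLANID / Egress-VLAN-Name: carry a tagged/untagged flag,
    which is what a phone that must sit tagged on the voice VLAN needs.
"""
import struct

# Attribute type codes from the IANA RADIUS attribute registry
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EGRESS_VLANID, EGRESS_VLAN_NAME = 56, 58
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type value "IEEE-802"
EGRESS_TAGGED, EGRESS_UNTAGGED = 0x31, 0x32   # RFC 4675 first-octet flags


def _check_vid(vid: int) -> None:
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS AVP: Type (1 octet) + Length (1 octet, includes header) + Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def untagged_vlan_attrs(vid: int, tag: int = 1) -> bytes:
    """The RFC 2868 trio that puts the supplicant on VLAN `vid` untagged.
    `tag` = 1 is an assumed grouping tag; all three attributes must share it."""
    _check_vid(vid)
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vid).encode("ascii")))


def egress_vlanid_attr(vid: int, tagged: bool) -> bytes:
    """RFC 4675 Egress-VLANID: flag octet (0x31 tagged / 0x32 untagged),
    12 zero padding bits, then the 12-bit VLAN ID."""
    _check_vid(vid)
    flag = EGRESS_TAGGED if tagged else EGRESS_UNTAGGED
    return _avp(EGRESS_VLANID, struct.pack("!I", (flag << 24) | vid))


def egress_vlan_name_attr(name: str, tagged: bool) -> bytes:
    """RFC 4675 Egress-VLAN-Name: '1' + name for tagged, '2' + name for untagged."""
    return _avp(EGRESS_VLAN_NAME, (("1" if tagged else "2") + name).encode("utf-8"))


def parse_attrs(data: bytes) -> list:
    """Split a run of RADIUS AVPs into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def decode_egress_vlanid(value: bytes) -> tuple:
    """Return (vid, tagged) from an Egress-VLANID value, checking the RFC 4675 layout."""
    if len(value) != 4:
        raise ValueError("Egress-VLANID must be 4 octets")
    word = struct.unpack("!I", value)[0]
    flag, pad, vid = word >> 24, (word >> 12) & 0xFFF, word & 0xFFF
    if flag not in (EGRESS_TAGGED, EGRESS_UNTAGGED) or pad != 0:
        raise ValueError("not a valid Egress-VLANID")
    _check_vid(vid)
    return vid, flag == EGRESS_TAGGED


def phone_accept_attrs(voice_vid: int = 2) -> bytes:
    """Attributes to return for a MAC-authenticated handset: voice VLAN, tagged.
    Assumed for the thread's layout (VLAN 2 = voice); the PC behind the phone
    does its own EAP-TLS exchange and gets the untagged data VLAN instead."""
    return egress_vlanid_attr(voice_vid, tagged=True)


if __name__ == "__main__":
    # Constructed sample: a PC accept (untagged VLAN 1) followed by a phone accept (tagged VLAN 2)
    for attr_type, value in parse_attrs(untagged_vlan_attrs(1) + phone_accept_attrs(2)):
        print(attr_type, value.hex())
```

The bytes this produces are the same values a FreeRADIUS users entry would carry in symbolic form (the FreeRADIUS wiki page linked above covers that syntax). The point for the original question is the flag octet: the tunnel trio has no place to say "tagged", so an NPS policy can only ever move the phone's untagged VLAN, whereas Egress-VLANID 0x31000002 says "VLAN 2, tagged". Whether the port keeps its static untagged VLAN alongside a tagged RADIUS assignment is switch behaviour to confirm with "show port-access" on the 2610 rather than something this example can show.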

scifan3
Advisor

Re: Assigning tagged VLAN using auth-vid command. Procurve 2610, 802.1x and polycom IP300 passthru to PC

I've configured this in a test environment where, based on the MAC address, the machine would authenticate and get placed into VLAN x; then the user would authenticate and, if they passed authentication, they'd get put in VLAN y, or VLAN z if they failed. 802.1x authentication isn't that hard. The challenges came in when dealing with different IP subnets, because the DHCP request is being made while the port is still connected to a different subnet, and Windows XP doesn't re-request the DHCP address after the VLAN gets swapped.

aaa authentication port-access eap-radius
radius-server key <password>
radius-server host <host ip>

aaa port-access authenticator <port #>
aaa port-access authenticator <port #> unauth-vid <default vlan id>
aaa port-access authenticator active

Sometimes you have to try multiple times before you succeed.