MarcisB
Occasional Advisor

HP 5412zl concurrent MAC and 802.1X authentication - how to configure it right?

Hello. I am trying to set up 5412 to use MAC and 802.1X RADIUS authentication on the same port.

The PC using 802.1X authentication is connected behind a Cisco IP phone, which will use MAC authentication.

HP's own iMC UAM is used as the RADIUS server.

I've been able to successfully configure separate MAC and 802.1X authentication on separate ports to verify that it works.

But as soon as I try to combine them both, it does not work. It seems I am missing something.

From what I see on the RADIUS server, in a capture, the switch wants to authenticate the PC using MAC authentication, which is rejected by the RADIUS server for obvious reasons - the PC's MAC address is not registered, and I don't want it to be. The PC should use 802.1X.

I attached the switch config file. VLAN 570 is the data VLAN for PCs. VLAN 569 is the voice VLAN for phones.

VLAN 666 is a dummy VLAN to drop unauthorized clients.

10.32.12.74 - iMC UAM RADIUS.

The concurrent authentication port is A3.

Can you please point me in the right direction? What am I missing?

P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. -HP Forum Moderator

Curving_pro
Occasional Visitor

Re: HP 5412zl concurrent MAC and 802.1X authentication - how to configure it right?

How do you split the traffic of the PC from the traffic of the phone?
I don't understand from your config how you separate that traffic.
Also, one port cannot be untagged in two VLANs (voice and data VLAN).
Maybe it is the mixed-mode QinQ VLAN thingy, which we don't use.


We are using the same ProCurves, also with IP phones and PCs behind them.
If we take port A3 as an example: we have interface A3 tagged in the voice VLAN.
For the PC behind the phone, the same port A3 is untagged in the data VLAN.

Also, the port-access authenticator can be configured for the untagged VLAN. You didn't do this.
(which keeps the IP phone working without a PC behind it)
When connecting a PC or laptop, that device (actually the untagged VLAN) is kept on the unauthorized VID (666);
after successful authentication, the untagged VLAN is changed to the authorized VID (570).


The trick as I should have done it:
(only A3 is the port to follow in this config)



Running configuration:

aaa port-access authenticator A3 auth-vid 570
aaa port-access authenticator A3 unauth-vid 666
aaa port-access authenticator active
aaa port-access mac-based A3
aaa port-access mac-based A3 addr-limit 2
aaa port-access mac-based A3 auth-vid 570
aaa port-access mac-based A3 unauth-vid 666

vlan 569
   name "VLAN569"
   tagged A3
   no ip address
   voice
   exit
vlan 570
   name "VLAN570"
   untagged A13
   tagged A1
   ip address 10.32.13.100 255.255.255.248
   exit
vlan 666
   name "VLAN666"
   untagged A3
   no ip address
   exit
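An added check, not part of the reply above or of any HP tool: a small Python lint that parses the port-access and VLAN lines of a ProVision running config (the A3 lines from the config above embedded as sample input) and reports what would break the phone-via-MAC plus PC-via-802.1X combination on one port, including the one-untagged-VLAN rule mentioned above. The setting names it requires are taken from the config lines shown on this page.

```python
import re
# Constructed sample: the A3-relevant lines of the running config posted above.
SAMPLE = """\
aaa port-access authenticator A3 auth-vid 570
aaa port-access authenticator A3 unauth-vid 666
aaa port-access authenticator active
aaa port-access mac-based A3
aaa port-access mac-based A3 auth-vid 570
aaa port-access mac-based A3 unauth-vid 666
vlan 569
   tagged A3
   voice
vlan 666
   untagged A3
"""

PA_RE = re.compile(r"aaa port-access (authenticator|mac-based) (\S+)(?: (\S+) (\S+))?$")

def parse_config(text):
    """Collect per-port port-access settings and per-VLAN membership plus the voice flag."""
    ports, vlans, cur = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := PA_RE.match(line):
            mode, port, key, val = m.groups()
            if port != "active":          # 'authenticator active' is the global enable
                ports.setdefault(port, {})[f"{mode} {key or 'enabled'}"] = val or True
        elif m := re.match(r"vlan (\d+)$", line):
            cur = m.group(1)
            vlans[cur] = {"tagged": set(), "untagged": set(), "voice": False}
        elif cur and (m := re.match(r"(tagged|untagged) (\S+)$", line)):
            vlans[cur][m.group(1)].add(m.group(2))
        elif cur and line == "voice":
            vlans[cur]["voice"] = True
    return ports, vlans

def check_port(port, ports, vlans):
    """Return the problems that would stop MAC (phone) + 802.1X (PC) auth on one port."""
    p, problems = ports.get(port, {}), []
    for want in ("authenticator auth-vid", "authenticator unauth-vid",
                 "mac-based enabled", "mac-based auth-vid", "mac-based unauth-vid"):
        if want not in p:
            problems.append(f"{port}: '{want}' missing")
    untagged = [v for v, d in vlans.items() if port in d["untagged"]]
    if len(untagged) != 1:                # a port is untagged in exactly one VLAN
        problems.append(f"{port}: untagged in {untagged}, expected exactly one VLAN")
    elif untagged[0] != p.get("authenticator unauth-vid"):
        problems.append(f"{port}: untagged VLAN {untagged[0]} is not the unauth-vid")
    if not any(d["voice"] and port in d["tagged"] for d in vlans.values()):
        problems.append(f"{port}: not tagged in a voice VLAN")
    return problems
```

Run `check_port("A3", *parse_config(open("running-config.txt").read()))` against a saved `show running-config` to lint a real port; an empty list means the port matches the layout described in the reply.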




RahimAbdulRehma
Visitor

Re: HP 5412zl concurrent MAC and 802.1X authentication - how to configure it right?

If we apply the same configuration as you suggested, then the IP phone never authenticates and only the PC authenticates? We tag the voice VLAN already.

My requirement is to authenticate PC only and not IP Phone.