802.1x & LLDP-MED on same port

fmuecher
Occasional Advisor

Hello,

My situation is pretty straightforward: 802.1x authentication (port-based) against a Microsoft NPS with VLAN assignment.

Now we are switching over to IP-based telephony, and I have the requirement to assign the phones a VLAN, ideally via LLDP. The client is connected to the phone's integrated switch.

Each on its own works just fine, but when I combine 802.1x and LLDP on a port, the LLDP negotiation doesn't even seem to start.

Is this set-up supported? I would think this is a pretty common use case.

Setup: 5400R zl2 switch, Microsoft Windows Server 2012 R2 with NPS.

Thanks for your input.

4 Replies
EricAtHP
Esteemed Contributor

Re: 802.1x & LLDP-MED on same port

Ideally, you would want the phone to do 802.1X auth as well as the PC. Do the phones support dot1X?

If they do, you can configure NPS to assign a tagged VLAN to the phone. There are two methods. The preferred method would be to use an RFC 4675 compliant RADIUS server. Unfortunately NPS isn't one of those. The alternative method is to use a vendor-specific attribute in NPS. I have attached a picture of the config of the VSA. Go to your NPS policy - Settings tab - Vendor Specific section and add a new attribute that looks like the picture. Here is the breakdown of the attribute value, 31000002: the 31 means tagged. The next three zeros, 000, are padding and must be zero. The final 3 characters are the VLAN ID in hex, VLAN 2 in this case. VLAN 17 would equal 11 (0x11) in hex.

It is also possible to do MAC auth and 802.1X on the same port at the same time, both to NPS, and have MAC auth assign the tagged VLAN just like described above.

I did find something in the manual that LLDP is not transmitted on ports that are disabled by 802.1X, which would include your phone if it isn't doing 802.1X.

You might also check out the Access Security Guide for your 5400R for more information.
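The value breakdown EricAtHP gives above (tag byte, twelve zero padding bits, 12-bit VLAN ID in hex) is easy to get wrong by hand, so here is a small encoder/decoder for it. This is an added example, not code from the thread or from HP/Microsoft. It assumes the RFC 4675 Egress-VLANID layout, where 0x31 means tagged and 0x32 means untagged; the tagged case is the one the reply describes, the untagged tag byte is an extension from the RFC that the reply does not mention. Function names are the example's own.

```python
"""Encode and decode the 8-hex-digit Egress-VLANID value used for RADIUS VLAN
assignment (RFC 4675 layout).

Added example, not from the thread. Layout assumed (matches the reply's
breakdown of 31000002):

    byte 0      : tag indication, 0x31 = tagged, 0x32 = untagged (RFC 4675)
    bits 12..23 : padding, must be zero
    bits 0..11  : 802.1Q VLAN ID (1..4094)
"""

TAGGED = 0x31    # "31" in the reply's example value
UNTAGGED = 0x32  # untagged, per RFC 4675; not covered in the reply


def encode_egress_vlanid(vlan_id: int, tagged: bool = True) -> str:
    """Return the attribute value as 8 upper-case hex digits.

    VLAN 2 tagged -> '31000002', VLAN 17 tagged -> '31000011'.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 802.1Q range 1..4094")
    tag = TAGGED if tagged else UNTAGGED
    # Shift the tag byte into the top octet; bits 12..23 stay zero (padding);
    # the VLAN ID occupies the low 12 bits.
    value = (tag << 24) | vlan_id
    return f"{value:08X}"


def decode_egress_vlanid(hex_value: str) -> tuple[int, bool]:
    """Parse a value back into (vlan_id, tagged).

    Rejects values that are the wrong length, carry an unknown tag byte,
    have non-zero padding, or name a VLAN outside 1..4094, so a mistyped
    attribute is caught before it lands in a policy.
    """
    if len(hex_value) != 8:
        raise ValueError("Egress-VLANID value must be exactly 8 hex digits")
    value = int(hex_value, 16)
    tag = value >> 24
    padding = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"unknown tag indication 0x{tag:02X}")
    if padding:
        raise ValueError("padding bits 12..23 must be zero")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 802.1Q range 1..4094")
    return vlan_id, tag == TAGGED


if __name__ == "__main__":
    # Constructed sample VLAN IDs; 2 and 17 are the ones the reply mentions.
    for vid in (2, 17, 100):
        for tagged in (True, False):
            enc = encode_egress_vlanid(vid, tagged)
            print(f"VLAN {vid:4d} {'tagged' if tagged else 'untagged':8s} -> {enc}"
                  f"  (round-trip: {decode_egress_vlanid(enc)})")
```

Use the decoder to sanity-check any value you type into the NPS attribute editor; the most common slip is putting the VLAN ID in decimal, and VLAN 17 entered as 31000017 decodes to VLAN 23, which the round-trip makes obvious.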

fmuecher
Occasional Advisor

Re: 802.1x & LLDP-MED on same port

Hey,

The phones support 802.1x, but I wanted to spare myself the hassle of a certificate roll-out to the devices.

I did try MAC-based authentication, but the phones only support MD5-CHAP, which is (please correct me if I'm wrong) not supported anymore on Windows Server 2012 R2.

I know that you could add MD5-CHAP on 2008 R2 via additions to the registry, but it seems that Microsoft removed the relevant parts from raschap.dll altogether.

Guess I have to take the long road and do 802.1x on the phones.

Thanks for all your efforts.

Mike_ES
Valued Contributor

Re: 802.1x & LLDP-MED on same port

Hi,

Looks like you need switches that accept LLDP packets over 802.1x (a feature named "lldp-pass-through").

As a workaround, do you have a chance to replace your NPS with another application? I think moving to a certificate roll-out for your devices is the worst-case scenario; I would go to a new RADIUS application.

Br,

Mike

fmuecher
Occasional Advisor

Re: 802.1x & LLDP-MED on same port

Hello,

I went the lazy way: I took the raschap.dll from a 2008 R2 installation, copied it to %systemroot%\raschap_2k8r2.dll and edited the corresponding registry entry for MD5 authentication.

The file is boot-safe since I did not replace the original 2012 R2 raschap.dll, and MAC-based authentication works just fine.

I have attached the registry settings and the 2008 R2 raschap.dll for anybody who stumbles upon the same problem.