802.1X Dynamic VLAN Compatibility

msilveirabr
Occasional Contributor

Hi all!

I'd like a simple answer from HP: which switch series has the capability to set dynamic VLAN assignment in 802.1X?

ProCurve series only? (I'm inclined to believe "any" ProCurve is able to do this.)

I've been trying to get it working with the OfficeConnect series (HP 1910/1920 series and 3Com 2829 series).

I get the authentication to work, the Guest and Auth-Fail VLANs working correctly.

I'm using a FreeRADIUS server (simple setup, for testing purposes at the moment); here's my user for trying to assign VLAN 100 once authenticated:

# users file entry: check item on the first line, reply items indented below it
vlan100 Cleartext-Password := "@vlan100"
        3Com-VLAN-Name = VLANTEST100,
        HP-Egress-VLAN-Name = VLANTEST100,
        HP-Egress-VLANID = 100,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 100,
        Egress-VLAN-Name = VLANTEST100,
        Egress-VLANID = 100,
        3Com-User-Access-Level = 3Com-Administrator


I'm looking for second-hand, cheap switches capable of this feature for my home office lab, and I found these models (cheapest first):

  • HP ProCurve A3100 - JD317A
  • HP ProCurve Switch 2650 - J4899C
  • HP ProCurve 1410 - J9561A
  • HP ProCurve E2510G - J9279A

I'm inclined to buy the J9279A... I think it's the best bang for the buck. I just want the one with the most features of all the series above, including the VLAN assignment function.


Thanks in advance!

msilveirabr
Occasional Contributor
Solution

Re: 802.1X Dynamic VLAN Compatibility

Well...

It turns out FreeRADIUS needed some fine-tuning...


Example of working user:

vlan15 Cleartext-Password := "@vlan15"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 15


In /etc/raddb/eap.conf:

In the eap/peap section, I changed use_tunneled_reply = no to use_tunneled_reply = yes


In /etc/raddb/default and /etc/raddb/inner-tunnel (not sure if this is really required):

# eap {
# ok = return
# }
eap


And it is working with the V1910, both the 3Com-branded SFP Plus and the HP-branded one.


I've managed to get Windows to authenticate/work correctly as well as my OpenWRT setup.

My Linux box (Fedora 24) isn't very happy yet; I still have to debug the issues with TLS.
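As an added example that is not part of this thread, here is a small Python linter for the users file side of this setup: it parses entries like the vlan15 one above, flags reply items that lost their indentation (FreeRADIUS would read an unindented "Tunnel-Type = VLAN," as a new user), and checks for the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id triple. The SAMPLE text is constructed, and the script does not look at eap.conf, so use_tunneled_reply still has to be checked by hand.

```python
import re
# Reply attributes a dynamic-VLAN assignment must carry (RFC 3580 tunnel attributes)
REQUIRED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}
OPERATORS = {"=", ":=", "==", "+=", "!=", "=*", "!*"}
PAIR = re.compile(r"^\s*([\w-]+)\s*(:=|==|\+=|!=|=\*|!\*|=)\s*(.+?)\s*,?\s*$")

def parse_users(text):
    """Return {user: {"reply": {attr: value}, "problems": [...]}} (assumes unquoted usernames)."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                        # indented line: reply item of current user
            m = PAIR.match(raw)
            if current is not None and m:
                current["reply"][m.group(1)] = m.group(3).strip('"')
            continue
        name, *rest = raw.split(None, 1)           # column 0: "user  Check-Attr op value"
        tokens = rest[0].split() if rest else []
        if tokens and tokens[0] in OPERATORS:      # e.g. "Tunnel-Type = VLAN," at column 0:
            if current is not None:                # FreeRADIUS would read it as a new user
                current["problems"].append(f"unindented reply item: {raw.strip()}")
            continue
        current = entries.setdefault(name, {"reply": {}, "problems": []})
    return entries

def vlan_problems(entry):
    """Return what would stop this entry from moving the port into its VLAN."""
    probs = list(entry["problems"])
    reply = entry["reply"]
    for attr, want in REQUIRED.items():
        if reply.get(attr) != want:
            probs.append(f"{attr} should be {want}, got {reply.get(attr)!r}")
    if "Tunnel-Private-Group-Id" not in reply:
        probs.append("missing Tunnel-Private-Group-Id (VLAN id or name)")
    return probs

# Constructed sample: the working vlan15 entry, then its reply items pasted without indentation
SAMPLE = '''\
vlan15 Cleartext-Password := "@vlan15"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 15
broken Cleartext-Password := "@broken"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 15
'''
```

Run it against your real users file with `parse_users(open("/etc/raddb/users").read())` and print `vlan_problems()` for each entry you expect to assign a VLAN.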