11-28-2008 06:03 AM
802.1x question combined tagged/untagged port
We have several VoIP phones connected to our switches. They are all in a VoIP VLAN which is tagged on the switch.
The workstations are connected to the VoIP phone and their VLAN is untagged on the switch port.
What will happen if I activate 802.1x on this switch port? Must the IP phone authenticate, or does only the workstation do it?
I expect that only the workstation will be authenticated via 802.1x.
Thanx for helping.
Kind Regards.
Alen Ahja
11-28-2008 06:22 AM
Re: 802.1x question combined tagged/untagged port
Two pieces of advice for you:
1- Unauthenticated users are dynamically assigned to the VoIP VLAN with an 802.1x config.
Example config:
vlan 1
name "DEFAULT_VLAN"
untagged 1-26
ip address 10.0.0.1 255.255.255.0
exit
vlan 3
name "voip"
ip address 192.168.1.1 255.255.255.0
exit
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server host 10.0.0.2 key procurve
aaa port-access authenticator 1-10
aaa port-access authenticator 1-10 unauth-vid 3
aaa port-access authenticator active
aaa port-access 1-10
With this config all authenticated users go to VLAN 1 and all unauthenticated users go to VLAN 3. There is no need to tag the ports; all ports wait as untagged members of VLAN 1.
But this process is very dangerous, because every malicious user is dynamically put into the VoIP VLAN.
2- Connect the IP phone to a port that is untagged in the VoIP VLAN,
namely connect the IP phone to a different switch port.
11-28-2008 10:56 AM
Re: 802.1x question combined tagged/untagged port
1) if you config a port for 802.1X, basically each device/user (mac addr) should auth via 802.1X........however, lots of VoIP phones don't support 802.1X...
2) you can config the switch like you describe - tag the port in the voip vlan and untag wherever, but until the computer authenticates, the phone won't work - unless you do like cenk suggested with the unauth-vid......but like he said, you then open the port for attack on a vlan that doesn't require authentication, so i never recommend this option...
3) the next best option would be to choose phones that can do 802.1X...tag the port in the voip vlan, untag the port into a non-use vlan...when the phone auth's, 802.1X will open the port and the phone will work in tagged mode, and then when the computer/user auth's, have the user vlan dynamically assigned via radius to the switch...
4) the best option of all: use a ProVision ASIC switch (3500/6200/5400/8212) and WindowsServer2008-NAP or freeRADIUS v2.x+, and then you can dynamically assign the vlan for voip -and- set it to tagged as well from radius (this is an enhancement to 802.1X called RFC-4675, that's why you need a newer asic switch and newer radius server)...and then when the computer/user auth's, have the user vlan dynamically assigned via radius to the switch...
5) or like cenk said, put the phone in 1 port and the pc in another...
--------
btw, when you configure the switch to support 802.1X and you connect multiple devices to a port (pc and phone), you need to add a parameter to the config:
aaa port-access authenticator 19 client-limit 3
...client-limit = 1 for the pc, and 2 for the phone (if it starts in untag state then moves to tag after it gets its config)...this is not very well documented...but i know from experience...the default is set to client-limit 1...
hth...jeff
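Option 4 above rests on two RADIUS attribute families: RFC 3580 (Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id), which can only place a port untagged into one VLAN, and RFC 4675 (Egress-VLANID / Egress-VLAN-Name), whose one-octet tag indicator is what lets the server return the voice VLAN as tagged. The following Python is an added example, not code from the thread or from HP ProCurve or FreeRADIUS; it encodes and decodes the Egress-VLANID and Egress-VLAN-Name values exactly as RFC 4675 lays them out, and the VLAN numbers (3 for voice, 10 for the user VLAN) and the "voip" name are constructed sample values taken from cenk's example config, not from any real deployment.

```python
import struct

# RFC 4675 attribute numbers and tag-indicator octets (values from the RFC).
EGRESS_VLANID = 56
EGRESS_VLAN_NAME = 58
TAGGED = 0x31      # ASCII "1": frames egress tagged on this VLAN
UNTAGGED = 0x32    # ASCII "2": frames egress untagged on this VLAN

# RFC 3580 values for the classic (untagged-only) VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def encode_egress_vlanid(vid: int, tagged: bool) -> bytes:
    """Egress-VLANID value: 1 octet tag indicator, 12 zero pad bits, 12-bit VLAN ID."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID out of range: {vid}")
    indicator = TAGGED if tagged else UNTAGGED
    return struct.pack("!I", (indicator << 24) | vid)


def decode_egress_vlanid(value: bytes) -> tuple[int, bool]:
    """Parse an Egress-VLANID value; rejects malformed indicators and non-zero padding."""
    if len(value) != 4:
        raise ValueError("Egress-VLANID must be exactly 4 octets")
    (word,) = struct.unpack("!I", value)
    indicator = word >> 24
    if indicator not in (TAGGED, UNTAGGED):
        raise ValueError(f"unknown tag indicator 0x{indicator:02x}")
    if word & 0x00FFF000:
        raise ValueError("padding bits must be zero")
    vid = word & 0x0FFF
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID out of range: {vid}")
    return vid, indicator == TAGGED


def encode_egress_vlan_name(name: str, tagged: bool) -> bytes:
    """Egress-VLAN-Name value: the same one-octet indicator followed by the VLAN name."""
    if not name:
        raise ValueError("VLAN name must not be empty")
    return (b"1" if tagged else b"2") + name.encode("utf-8")


def rfc3580_untagged_vlan(vid: int) -> dict:
    """RFC 3580 attribute set: the switch untags the port into this single VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-Id": str(vid),
    }


def port_egress_from_accept(attrs: dict) -> dict:
    """Derive the resulting port membership from an Access-Accept's VLAN attributes.

    Returns {"untagged": vid-or-None, "tagged": sorted list of vids}. An RFC 3580
    Tunnel-Private-Group-Id can only ever yield an untagged VLAN; tagged membership
    comes solely from RFC 4675 Egress-VLANID values.
    """
    untagged = None
    tagged = set()
    if attrs.get("Tunnel-Type") == TUNNEL_TYPE_VLAN and "Tunnel-Private-Group-Id" in attrs:
        untagged = int(attrs["Tunnel-Private-Group-Id"])
    for raw in attrs.get("Egress-VLANID", []):
        vid, is_tagged = decode_egress_vlanid(raw)
        if is_tagged:
            tagged.add(vid)
        else:
            untagged = vid
    return {"untagged": untagged, "tagged": sorted(tagged)}


# Constructed sample Access-Accepts for the two supplicants on one phone+PC port.
PHONE_ACCEPT = {"Egress-VLANID": [encode_egress_vlanid(3, tagged=True)]}   # voice VLAN 3, tagged
PC_ACCEPT = rfc3580_untagged_vlan(10)                                       # user VLAN 10, untagged

if __name__ == "__main__":
    print("phone:", port_egress_from_accept(PHONE_ACCEPT))
    print("pc:   ", port_egress_from_accept(PC_ACCEPT))
```

The decoder deliberately refuses non-zero padding and unknown indicators rather than guessing, which is how a switch or a RADIUS test harness should treat a malformed attribute: fall back to the port's static (dead/non-use) VLAN instead of opening an unintended one.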
11-29-2008 03:40 AM
Re: 802.1x question combined tagged/untagged port
Thanks for all the information.
I have now found the information that the IP phones work as multi-supplicant. But they can only authenticate with EAP-MD5.
All IP phones are connected to 2610-48-PWR switches, so we cannot take the option with the newest ASIC and W2k8.
The way Cenk described is not acceptable because it's not secure. Unauthenticated access will go into the guest VLAN with additional authentication. So we need to try out the behavior of all components, I think.
Alen
11-29-2008 10:05 AM
Re: 802.1x question combined tagged/untagged port
even though the phone can only do EAP-MD5, that is way better than putting their ports in an unauth vlan first...
my recommendation:
1) auth the phones with what they can do
2) tag the phone ports in the voip vlan
3) auth the computers with stronger encryption
4) create a "dead/non-use" vlan for the unauth state, and also untag all computer/phone ports into that vlan...that way no matter what connects, it must auth via 802.1X
5) control the access of the voip vlan (in & out) with acl's to restrict access only to what's needed
this is the way i do 802.1X with voip/data combo connections...
ps, don't forget the 'client-limit 3' config...
hth...jeff