HPE Community
Switches, Hubs, and Modems
1823924 Members
3493 Online
109667 Solutions
New Discussion юеВ

BUG: ProCurve Switch 2510G-48, DHCP problem with 802.1X authenticated VLAN / public VLAN otherwise

 
SysCo al
New Member

тАО05-25-2011 09:41 AM

тАО05-25-2011 09:41 AM

BUG: ProCurve Switch 2510G-48, DHCP problem with 802.1X authenticated VLAN / public VLAN otherwise

Hello,

Here is the problem:

Material: ProCurve Switch 2510G-48
Firmware: 11/17/09 Y.11.16

We want to have 802.1X VLAN authentication, and if no authentication is correct, we want to have a public VLAN.

Here is the configuration:

vlan 1
name "DEFAULT_VLAN"
no ip address
no untagged 1-48
exit
vlan 2
name "PUBLIC_VLAN"
no ip address
exit
vlan 3
name "PRIVATE_VLAN"
untagged 1-48
ip address 192.168.3.1 255.255.255.0
exit

aaa authentication port-access eap-radius
radius-server host 192.168.3.2 key mysecretkey
primary-vlan 3
aaa port-access authenticator 1
aaa port-access authenticator 1 auth-vid 3
aaa port-access authenticator 1 unauth-vid 2
aaa port-access authenticator active

Let's do the test on port 1. Once authentication is done and ok (VLAN 3), the DHCP Discovery broadcasted packet is sent (and received by the DHCP server in the VLAN 3), but the DHCP Offer broadcasted answer packet is never going back to the machine.

If we are not authenticated (VLAN 2), everything is working fine, the second DHCP in the VLAN 2 receive the Discovery, send the Offer, receive the Request and send the Acknoledgement packet.

If we connect the machine to the port 2 (always on VLAN 3), the DHCP protocol is working well with the DHCP server in the VLAN 3.

After sniffing everything in any directions, we discovered that ALL broadcast traffic is never going through an authenticated port, BUT this only if the authenticated port is in the same VLAN as the switch management VLAN ! We didn't find any filter that can be removed or setup.

Any suggestion welcome, we have spend hours and hours in our configuration, but this is for sure a bug, not a configuration problem.

Does anybody have a success to do a 802.1X authentication with working DHCP IP distribution in the VLAN of the managed switch with this firmware 11/17/09 Y.11.16 ?

We have tried downgrading to version 11.12 and it works ! But as a lot of other stuffs have been fixed in 11.16, we would be happy to have a new fixed release for our brand new switch (bought a few weeks ago).

Thanks in advance for your support.

Regards,

Andr├й
0 Kudos
4 REPLIES 4
cenk sasmaztin
Honored Contributor

тАО05-27-2011 05:00 AM

тАО05-27-2011 05:00 AM

Re: BUG: ProCurve Switch 2510G-48, DHCP problem with 802.1X authenticated VLAN / public VLAN otherwise

upgrade your switch y.11.18
cenk

0 Kudos
SysCo al
New Member

тАО05-27-2011 05:26 AM

тАО05-27-2011 05:26 AM

Re: BUG: ProCurve Switch 2510G-48, DHCP problem with 802.1X authenticated VLAN / public VLAN otherwise

Hello,

It's a good idea, but I don't find any Y 11.18 version on the ProCurve website (https://h10145.www1.hp.com/Downloads/SoftwareReleases.aspx?ProductNumber=J9280AтМй=en,en&cc=us,us&prodSeriesId=3356807)

Any advise welcome

Regards

Andr├Г┬й
0 Kudos
Steve Woodward_2
Advisor

тАО05-27-2011 07:40 AM

тАО05-27-2011 07:40 AM

Re: BUG: ProCurve Switch 2510G-48, DHCP problem with 802.1X authenticated VLAN / public VLAN otherwise

Yes, contact Procurve support and request the latest software for your switch. Also request the associated release notes, which they probably won't provide by default. You should see many AAA/802.1x related bug fixes. It appears they are not publicly posting switch software that only contains bug fixes, just new features.

Another thought is, I beleive this line of your config is redundant:
aaa port-access authenticator 1 auth-vid 3

You have already set port 1 as untagged on VLAN 3. It should work, but I would try removing it to see if it has any impact.
0 Kudos
SysCo al
New Member

тАО05-30-2011 12:49 PM

тАО05-30-2011 12:49 PM

Re: BUG: ProCurve Switch 2510G-48, DHCP problem with 802.1X authenticated VLAN / public VLAN otherwise

Thanks for the advise, ticket opened by ProCurve support.

Regards,

Andre
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.