HPE Community
Switches, Hubs, and Modems
1821587 Members
5001 Online
109633 Solutions
New Discussion юеВ

procurve 2650 - 802.1x multi user

 
asjdfds
New Member

тАО09-24-2009 03:47 AM

тАО09-24-2009 03:47 AM

procurve 2650 - 802.1x multi user

hi,

I am using a procurve 2650 H.10.74 with 802.1x on port 1.

If I connect a voip phone on port 1 it works without any problems.
If I connect a pc on port 1 it works also.

But then I connect a pc on the second port of the phone it does not work.
On the switch no errors will be logged. On the radius server I see that both devices (phone & pc) get access.

If I disable 802.1x it works without any problems.

My config:

; J4899B Configuration Editor; Created on release #H.10.74

hostname "test"
time timezone 2
no telnet-server
interface 1
no lacp
exit
interface 2
no lacp
exit
ip default-gateway 10.1.1.1
sntp server 10.1.1.26
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
no ip address
no untagged 1-50
exit
vlan 2
name "LAN"
untagged 1-50
ip address 10.1.1.123 255.255.255.0
exit
vlan 3
name "voip"
tagged 1-50
voice
exit
vlan 51
name "LAN_UNAUTH"
tagged 3-50
exit
aaa authentication port-access eap-radius
radius-server host 10.1.1.50
primary-vlan 2
aaa port-access authenticator 1
aaa port-access authenticator 1 max-requests 10
aaa port-access authenticator 1 reauth-period 3600
aaa port-access authenticator 1 client-limit 3
aaa port-access authenticator active
ip ssh
password manager


any ideas why my setup is not working?
0 Kudos
8 REPLIES 8
cenk sasmaztin
Honored Contributor

тАО09-24-2009 04:20 AM

тАО09-24-2009 04:20 AM

Re: procurve 2650 - 802.1x multi user

please test and say me result

; J4899B Configuration Editor; Created on release #H.10.74

hostname "test"
time timezone 2
no telnet-server
interface 1
no lacp
exit
interface 2
no lacp
exit
ip default-gateway 10.1.1.1
sntp server 10.1.1.26
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
no ip address
no untagged 1-50
exit
vlan 2
name "LAN"
untagged 1-49
ip address 10.1.1.123 255.255.255.0
exit
vlan 3
name "voip"
tagged 1-49
voice
exit
vlan 51
name "LAN_UNAUTH"
untagged 50
exit
aaa authentication port-access eap-radius
radius-server host 10.1.1.50 key xxxxxxx
aaa port-access authenticator 1
aaa port-access authenticator 1 client-limit 3
aaa port-access authenticator active
aaa port-access authenticator 1 unauth-vid 51
ip ssh
password manager

cenk

0 Kudos
asjdfds
New Member

тАО09-24-2009 04:54 AM

тАО09-24-2009 04:54 AM

Re: procurve 2650 - 802.1x multi user

thanks for your quick reply.

i changed my config, but this does not solve my problem
0 Kudos
gunnarwb
Occasional Contributor

тАО09-24-2009 05:05 AM

тАО09-24-2009 05:05 AM

Re: procurve 2650 - 802.1x multi user

I'd try messing around with the "tags" the, phone is actually a switch so any VLANs you need behind it (for the PC) would need to be tagged. so:

vlan 2
tagged 1

Basically I thought when dealing with VOIP phones you were supposed to tag pretty much everything.
0 Kudos
asjdfds
New Member

тАО09-24-2009 06:38 AM

тАО09-24-2009 06:38 AM

Re: procurve 2650 - 802.1x multi user

I tagged vlan 2 on port 1
phone works - pc does not work
0 Kudos
gunnarwb
Occasional Contributor

тАО09-24-2009 09:14 AM

тАО09-24-2009 09:14 AM

Re: procurve 2650 - 802.1x multi user

Some other things to try:

gvrp
aaa port-access gvrp-vlans

Also, for giggles remove all those extra settings you have:

aaa port-access authenticator 1 max-requests 10
aaa port-access authenticator 1 reauth-period 3600
aaa port-access authenticator 1 client-limit 3

The client limit is probably needed, but kill it anyway, see what happens.

On other thing to try,

vlan 3
tagged 1
0 Kudos
gunnarwb
Occasional Contributor

тАО09-24-2009 09:20 AM

тАО09-24-2009 09:20 AM

Re: procurve 2650 - 802.1x multi user

actually I know for a fact I'm wrong about the client-limit so leave that at 3, but tag both VLANS. CHeck out this article:

http://h40060.www4.hp.com/procurve/includes/application-notes/index.php?cc=ru&lc=ru&content=ans9-en
0 Kudos
Jeff Carrell
Honored Contributor

тАО09-24-2009 07:47 PM

тАО09-24-2009 07:47 PM

Re: procurve 2650 - 802.1x multi user

do you have a "secret key" or "shared secret" defined on the radius server - for the switch as the client?

if so, it looks like in your config you do not have the radius server key defined...

i have seen in labs where having no radius key on the switch, or incorrect between the server and the switch it not work...logs look good, switch does not function...

but it doesn't explain why it does work at an individual level...hmmm...

and yes the client-limit must be set...default is set to "1"...for VoIP phones to auth and possibly go from untagged to tagged (2 auth steps) -and- a computer to also auth as untagged, client-limit needs to be at 3....

otherwise, switch config looks good to me...

another comment, in the remote access policy on your radius server, if you send back the vlan id to the switch, the switch must have that vlan id defined (either static or dynamic [GVRP]) to work...if the switch receives a vlan id assignment for an auth port and does not have the vlan id on it, that session will be "un-auth'd"...not the port, just that mac addr...

hth...jeff
0 Kudos
asjdfds
New Member

тАО09-25-2009 12:20 AM

тАО09-25-2009 12:20 AM

Re: procurve 2650 - 802.1x multi user

i played around with the vlans and vgrp-vlan, but this does not changed anything.


i took my config from the first post and configured on a 5412zl, revision K.14.41, ROM K.12.20

on the 5412zl it worked with the pc behind the phone.

but why does it not work on a 2650?
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.