I am trying to get 802.1X working. I want the RADIUS server to dynamically assign VLANs to ports based on a RADIUS reply attribute for the particular user. I have an HP E2620 switch and a FreeRADIUS server. The supplicant is a Windows 8.1 machine.
I referred to this document on the FreeRADIUS website.
What I've done so far:
On FreeRADIUS I created a user with the following parameters:
I also tried Tunnel-Pvt-Group-ID instead, but it doesn't work on FreeRADIUS, it just barks at me (I saw this in resources for configuring Microsoft NPS, one of these). I also tried the values "802", 802 and 6 for the tunnel medium type.
I also tried using the actual VLAN name instead of the VLAN ID as the Group ID value. Its datatype is a string anyway.
I configured the HP switch to use this RADIUS server for AAA and set this up for port 10:
Port 10 also has untagged VLAN 150 assigned to it: vlan 150 untagged 10. And I can't get rid of the static assignment.
All VLANs listed above are present in the switch's VLAN database.
Whenever I plug into this port it asks me for credentials; after I succeed with authentication it just sends me to VLAN 150, and if I deliberately fail I end up in VLAN 200.
I enabled 802.1X authentication on the Windows connection just as described here.
I tried enabling GVRP; it doesn't change anything.
Diagnostic/show command output:
Static VLAN assignment for Port 10. VLAN 150 untagged
In show logging I see this:
show port-access authenticator output:
RADIUS user test:
This is what I saw in tcpdump on the RADIUS server. I was capturing outgoing UDP traffic with source port 1812. It's what my switch gets (if it actually does; I'm not sure how to check that...).
After that I unplugged and plugged in the cable, ran show debug buffer, and here is the copy-paste of it. It's weird: nothing is said about any attribute related to VLANs.
What am I doing wrong?
I've read in a bunch of resources that if the RADIUS server assigns a VLAN ID, the switch uses that first. Then it falls back to the Authorized VLAN configured for the Port-Access Authenticator if authentication succeeds. If that is not present, it assigns the Untagged VLAN configured on the port. Why don't I get that behavior?
I'm starting to think the attribute Tunnel-Private-Group-Id is not supported on these switches. It seems every resource refers to Tunnel-Pvt-Group-Id instead (configuring on Microsoft). Too bad I don't have Windows Server to check.
Maybe it's firmware related? I haven't tried upgrading yet; I use RA_15_06_0009.swi and RA_15_14_0007.swi is already out there.
Just tried on a 3500yl-24G-PWR model and it still doesn't work. So.. I'd guess the switches just don't get the config from the RADIUS server (or did I use incorrect attributes or operators?). How can I troubleshoot that?
I'm configuring an IEEE 802.3ad (LACP) dynamic trunk from an HP ProCurve 2412zl (firmware version K.15.07) switch to an HP ProLiant DL380 G7 server. The DL380 has 4 NICs and is running Win2008 R2, so I'm teaming the NICs together and leaving everything on the recommended "automatic" setting in the HP NIC configuration tool. The server is one of two; they'll be connected on interfaces F17-F20 and F21-F24 respectively on the switch.
I need the servers in a separate VLAN, here is the configuration for the VLAN:
There is a DHCP-relay into the VLAN 10 from another device beyond interface B21. The Advanced Traffic Management Guide says that in order to run a dynamic LACP trunk on another VLAN besides the DEFAULT_VLAN, you need to first enable GVRP and then use "forbid" to stop the interfaces from automatically joining DEFAULT_VLAN when the dynamic trunk is created. GVRP brings some other stuff with it that I don't want or need, so I disable it with "unknown-vlans disable" on all other interfaces.
Here is how I do it:
The result afterwards looks all successful:
On the Proliant server, the NIC configuration Tool is also indicating that a 802.3ad dynamic trunk has been established.
Everything should be good, but it isn't. The server is not getting an IP address from DHCP, which it does if I don't enable LACP. If I configure the server with a static IP address on the VLAN 10 subnet, it can't even ping the switch IP address, much less anything outside of the VLAN. The switch can't ping the server either.
I did another attempt with F17-F20 tagged, and checking the box "Default Native Tag (VLAN 10)" in the NIC configuration tool on the server, but there was no difference. Does anyone have any idea what I might have missed?
Is the DHCP server on the same network, 172.22.71.3/24, as the other elements in the VLAN? If not, I think you should specify the DHCP-relay IP address on that VLAN with:
I don't see here where the dynamic trunk is put into VLAN 10. You would need a "vlan 10 untag trunk Dyn2" or something to that effect. If that doesn't work, try creating a static trunk.
On ProCurve switches, dynamic LACP really won't work with VLANs other than VLAN 1.
Something you seem to have overlooked: in your switch console log, the "show lacp" command is actually NOT restricted to VLAN 10, even though you're in the VLAN 10 config context. It simply outputs all dynamic trunks, irrespective of the VLAN configuration.
The GVRP statement from the ProCurve documentation looks like some kind of practical joke... I doubt the person who wrote this actually ever got it working.
Since you're dedicating specific ports to your servers, why not just use static (active) LACP anyway? Then you can assign your Trk trunks to whatever VLAN you like.
I'm trying to set up port-based authentication. I have one question that I can't seem to find a solid answer for. Everything I've been looking at so far seems to indicate that the extent of the VLAN assignment abilities is either authenticated or unauthenticated. In other words, it seems that only one or two VLANs can be used with port-based authentication.
I would like to set up a guest VLAN for unauthenticated users, and I would like authenticated users to be assigned to a VLAN based on security group. For example, Finance should go to VLAN 4, Devs should go to VLAN 3, IT should go to VLAN 7. Is this sort of thing possible, or can I only use two VLANs when it comes to 802.1X?
Thanks in advance
802.1X dynamic VLAN compatibility
I'd like a simple answer from HP: which switch series has the capability to set dynamic VLAN assignment in 802.1X?
ProCurve series only? (I'm inclined to believe "any" ProCurve is able to do this.)
I've been trying to get it working with the OfficeConnect series (HP 1910/1920 series and 3Com 2829 series).
I get authentication to work, and the Guest and Auth-Fail VLANs work correctly.
I'm using a FreeRADIUS server (simple setup, for testing purposes at the moment); here's my user for trying to assign VLAN 100 once authenticated:
vlan100 Cleartext-Password := "@vlan100"
    3Com-VLAN-Name = VLANTEST100,
    HP-Egress-VLAN-Name = VLANTEST100,
    HP-Egress-VLANID = 100,
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 100,
    Egress-VLAN-Name = VLANTEST100,
    Egress-VLANID = 100,
    3Com-User-Access-Level = 3Com-Administrator
I'm looking for second-hand, cheap switches capable of this feature for my home office lab, and I found these models (cheapest first):
I'm inclined to buy the J9279a... I think it's the best money for the bucket. I just want the one with the most features of all the series above, including the VLAN assignment function.
Thanks in advance!
It turns out FreeRADIUS needed some fine-tuning....
Example of a working user:
vlan15 Cleartext-Password := "@vlan15"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 15
In /etc/raddb/eap.conf:
In eap/peap, I changed use_tunneled_reply = no to use_tunneled_reply = yes.
In /etc/raddb/default and /etc/raddb/inner-tunnel (not sure if this is really required):
#    eap {
#        ok = return
#    }
    eap
And it is working with the V1910, both the 3Com brand SFP Plus and the HP brand.
I've managed to get Windows to authenticate/work correctly, as well as my OpenWRT setup.
My Linux box (Fedora 24) isn't very happy yet; I still have to debug the issues with TLS.
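The Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id triplet in the working user entry above (and the one the first question could not get the E2620 to honour) is defined in RFC 2868, and the two places it usually goes wrong are the tag octet and a Tunnel-Medium-Type that is not IEEE-802 (6). The Python below is an added example, not code from FreeRADIUS or from either poster: it encodes the three reply attributes as they travel in an Access-Accept and decodes them the way a switch has to, including the RFC rule that a Group-Id whose first byte is above 0x1F carries no tag. Attribute numbers and enum values come from RFC 2868 and the FreeRADIUS dictionary; the function names are this example's own.

```python
# Added example: RFC 2868 tunnel attributes as used for 802.1X dynamic VLAN
# assignment. Attribute numbers/enum values are from RFC 2868 and the
# FreeRADIUS dictionary; the helper names below are this example's own.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802 (not "802")
MAX_TAG = 0x1F                 # tag octet is 0x00..0x1F; a larger first byte is data


def tlv(attr_type, value):
    """RADIUS Type/Length/Value framing; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_vlan_assignment(vlan, tag=0):
    """Build the three reply attributes a RADIUS server sends to assign a VLAN.
    vlan may be a numeric VID or a VLAN name; the wire format is identical."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tunnel tag must be 0..31")
    group = str(vlan).encode("ascii")
    # Integer-valued tunnel attributes: 1 tag octet + 3-octet big-endian value.
    return (tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group))


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def extract_vlan(data):
    """Return the VLAN (as a string) a switch should honour, or None: all three
    attributes must share one tag, with Tunnel-Type=VLAN and Medium=IEEE-802."""
    by_tag = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868 section 3.6: a first octet above 0x1F is data, not a tag.
            tag, text = (value[0], value[1:]) if value[0] <= MAX_TAG else (0, value)
            by_tag.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for _, attrs in sorted(by_tag.items()):
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


def as_vid(group_id):
    """Numeric VID in 1..4094, or None when the Group-Id is a VLAN name instead."""
    if group_id is not None and group_id.isdigit() and 1 <= int(group_id) <= 4094:
        return int(group_id)
    return None
```

Feeding extract_vlan the attribute bytes from a captured Access-Accept (for example the tcpdump the first poster took on port 1812) tells you whether the reply actually contains a usable assignment before suspecting the switch.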
© Copyright 2024 Hewlett Packard Enterprise Development LP All Rights Reserved.
Configuring static VLAN per-port settings
[no] vlan vid
This command, used with the options listed below, changes the name of an existing static VLAN and the per-port VLAN membership settings.
You can use these options from the configuration level by beginning the command with vlan vid, or from the context level of the specific VLAN by just entering the command option.
tagged port-list
Configures the indicated port as Tagged for the specified VLAN. The no version sets the port to either No or (if GVRP is enabled) to Auto .
untagged port-list
Configures the indicated port as Untagged for the specified VLAN. The no version sets the port to either No or (if GVRP is enabled) to Auto .
forbid port-list
In port-based VLANs, configures the ports in port-list as forbidden from becoming members of the specified VLAN (which also prevents GVRP from joining them to it), along with related actions. Not available for protocol VLANs. The no version sets the port to either No or (if GVRP is enabled) to Auto.
auto port-list
Available if GVRP is enabled on the switch. Returns the per-port settings for the specified VLAN to Auto operation. Auto is the default per-port setting for a static VLAN if GVRP is running on the switch.
Changing the VLAN name and setting ports to tagged
Suppose there is a VLAN named VLAN100 with a VID of 100, and all ports are set to No for this VLAN. To change the VLAN name to Blue_Team and set ports A1 - A5 to Tagged, use the following commands:
Moving the context level
To move to the vlan 100 context level and execute the same commands:
Changing tagged ports
To change the tagged ports in the above examples to No (or Auto, if GVRP is enabled), use either of the following commands.
At the global configuration level, use:
At the VLAN 100 context level, use:
You cannot use these commands with dynamic VLANs. Attempting to do so results in an error message and no change occurs.
You can administratively disable the IP address on specified VLANs with static IP addresses without removing the Layer 3 configuration. The switch can be pre-configured as a backup router, then quickly transition from backup to active by re-enabling Layer 3 routing on one or more VLANs. While the switch is in “backup” mode, it still performs Layer 2 switching.
A MIB object will be toggled to make Layer 3 routing active or inactive on a VLAN.
This feature affects management access to the switch as follows:
IP—SNMP, Telnet, SSH, HTTP, TFTP, SCP, SFTP
Routing—RIP, OSPF, PIM, VRRP
When the disable layer3 command is configured on a VLAN, the behavior is as if no IP address were configured for that VLAN. There is no other change in behavior.
[no] disable layer3 vlan <vid | vid-range>
In the configuration context, turns off Layer 3 routing for the specified VLAN or VLANs. When executed in vlan context, turns off Layer 3 routing for that VLAN. The no form turns on Layer 3 routing for the specified VLAN or VLANs. If QinQ is enabled, svlan can be configured as well.
The show ip command displays disabled in the display column if Layer 3 has been disabled, or if the VLAN has no IP configuration. You can tell which is the case by viewing the remaining columns; if there is no IP configuration, the remaining columns are blank.
Viewing a VLAN disabled for Layer 3
For IPv6, the Layer 3 Status field displays the status of Layer 3 on that VLAN.
Viewing IPv6 Layer 3 status for a VLAN
Disabling Layer 3 functionality and DHCP are mutually exclusive, with DHCP taking precedence over disable layer3 on a VLAN. The following interactions occur:
If the disable layer3 command is executed when DHCP is already configured, no disabling of the VLAN occurs. This error message displays: Layer 3 cannot be disabled on a VLAN that has DHCP enabled .
From the CLI: If disable layer3 is configured already, and an attempt is made to configure DHCP, DHCP takes precedence and will be set. The warning message displays: Layer 3 has also been enabled on this VLAN since it is required for DHCP .
From the CLI: When disabling a range of VLAN IDs, this warning message displays: Layer 3 will not be disabled for any LANs that have DHCP enabled .
From SNMP: If the disable layer3 command is executed when DHCP is already configured, no disabling of the VLAN occurs. An INCONSISTENT_VALUE error is returned.
From SNMP: If disable layer3 is configured already, and an attempt is made to configure DHCP, DHCP takes precedence and will be set.
Copyright © 2015 Hewlett-Packard Development Company, L.P.