Comware


802.1X Dynamic VLAN Compatibility

  • 1.  802.1X Dynamic VLAN Compatibility

    Posted Feb 12, 2017 10:51 AM

    Hi all!

    I'd like a simple answer from HP: Which Switch series has the capability to set dynamic vlan assignment in 802.1X?

    Procurve series only? ( I'm inclined to believe "any" procurve is able to do this )

    I've been trying to get it working with OfficeConnect series ( HP1910/1920 series  and 3COM 2829 series ).

    I get the authentication to work, the Guest and Auth-Fail VLANs working correctly.

    I'm using FreeRADIUS server ( simple setup, testing purpose at the moment ), here's my user for trying to assign VLAN100 once authenticated:

    vlan100 Cleartext-Password := "@vlan100"
            3Com-VLAN-Name = VLANTEST100,
            HP-Egress-VLAN-Name = VLANTEST100,
            HP-Egress-VLANID = 100,
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 100,
            Egress-VLAN-Name = VLANTEST100,
            Egress-VLANID = 100,
            3Com-User-Access-Level = 3Com-Administrator

     

    I'm looking for second-hand, cheap switches capable of this feature for my home office lab, and I found these models ( cheapest first ):

    • HP Procurve A3100 - Jd317a
    • HP Procurve Switch 2650 - J4899c
    • HP Procurve 1410 - J9561a
    • HP Procurve E2510g - J9279a

    I'm inclined to buy J9279a... I think it's the best money for the bucket. I just want the one with the most features of all series above, including the VLAN assignment function.

     

    Thanks in advance!


    #802.1XDYNAMICVLANRADIUS


  • 2.  RE: 802.1X Dynamic VLAN Compatibility

    Posted Feb 13, 2017 09:34 PM

    Well....

    It turns out it was necessary to fine-tune FreeRADIUS....

     

    Example of working user:

    vlan15 Cleartext-Password := "@vlan15"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 15

     

    In /etc/raddb/eap.conf:

    In eap/peap, changed use_tunneled_reply = no to use_tunneled_reply = yes

     

    In /etc/raddb/default and /etc/raddb/inner-tunnel ( not sure if this is really required ):

    # eap {
    # ok = return
    # }
    eap

     

    And it is working with V1910 both 3com brand SFP Plus and HP brand

     

    I've managed to get Windows to authenticate/work correctly as well as my OpenWRT setup.

    My Linux box ( Fedora 24 ) isn't very happy yet, I still have to debug the issues with TLS.