Security

Hi

Im trying to get Clearpass return HP-Egress-VLANID attribute to indicate a TAGGED VLAN association for the client device.

According to RFC this value is in bits- http://wiki.freeradius.org/vendor/HP#procurve-port-authentication-special-features_dynamic-vlan-assignment_rfc-4675-multiple-tagged-untagged-vlan-assignment

ClearPass only accepts unsigned integer.. as indicated in its below error message.

Can someone guide me on how to set this attribute to return a vlan-301 as TAGGED?

Thanks

Ram

Got it working.. simply converted HEX into decimal value:

HEX 3100012D = DECIMAL 822083885

CP-2530(config)# sh port-access mac-based 23 client det

Port Access MAC-Based Client Status Detailed

Client Base Details :
Port : 23
Client Status : authenticated Session Time : 236 seconds
MAC Address : 00e0bb-22b814 Session Timeout : 0 seconds
IP : n/a

Access Policy Details :
COS Map : Not Defined In Limit Kbps : Not Set
Untagged VLAN : Not Set
Tagged VLANs : 301
Port Mode : 1000FDx
RADIUS ACL List : No Radius ACL List

Regards

Ram

Not working for me...

I can use decimal value and that VSA to send untagged vlan.. but doesn't seem to be working for tagged...  I think it's the switch.

It'd be great to get some radius debug from HPE OS.. do you have any clues ?

In retrospect.. mine's not working for untagged either...

I'm doing this on a brand new 2530, running Software revision  : YB.16.01.000..

FYI.. if anyone wants to pipe in and provide some feedback..

Instead of the HP-Egress-VLANID you can also use now "HPE-Egress-VLAN-Name = 1VOICE".

Use "1" in front of the Vlan name if you want to use a tag en use "2" for untagging.

I never commented back on this thread after I raised it..

I ended up finding out that I think the switch software needs to support RFC4675 to be able to support parsing RADIUS attribute tagged vlan id.

https://tools.ietf.org/html/rfc4675.

That was my issue at the time.. The HPE switch model explicitly lacked RFC4675 support, where as other models higher up in the portfolio did support it.

Aka, the 2530 does not support RFC4675.

Where did you find the info that the 2530's don't support RFC4675?  Is there a list somewhere of switches that do and don't support it?  I have a variety of switch models in my environmnet and I'm trying to figure out how many of them this will actually work for.

That was two years ago.. maybe with some re-invigoration .. new OS release they might.. but pretty sure they were trying to clamp down on low end models doing everything.. just purely to push people up the footprint/form factor stack.  I just searched the datasheet online.

https://support.hpe.com/hpesc/public/home/productSelector?psiTask=manuals&sp4ts.oid=5333803 and string searched my way through the 'support protocols' section for '4675'

old thread but just wanted to share that some time ago i had tagged VLAN and non tagged VLAN (voice and data setup) work on both 2620 and 2530 (firmware RA.15.10.0013).

[edit] method mentioned by networkingsire used.