02-29-2016 04:10 PM
I'm trying to get ClearPass to return the HP-Egress-VLANID attribute to indicate a TAGGED VLAN association for the client device.
According to the RFC, this value is in bits: http://wiki.freeradius.org/vendor/HP#procurve-port
ClearPass only accepts an unsigned integer, as indicated in its error message below.
Can someone guide me on how to set this attribute to return vlan-301 as TAGGED?
02-29-2016 04:45 PM
Got it working; simply converted the HEX into a decimal value:
HEX 3100012D = DECIMAL 822083885
CP-2530(config)# sh port-access mac-based 23 client det
Port Access MAC-Based Client Status Detailed
Client Base Details :
Port : 23
Client Status : authenticated Session Time : 236 seconds
MAC Address : 00e0bb-22b814 Session Timeout : 0 seconds
IP : n/a
Access Policy Details :
COS Map : Not Defined In Limit Kbps : Not Set
Untagged VLAN : Not Set
Tagged VLANs : 301
Port Mode : 1000FDx
RADIUS ACL List : No Radius ACL List
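The hex-to-decimal conversion above, as an added example that is not part of the original thread: it builds and checks the 32-bit value assuming the RFC 4675 Egress-VLANID layout (tag octet 0x31 for tagged or 0x32 for untagged, 12 zero pad bits, 12-bit VLAN ID). The function names are hypothetical.

```python
from typing import Tuple

# Layout assumed from RFC 4675 Egress-VLANID:
# | tag indication (8 bits) | pad, must be zero (12 bits) | VLAN ID (12 bits) |
TAGGED = 0x31    # ASCII '1'
UNTAGGED = 0x32  # ASCII '2'


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Return the unsigned integer to enter in the RADIUS server."""
    if not 1 <= vlan_id <= 4094:  # 0 and 4095 are reserved 802.1Q VIDs
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value: int) -> Tuple[int, bool]:
    """Split an Egress-VLANID integer into (vlan_id, tagged), rejecting bad input."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    tag = value >> 24
    pad = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"unknown tag indication: {tag:#04x}")
    if pad != 0:
        raise ValueError("pad bits are not zero")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return vlan_id, tag == TAGGED


def egress_vlan_name(name: str, tagged: bool) -> str:
    """Name-based form: the same tag character is prefixed to the VLAN name."""
    return ("1" if tagged else "2") + name


if __name__ == "__main__":
    value = encode_egress_vlanid(301, tagged=True)
    print(f"tagged VLAN 301   -> {value:#010x} = {value}")
    value = encode_egress_vlanid(301, tagged=False)
    print(f"untagged VLAN 301 -> {value:#010x} = {value}")
    print("decoded 822083885 ->", decode_egress_vlanid(822083885))
```

Decoding a value before entering it catches the common mistake of sending the bare VLAN number, which fails the tag-indication check.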
06-09-2016 08:49 AM
Not working for me...
I can use a decimal value and that VSA to send an untagged VLAN, but it doesn't seem to be working for tagged... I think it's the switch.
It'd be great to get some RADIUS debug from HPE OS. Do you have any clues?
06-10-2016 01:24 AM
I'm doing this on a brand new 2530, running Software revision : YB.16.01.000..
FYI.. if anyone wants to pipe in and provide some feedback..
09-01-2016 03:19 AM
Instead of the HP-Egress-VLANID you can now also use "HPE-Egress-VLAN-Name = 1VOICE".
Use "1" in front of the VLAN name if you want to use a tag and use "2" for untagging.
09-01-2016 06:20 PM
I never commented back on this thread after I raised it..
I ended up finding out that I think the switch software needs to support RFC4675 to be able to parse the RADIUS tagged VLAN ID attribute.
That was my issue at the time. The HPE switch model explicitly lacked RFC4675 support, whereas other models higher up in the portfolio did support it.