Wired Intelligent Edge (Campus Switching and Routing)

legacy mac authentication

Greetings,

I've recently inherited 2 HP 2530 switches. I'd like to quickly stand up MAB on these switches while I figure out what to do next. I've got MAC authentication to work using my ISE server for RADIUS, but when I try to add an IP phone to the mix the phone lands in the trusted VLAN instead of the VoIP one. The voice VLAN works correctly on ports that aren't configured for MAC authentication.

Config follows.

Running configuration:

; J9775A Configuration Editor; Created on release #YA.16.02.0012
; Ver #0e:01.10.82.34.47.18.28.f3.84.9c.63.ff.37.27:b9
hostname "Aruba01"
radius-server host 192.168.5.205 key "xxx"
radius-server host 192.168.5.206 key "xxx"
radius-server key "xxx"
radius-server retransmit 2
radius-server tracking enable
timesync ntp
ntp server 192.168.0.150
ntp enable
ip default-gateway 192.168.253.1
snmp-server community "xxx" unrestricted
aaa server-group radius "ISE" host 192.168.5.205
aaa server-group radius "ISE" host 192.168.5.206
aaa authentication telnet login radius server-group "ISE" local
aaa authentication telnet enable radius server-group "ISE" local
aaa authentication allow-vlan tagged
aaa port-access mac-based 2-12
aaa port-access mac-based 1 addr-limit 2
aaa port-access mac-based 1 unauth-period 30
aaa port-access mac-based 2 addr-limit 2
aaa port-access mac-based 2 addr-moves
aaa port-access mac-based 2 unauth-period 30
aaa port-access mac-based 2 auth-vid 160
aaa port-access mac-based 2 unauth-vid 100
aaa port-access mac-based 3 addr-limit 2
aaa port-access mac-based 3 addr-moves
aaa port-access mac-based 3 unauth-period 30
aaa port-access mac-based 3 auth-vid 160
aaa port-access mac-based 3 unauth-vid 100
aaa port-access mac-based 4 addr-limit 2
aaa port-access mac-based 4 addr-moves
aaa port-access mac-based 4 unauth-period 30
aaa port-access mac-based 4 auth-vid 160
aaa port-access mac-based 4 unauth-vid 100
aaa port-access mac-based 5 addr-limit 2
aaa port-access mac-based 5 addr-moves
aaa port-access mac-based 5 unauth-period 30
aaa port-access mac-based 5 auth-vid 160
aaa port-access mac-based 5 unauth-vid 100
aaa port-access mac-based 6 addr-limit 2
aaa port-access mac-based 6 addr-moves
aaa port-access mac-based 6 unauth-period 30
aaa port-access mac-based 6 auth-vid 160
aaa port-access mac-based 6 unauth-vid 100
aaa port-access mac-based 7 addr-limit 2
aaa port-access mac-based 7 addr-moves
aaa port-access mac-based 7 unauth-period 30
aaa port-access mac-based 7 auth-vid 160
aaa port-access mac-based 7 unauth-vid 100
aaa port-access mac-based 8 addr-limit 2
aaa port-access mac-based 8 addr-moves
aaa port-access mac-based 8 unauth-period 30
aaa port-access mac-based 8 auth-vid 160
aaa port-access mac-based 8 unauth-vid 100
aaa port-access mac-based 9 addr-limit 2
aaa port-access mac-based 9 addr-moves
aaa port-access mac-based 9 unauth-period 30
aaa port-access mac-based 9 auth-vid 160
aaa port-access mac-based 9 unauth-vid 100
aaa port-access mac-based 10 addr-limit 2
aaa port-access mac-based 10 addr-moves
aaa port-access mac-based 10 unauth-period 30
aaa port-access mac-based 10 auth-vid 160
aaa port-access mac-based 10 unauth-vid 100
aaa port-access mac-based 11 addr-limit 2
aaa port-access mac-based 11 addr-moves
aaa port-access mac-based 11 unauth-period 30
aaa port-access mac-based 11 auth-vid 160
aaa port-access mac-based 11 unauth-vid 100
aaa port-access mac-based 12 addr-limit 2
aaa port-access mac-based 12 addr-moves
aaa port-access mac-based 12 unauth-period 30
aaa port-access mac-based 12 auth-vid 160
aaa port-access mac-based 12 unauth-vid 100
aaa port-access mac-based addr-format multi-colon
lldp top-change-notify 2-48
lldp enable-notification 2-48
vlan 1
name "DEFAULT_VLAN"
no untagged 1-52
no ip address
disable layer3
exit
vlan 100
name "VLAN100"
tagged 1
ip address 192.168.253.194 255.255.255.192
ip helper-address 192.168.5.205
ip helper-address 192.168.5.206
exit
vlan 160
name "VLAN160"
untagged 2-52
tagged 1
ip address 192.168.253.4 255.255.255.128
ip helper-address 192.168.5.205
ip helper-address 192.168.5.206
exit
vlan 260
name "VOIP"
tagged 1-48
ip address dhcp-bootp
voice
exit
spanning-tree
spanning-tree mode rapid-pvst
no spanning-tree extend system-id
no tftp server
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager


Re: legacy mac authentication

With this config and no VLAN 'pushed' back to the switch from ISE, the phone will be put in the auth VLAN 160.

As VLAN 260 on the switch is tagged on all ports and voice is set, your phone will probably use LLDP-MED to find the voice VLAN and use a tagged VLAN, if no MAC auth is active on the port.
You need to set up the ISE server (or use ClearPass 🙊) to answer the RADIUS request with a tagged VLAN 260.

Good luck
Cheers, Frank
Aruba Partner Ambassador| AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudos are welcome. If it solves your problem, please click 'Accept as Solution'
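As an added illustration of the reply above (not code from the thread or from Aruba/Cisco), this builds and decodes the RADIUS VLAN attributes a server such as ISE would have to return: the RFC 2868 Tunnel-* trio that places the data device untagged in VLAN 160, and the RFC 4675 Egress-VLANID / Egress-VLAN-Name attributes that add VLAN 260 tagged for the phone, which is what the switch's `aaa authentication allow-vlan tagged` line permits. The VLAN ids and the name "VOIP" are taken from the posted config; the assumption is that the switch firmware honours RFC 4675 attributes, which should be confirmed against its documentation.

```python
# Added example: RADIUS VLAN attribute values for a MAC-auth port that must
# carry a data device untagged (VLAN 160) and a phone tagged (VLAN 260).
# Attribute numbers and the 0x31/0x32 tag prefixes come from RFC 2868/4675.
TUNNEL_TYPE = 64                 # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65          # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81     # VLAN id as a string
EGRESS_VLANID = 56               # RFC 4675, 4-byte integer
EGRESS_VLAN_NAME = 58            # RFC 4675, string

TAGGED, UNTAGGED = 0x31, 0x32    # top byte / leading character per RFC 4675


def _check_vid(vid: int) -> None:
    """Only 1..4094 are usable 802.1Q VLAN ids."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN id {vid} outside 1..4094")


def egress_vlanid(vid: int, tagged: bool) -> int:
    """Egress-VLANID: 0x31 (tagged) or 0x32 (untagged) in bits 24-31, VID in bits 0-11."""
    _check_vid(vid)
    return ((TAGGED if tagged else UNTAGGED) << 24) | vid


def decode_egress_vlanid(value: int) -> tuple[int, bool]:
    """Inverse of egress_vlanid; rejects an unknown tag byte or non-zero bits 12-23."""
    tag, vid = value >> 24, value & 0x0FFF
    if tag not in (TAGGED, UNTAGGED) or (value >> 12) & 0xFFF:
        raise ValueError(f"malformed Egress-VLANID {value:#010x}")
    _check_vid(vid)
    return vid, tag == TAGGED


def egress_vlan_name(name: str, tagged: bool) -> str:
    """Egress-VLAN-Name: '1' + name for tagged, '2' + name for untagged."""
    return chr(TAGGED if tagged else UNTAGGED) + name


def untagged_vlan_avps(vid: int) -> dict[int, object]:
    """RFC 2868 trio: puts the authenticated MAC untagged in VLAN vid (the data device)."""
    _check_vid(vid)
    return {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: str(vid)}


def tagged_vlan_avps(vid: int, name: str) -> dict[int, object]:
    """RFC 4675 pair: adds VLAN vid tagged on the port (the phone's voice VLAN)."""
    return {EGRESS_VLANID: egress_vlanid(vid, True),
            EGRESS_VLAN_NAME: egress_vlan_name(name, True)}


# Constructed demo values matching the thread: data VLAN 160, voice VLAN 260 "VOIP".
print("laptop:", untagged_vlan_avps(160))
print("phone :", tagged_vlan_avps(260, "VOIP"))
```

A policy in the authentication server that returns the phone's pair (and nothing else) for the phone's MAC is the behaviour Frank describes; the laptop's trio alone keeps today's result of landing in VLAN 160.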