HPE 5510 48G PoE Switch - DOT1.X Authentication: Radius Returned an Untagged VLAN Attribute

By esupport posted Jun 04, 2019 07:36 PM

Problem:

Issues:

1.  Port security related events (dot1x, mac-auth) are not logged

2.  Name based untagged VLAN attribution does NOT work.

Diagnostics:

Our network mostly uses 5500 EI and HI models.  We have new 5510 models and, while testing the config, we encountered issues with VLAN attribution.
We attribute the untagged VLANs based on the name with Radius Attribute: Tunnel-Private-Group-ID.

If we use the ID it works but we need to use the name.

Logging :

While on the console with terminal monitor, we don't see any logs about Port Security.  This works on the 5510 version with code R1122P02, but does not work after upgrading to version R1309P03.


Solution

Issue #1 - port security related events (dot1x, mac-auth) are not logged


To enable logging for each one run the following commands.

[HPE] port-security access-user log enable
[HPE] dot1x access-user log enable
[HPE] mac-authentication access-user log enable
 
Issue #2 - Cause: name based untagged VLAN attribution does NOT work


It was found that the RADIUS server sends a \000 prefix string when returning the VLAN attribute.  The 5500 Comware 5 switch ignores this prefix, but the 5130 Comware 7 switch did not.

Engineering provided a cold patch so the prefix string would be ignored.  The patch worked and the issue is resolved.
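The \000 prefix is the one-octet Tag field that RFC 2868 places in front of the Tunnel-Private-Group-ID string (attribute type 81): values 0x00 to 0x1F are a tag (0x00 meaning "no tag"), and only a first octet above 0x1F belongs to the string itself. A parser that keeps that octet as part of the VLAN name will never match a name configured on the switch. The following Python decoder is an added example, not HPE code or code from this article; the VLAN name "STAFF", the tag values and the sample Access-Accept attribute bytes are constructed for illustration.

```python
"""Decode a RADIUS Tunnel-Private-Group-ID attribute (type 81, RFC 2868).

Wire format of the attribute value: Tag (1 octet) followed by String.
RFC 2868: tag values 0x01..0x1F group related tunnel attributes, 0x00
means "no tag", and a first octet above 0x1F is part of the string itself.
A parser that treats the whole value as the VLAN name therefore sees a
leading "\\000" byte and fails the name lookup; stripping the tag fixes it.
"""
from typing import List, Optional, Tuple

ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 attribute type


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list (Type, Length, Value, ...) into pairs."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def decode_tagged_string(value: bytes) -> Tuple[Optional[int], str]:
    """Apply the RFC 2868 tag rule: return (tag or None, string)."""
    if not value:
        raise ValueError("empty Tunnel-Private-Group-ID")
    first = value[0]
    if first <= 0x1F:                      # tag octet present (0x00 = untagged)
        return (first or None, value[1:].decode("ascii"))
    return (None, value.decode("ascii"))   # no tag; octet belongs to the string


def naive_vlan_name(value: bytes) -> str:
    """The behaviour described in the article: tag octet kept in the name."""
    return value.decode("ascii")


def vlan_from_access_accept(attrs: bytes) -> Optional[str]:
    """Return the VLAN name/ID the RADIUS server assigned, or None."""
    for atype, value in parse_attributes(attrs):
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            _tag, group = decode_tagged_string(value)
            return group
    return None


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


# Constructed samples: the VLAN name "STAFF", the VLAN ID 100 and the tag
# bytes are made up for this example, not captured from a real server.
ACCEPT_WITH_NULL_TAG = build_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"STAFF")
ACCEPT_WITH_TAG_1 = build_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"STAFF")
ACCEPT_NO_TAG = build_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"STAFF")
ACCEPT_VLAN_ID = build_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"100")

if __name__ == "__main__":
    samples = [("null tag", ACCEPT_WITH_NULL_TAG), ("tag 1", ACCEPT_WITH_TAG_1),
               ("no tag", ACCEPT_NO_TAG), ("numeric ID", ACCEPT_VLAN_ID)]
    for label, blob in samples:
        raw = parse_attributes(blob)[0][1]
        print(f"{label:10s} naive={naive_vlan_name(raw)!r:12s} "
              f"rfc2868={vlan_from_access_accept(blob)!r}")
```

Running the script side by side shows the difference: the naive decoder returns "\x00STAFF" for the same bytes from which the RFC 2868 decoder returns "STAFF". The same check can be applied to a packet capture of the Access-Accept when a new switch firmware stops matching VLAN names while numeric IDs keep working.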

The patch has been released and is attached.


Attachments:
5510HI-CMW710-R1309P03H02.zip