Security

Hi,
I'm currently meeting an issue regarding Comware v7 critical vlan.
When I try to disconnect clearpass to test critical vlan, critical vlan on comware are not working but configured as well.
vlan 30 is a vlan that assign DHCP response currently.
But when I disconnect clearpass, computer Don't receive an IP address, and so the critical vlan 30 is not used.
​Here is my configuration :

interface GigabitEthernetX/0/X

stp edged-port

mac-authentication max-user 10

mac-authentication critical vlan 30

mac-authentication host-mode multi-vlan

port-security port-mode userlogin-secure-or-mac-ext

dot1x critical vlan 30

I tried both domain radius in 2 configurations (with local fallback, and without):

Domain radius

authentication lan-access radius-scheme clearpass local

authorization lan-access radius-scheme clearpass local

accounting lan-access radius-scheme clearpass local

Domain radius

authentication lan-access radius-scheme clearpass

authorization lan-access radius-scheme clearpass

accounting lan-access radius-scheme clearpass

Thanks

------------------------------
Lawrence BENEDICT
------------------------------

Are you matching the scenario you want correctly?



------------------------------
Dustin Burns
Lead Mobility Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos
------------------------------

Original Message:
Sent: Nov 09, 2021 06:04 AM
From: Lawrence BENEDICT
Subject: Comware critical VLAN (and clearpass)

Hi,
I'm currently meeting an issue regarding Comware v7 critical vlan.
When I try to disconnect clearpass to test critical vlan, critical vlan on comware are not working but configured as well.
vlan 30 is a vlan that assign DHCP response currently.
But when I disconnect clearpass, computer Don't receive an IP address, and so the critical vlan 30 is not used.
​Here is my configuration :

interface GigabitEthernetX/0/X

stp edged-port

mac-authentication max-user 10

mac-authentication critical vlan 30

mac-authentication host-mode multi-vlan

port-security port-mode userlogin-secure-or-mac-ext

dot1x critical vlan 30

I tried both domain radius in 2 configurations (with local fallback, and without):

Domain radius

authentication lan-access radius-scheme clearpass local

authorization lan-access radius-scheme clearpass local

accounting lan-access radius-scheme clearpass local

Domain radius

authentication lan-access radius-scheme clearpass

authorization lan-access radius-scheme clearpass

accounting lan-access radius-scheme clearpass

Thanks

------------------------------
Lawrence BENEDICT
------------------------------