Hi,
I'm trying to set dot1x on 4500G ports, with vlan 1 for the authenticated machines and guest-vlan 5 for "foreigner" machines.
On a normal port, it works fine... I connect a domain machine, the radius server authenticates it and the machine is connected to vlan 1. I switch the cable to a foreigner machine and it doesn't authenticate, and it gets vlan 5 (guest) access.
However, I have many [switch port -- ip phone -- computer] setups, where the port is hybrid with vlan 2 as the voice vlan.
If I use the same parameters as a "normal" port, it starts to work but after a while the port is set with pvid=5.
Questions:
- Is it possible to set dot1x as described above on a hybrid voice port? How?
- Can I use the Tunnel-Pvt-Group-Id of NPS to set the port vlan when the port is hybrid?
Switch Configuration:
#
version 3Com OS V5.02.00s168p20,
#
dot1x
dot1x timer tx-period 10
dot1x timer supp-timeout 10
dot1x retry 1
dot1x timer handshake-period 5
dot1x authentication-method eap
#
radius scheme system
 server-type extended
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
radius scheme my_domain
 server-type extended
 primary authentication A.B.C.D
 primary accounting A.B.C.D
 secondary authentication 127.0.0.1 1645
 secondary accounting 127.0.0.1 1646
 key authentication XXXXXX
 key accounting XXXXX
#
domain my_domain
 authentication default radius-scheme my_domain
 authorization default radius-scheme my_domain
 accounting default radius-scheme my_domain
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
interface GigabitEthernet1/0/14
 port link-type hybrid
 port hybrid vlan 2 tagged
 port hybrid vlan 1 untagged
 broadcast-suppression pps 3000
 undo jumboframe enable
 poe enable
 stp edged-port enable
 dot1x re-authenticate
 dot1x guest-vlan 5
 dot1x mandatory-domain my_domain
 dot1x port-method portbased
 dot1x
Thanks in advance