Network Management

  • 1.  802.1x Authentication on VLAN

    Posted Feb 08, 2024 02:33 PM

    We've got 802.1x authentication enabled on ports for client access. We have a combination of HP ProCurve and Aruba switches, mostly the 2510s, 2530s, 2810s, 2610-24-PWR and 3800s.

    We are planning to move to VoIP with the use of IP or SIP phones. Can I enable 802.1x authentication via the VLAN instead of the port, since we are going to tag both the voice and the client VLAN on a port for the IP phone and have the machine hooked up via the IP phone?



  • 2.  RE: 802.1x Authentication on VLAN

    Posted Feb 09, 2024 04:18 AM

    Hi, the short answer is no. 

    Dot1x is enabled on the port. The result of the authentication is often the assignment of which VLAN that MAC address or port should be assigned to. So it can't be configured to be operational on one VLAN tagged to a port but not on the other VLAN.

    What you can do is tag the voice VLAN and untag a portal/unauth VLAN on each port. Then configure MAC/dot1x authentication on the port. This works for IP phones that tag their own traffic but pass the traffic for devices attached to them as untagged (if you plan to use the port on the phone to attach PCs etc.).

    I think for switches as old as the 2610 you may hit limits on what can be achieved compared to later models like the 2620, although I can't recall straight away. It might be LLDP-MED or something that didn't work with IP phones. But the above concept is in use across our ProCurve estate. The negative is that the voice VLAN is tagged even if not needed.




  • 3.  RE: 802.1x Authentication on VLAN

    Posted Feb 11, 2024 05:52 PM

    Thanks @IanNightingale 




  • 4.  RE: 802.1x Authentication on VLAN

    Posted Mar 04, 2025 11:32 PM

    Yeah, it seems like the 2160-24-PWR can't do this, as I tried this with tagging the voice VLAN and untagging the client VLAN and it never worked. Anyway, can the HP/Aruba switch have two untagged VLANs on a port?

    Works well with my Meraki, where I have a port profile with both VLANs as access and an 802.1x policy applied with the unauth VLAN as the voice VLAN.




  • 5.  RE: 802.1x Authentication on VLAN

    Posted Mar 05, 2025 04:51 AM

    First, you can dynamically assign tagged and untagged VLANs on the switch ports. For example, port 1 has just untagged VLAN 999. Then a VoIP phone authenticates and the RADIUS server sends tagged VLAN 200 for voice. Then a client connects and will be placed in VLAN 100. For the tagged VLAN you can use the HPE-Egress-VLAN-Name (65) or HPE-Egress-VLAN-ID (64) attribute.

    It is possible to have multiple untagged VLANs on a port, but you need to use 802.1x/MAC authN for that. So, in theory, the IP phone and the client can both be placed in a different untagged VLAN. That will automatically work if you send back a different VLAN ID.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------
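To make the RADIUS side of reply 5 concrete, here is an added example (not code from the thread, HPE or any RADIUS server) that encodes the HPE-Egress-VLAN-ID / HPE-Egress-VLAN-Name values and the standard Tunnel-* attributes a RADIUS server would return for the phone and the PC. It assumes the HPE attributes follow the RFC 4675 Egress-VLANID layout (0x31 tagged, 0x32 untagged, 12-bit VLAN ID) and reuses the thread's constructed VLAN numbers 200 (voice) and 100 (data).

```python
from __future__ import annotations

# Added example, not from the thread. Assumption: HPE-Egress-VLAN-ID (VSA 64)
# and HPE-Egress-VLAN-Name (VSA 65) use the RFC 4675 Egress-VLANID layout.
TAGGED = 0x31    # RFC 4675 tag indication: port is a tagged member
UNTAGGED = 0x32  # RFC 4675 tag indication: port is an untagged member


def encode_egress_vlan_id(vlan: int, tagged: bool) -> int:
    """Build the 32-bit value: 8-bit tag indicator, 12 zero bits, 12-bit VLAN."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan


def decode_egress_vlan_id(value: int) -> tuple[int, bool]:
    """Parse a value into (vlan, tagged); reject malformed values so a bad
    Access-Accept is flagged instead of silently applied to the port."""
    indicator = (value >> 24) & 0xFF
    pad = (value >> 12) & 0xFFF
    vlan = value & 0xFFF
    if indicator not in (TAGGED, UNTAGGED) or pad != 0 or not 1 <= vlan <= 4094:
        raise ValueError(f"malformed Egress-VLANID 0x{value:08x}")
    return vlan, indicator == TAGGED


def encode_egress_vlan_name(name: str, tagged: bool) -> str:
    """HPE-Egress-VLAN-Name: '1' + name means tagged, '2' + name untagged."""
    return ("1" if tagged else "2") + name


def reply_attributes(role: str) -> dict[str, object]:
    """Access-Accept attributes per device role, modelled on reply 5:
    phone -> tagged voice VLAN 200 via the HPE VSA; pc -> untagged data
    VLAN 100 via the standard RFC 3580 Tunnel-* attributes."""
    if role == "phone":
        return {"HPE-Egress-VLAN-ID": encode_egress_vlan_id(200, tagged=True)}
    if role == "pc":
        return {"Tunnel-Type": 13,             # VLAN
                "Tunnel-Medium-Type": 6,       # IEEE-802
                "Tunnel-Private-Group-Id": "100"}
    raise ValueError(f"unknown role {role!r}")


if __name__ == "__main__":
    for role in ("phone", "pc"):
        print(role, reply_attributes(role))
```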