Security

Dear Experts, 

Can i assign dynamic Vlan from Clearpass to HPE comware switch 5130 without defining that Vlan explicitly on the port.

Below is my configuration on switch and clearpass and everytime its getting Vlan 1 as seen in the debug on switch

I want to assign Vlan 10 on successful authentication

interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid vlan 1 untagged
 mac-vlan enable
 stp edged-port
 undo dot1x handshake
 dot1x mandatory-domain clearpass
 undo dot1x multicast-trigger
 dot1x re-authenticate
 dot1x unicast-trigger
 dot1x critical vlan 1
 dot1x re-authenticate server-unreachable keep-online
 port-security port-mode userlogin-secure-or-mac-ext

For Comware profile, i tried simply, 10, 10t and 10u but nothing happens. ( i read in a post that u is for untagged and t is for tagged, but in all 3 cases port is getting Vlan 1)

Any idea what i am doing wrong?

There is a reference for Comware 7 in the Wired Solution Guide for ClearPass, but I could not find a screenshot of the VLAN assignment, which make me think that it's the default VLAN assignment profile that has two more attributes:

In the document, there is a recommendation to use VLAN names, you may try that. I don't think sending tagged VLANs is supported under Comware, as I've seen the question how people can authenticate an access point with some tagged client VLANs, and have not seen a confirmation on that. For IP Phones there is a voice traffic-class, documented in that guide.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jul 24, 2024 06:30 AM
From: Ronin101
Subject: Comware Switch and Dynamic Vlan from ClearPass

Dear Experts, 

Can i assign dynamic Vlan from Clearpass to HPE comware switch 5130 without defining that Vlan explicitly on the port.

Below is my configuration on switch and clearpass and everytime its getting Vlan 1 as seen in the debug on switch

I want to assign Vlan 10 on successful authentication

interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid vlan 1 untagged
 mac-vlan enable
 stp edged-port
 undo dot1x handshake
 dot1x mandatory-domain clearpass
 undo dot1x multicast-trigger
 dot1x re-authenticate
 dot1x unicast-trigger
 dot1x critical vlan 1
 dot1x re-authenticate server-unreachable keep-online
 port-security port-mode userlogin-secure-or-mac-ext

For Comware profile, i tried simply, 10, 10t and 10u but nothing happens. ( i read in a post that u is for untagged and t is for tagged, but in all 3 cases port is getting Vlan 1)

Any idea what i am doing wrong?