Wired Intelligent Edge


If 802.1x Authenticated use specific vlan . If not authenticated use static vlan configuration

  • 1.  If 802.1x Authenticated use specific vlan . If not authenticated use static vlan configuration

    Posted Dec 30, 2016 05:00 AM

    Hello.
    Is it possible to configure a switch with 802.1x authentication to do the following:
    If the computer is authenticated, it shall be assigned a specific existing VLAN on the switch; if not, it shall use the static VLAN configuration on that port.

     


    #802.1x


  • 2.  RE: If 802.1x Authenticated use specific vlan . If not authenticated use static vlan configuration

    Posted Dec 30, 2016 06:32 AM

    Something like this if you're using Radius for authentication.

    #Set selected authentication mode
    aaa authentication port-access eap-radius server-group "Radius"

    #Configure specified ports for authentication
    aaa port-access authenticator 1-24

    #Assign unauthenticated client VLAN to authenticator ports
    aaa port-access authenticator 1-24 unauth-vid 2

    #Assign authenticated client VLAN to authenticator ports
    aaa port-access authenticator 1-24 auth-vid 3

    #Activate authentication on assigned ports with configured options
    aaa port-access authenticator active

     



  • 3.  RE: If 802.1x Authenticated use specific vlan . If not authenticated use static vlan configuration

    Posted Dec 30, 2016 07:18 AM

    Thanks for replying.
    I forgot to say that I use a RADIUS server.

    Will not your example place unauthenticated clients in vlan 2?
    I want unauthenticated clients to use the static vlan already set on that port.

    I only want authenticated clients to be assigned vlan X.



  • 4.  RE: If 802.1x Authenticated use specific vlan . If not authenticated use static vlan configuration

    Posted Dec 30, 2016 07:55 AM

    If that is what you want then just remove the "aaa port-access authenticator 1-24 unauth-vid 2" command, and use normal untag commands for the ports.

     



  • 5.  RE: If 802.1x Authenticated use specific vlan . If not authenticated use static vlan configuration

    Posted Jan 03, 2017 09:09 AM

    Changing the VLAN automatically for the trusted computer works; however, an untrusted one gets Blocked by AAA.
    As I mentioned before, I want the untrusted computer to fall back to the static untagged configuration on the switch.