Hi Lawrence,
Trunk ports and port-security (macauth and dot1x) are mutually exclusive. It is not possible to have trunk ports with MAC authentication and assign a tagged VLAN. Having said that, I think there is a good alternative for assigning tagged VLANs to an authenticated port, and that is by using the "mac-authentication auto-tag" functionality.
https://techhub.hpe.com/eginfolib/networking/docs/switches/5130ei/5200-3946_security_cg/content/485048140.htm
In order to get this working, you need to configure the following on the interface:
port link-mode bridge
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 10 tagged   <-- This is the tagged VLAN that is assigned from ClearPass using the standard IETF attributes
mac-vlan enable
mac-authentication auto-tag ignore-config
mac-authentication
mac-authentication host-mode multi-vlan
From an edge device perspective, it depends on what type of packet is sent first (is it untagged or tagged).
If it's an untagged packet, the switch will receive that on the default (pvid) or untagged VLAN. This is called the initial VLAN. If that is the case, there will be no tagged VLAN assignment because the initial packet was sent as an untagged packet.
If the edge device sends a tagged packet (in this example with VLAN tag 10), the switch will accept this packet (because it's a tagged member of VLAN 10), and after successful authentication it will place the VLAN 10 as tagged onto that port. See the output of "show mac-authentication connection" below:
Total connections: 1
Slot ID: 1
User MAC address: 8e8e-5395-0202
Access interface: Ten-GigabitEthernet1/0/2
Username: 8e8e53950202
User access state: Successful
Authentication domain: clearpass
Initial VLAN: 10
Authorization untagged VLAN: N/A
Authorization tagged VLAN: 10
Authorization VSI: N/A
Authorization ACL ID: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Termination action: Default
Session timeout period: N/A
Online from: 2021/08/25 15:13:24
Online duration: 0h 0m 5s
Hope this is helpful
------------------------------
Dik van Oeveren
------------------------------
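As an added example (not part of the reply above, nor any HPE/Aruba or ClearPass tool): a small Python audit that parses the "mac-authentication connection" output in the layout shown above and states, per session, whether the expected tagged VLAN was authorized, and if not, whether the cause is the "first frame arrived untagged" case described in the reply. The sample output is constructed: the first session is the one from the reply, the second is a hypothetical device whose first frame hit the PVID. Function and field names are my own; the parser assumes a single VLAN ID per "Authorization ... VLAN" field.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the session output shown above. The first
# session is the one from the reply (device sent VLAN 10 tagged first). The
# second is hypothetical: its first frame arrived untagged on the PVID, so the
# switch had nothing tagged to authorize; it is trimmed to the fields read below.
SAMPLE_OUTPUT = """\
Total connections: 2
Slot ID: 1
User MAC address: 8e8e-5395-0202
Access interface: Ten-GigabitEthernet1/0/2
Username: 8e8e53950202
User access state: Successful
Authentication domain: clearpass
Initial VLAN: 10
Authorization untagged VLAN: N/A
Authorization tagged VLAN: 10
Authorization ACL ID: N/A
Online from: 2021/08/25 15:13:24
Online duration: 0h 0m 5s
Slot ID: 1
User MAC address: 0000-1111-2222
Access interface: Ten-GigabitEthernet1/0/3
User access state: Successful
Initial VLAN: 1
Authorization untagged VLAN: N/A
Authorization tagged VLAN: N/A
"""

# "key: value" lines; the key is everything before the first colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<value>.*?)\s*$")

@dataclass
class MacAuthSession:
    mac: str
    interface: str
    state: str
    initial_vlan: Optional[int]
    auth_untagged_vlan: Optional[int]
    auth_tagged_vlan: Optional[int]

def _vlan(value: str) -> Optional[int]:
    """'N/A' means no VLAN was assigned; otherwise a single VLAN ID is assumed."""
    return None if value.upper() == "N/A" else int(value)

def _build(fields: Dict[str, str]) -> MacAuthSession:
    return MacAuthSession(
        mac=fields["User MAC address"],
        interface=fields["Access interface"],
        state=fields["User access state"],
        initial_vlan=_vlan(fields["Initial VLAN"]),
        auth_untagged_vlan=_vlan(fields["Authorization untagged VLAN"]),
        auth_tagged_vlan=_vlan(fields["Authorization tagged VLAN"]),
    )

def parse_sessions(text: str) -> List[MacAuthSession]:
    """One record per session. A new record starts when a key repeats (the next
    'Slot ID' / 'User MAC address'), so blank lines between sessions are not needed."""
    sessions: List[MacAuthSession] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key in current:
            sessions.append(_build(current))
            current = {}
        current[key] = value
    if "User MAC address" in current:
        sessions.append(_build(current))
    return sessions

def check_session(s: MacAuthSession, expected_tagged_vlan: int) -> List[str]:
    """Explain why a session did or did not get the expected tagged VLAN."""
    who = f"{s.mac} on {s.interface}"
    if s.state != "Successful":
        return [f"{who}: access state is {s.state!r}, nothing was authorized"]
    if s.auth_tagged_vlan == expected_tagged_vlan:
        return []  # tagged VLAN assigned as intended
    if s.auth_tagged_vlan is None and s.initial_vlan != expected_tagged_vlan:
        return [f"{who}: first frame arrived on VLAN {s.initial_vlan} (untagged/PVID), "
                f"so no tagged VLAN was authorized; the device must send VLAN "
                f"{expected_tagged_vlan} tagged before it authenticates"]
    if s.auth_tagged_vlan is None:
        return [f"{who}: initial VLAN matched but no tagged VLAN was authorized; "
                f"check the VLAN attributes ClearPass returns"]
    return [f"{who}: authorized tagged VLAN {s.auth_tagged_vlan} differs from "
            f"expected {expected_tagged_vlan}"]

def audit(text: str, expected_tagged_vlan: int) -> List[str]:
    """Run check_session over every parsed session and collect the findings."""
    return [f for s in parse_sessions(text) for f in check_session(s, expected_tagged_vlan)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT, 10):
        print(finding)
```

Feed it the real output (for example, pasted from a terminal session) with the VLAN you expect the port to carry tagged; a clean run returns no findings, and the "untagged/PVID" finding is the signature of an edge device that started talking before it was tagging.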
Original Message:
Sent: Aug 25, 2021 12:51 AM
From: Lawrence Manlapaz
Subject: Need to make dynamic trunk ports work on Comware 7 using ClearPass
Hello!
So, we have existing ClearPass enforcement profiles for Comware 7 switches to make dynamic ports work, but it is very generic (only IETF attributes) and only works when it is an access port, i.e. most users and current controller-based APs.
However, we are converting their APs from controller-based to Instant, which means we will convert their switchports to trunk. Our initial switchport config is that we put in the tagged VLANs along with the RADIUS-related config (so if users use that dynamic port, they still can). However, it does not work. What we can see is that it is still seeing it as an access port. NOTE: removing the config that makes the port dynamic makes the AP work as well.
During my travels in the interwebs searching for an answer, I have found:
- Comware 7 switches use "H3C" Attribute Type in ClearPass
- H3C can read attribute "AVPair" similar to Cisco
- In one of the CP guides, what they did is using the AVPair attribute, they sent back value: device-traffic-class=voice, and this apparently will let the switch know that this is a "voice device" and will assign whatever voice VLAN you statically configured in the port as tagged VLAN
- I have had a few reads online, and another value instead of device-traffic-class=voice is device-traffic-class=switch, and if the interwebs is to be believed, this will let the switch know that the supplicant is a "switch", converts the port into a trunk port, and uses your tagged VLANs statically configured on the port
Now I just wanted to ask if any of you had tried this during your networking travels?
If any of you also have alternatives I can use for this dilemma, feel free to post.