Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Assign more than one Tagged VLAN on a Switch Port

  • 1.  Assign more than one Tagged VLAN on a Switch Port

    Posted Nov 21, 2016 12:50 PM

    Hi all,


    I just ran into a problem, but so far I'm not sure if it is a bug in ClearPass, a configuration error or a limitation.


    What I try to achieve:

    I have an HPE AP which is configured for local bridging. So the static port config looks like: VL7 (untagged / management), VL 10-12 (tagged / SSID traffic)


    Now I want to assign all VLANs dynamically. So in ClearPass I created one Enforcement Profile per VLAN and bound them to my Enforcement Policy. After successfully authenticating my AP, the switch port only gets two VLAN IDs assigned: VL7 untagged and VL10 tagged. The other two VLANs are missing.

    In the AccessTracker output I can see that only the two VLANs are forwarded to the switch.


    As I read the RFC on the FreeRADIUS page (http://wiki.freeradius.org/vendor/HP#procurve-port-authentication-special-features_dynamic-vlan-assignment_rfc-4675-multiple-tagged-untagged-vlan-assignment), the Egress-VLANID attribute can be assigned more than once.

    "Times used = 1-*"


    Can anyone help me with this behavior?


    Thanks in advance, folks!



  • 2.  RE: Assign more than one Tagged VLAN on a Switch Port
    Best Answer

    EMPLOYEE
    Posted Nov 22, 2016 10:45 AM

    Not sure how you configured it, however when I try, I see the native VLAN and the tagged vlans assigned:


    hp2530# show port-access clients 3 detailed
    
     Port Access Client Status Detail
      Client Base Details :
       Port            : 3                     Authentication Type : mac-based
       Client Status   : authenticated         Session Time        : 90 seconds
       Client Name     : 94b40fcd0832          Session Timeout     : 10800 seconds
       MAC Address     : 94b40f-cd0832
       IP              : n/a
    
      Access Policy Details :
       COS Map         : Not Defined           In Limit Kbps       : Not Set
       Untagged VLAN   : 2
       Tagged VLANs    : 32, 34
       Port Mode       : 1000FDx
       RADIUS ACL List : No Radius ACL List
    
    hp2530# show version
    Image stamp:    /ws/swbuildm/rel_spokane_qt_qaoff/code/build/lakes(swbuildm_rel_spokane_qt_qaoff_rel_spokane_qt)
                    Aug 11 2016 15:32:10
                    YA.16.02.0010
    

    And this is how my response shows in Access Tracker: [screenshot: 2016-11-22 16_40_03-ClearPass Policy Manager - Aruba Networks.png]


    What I did do, and what might be the difference, is that I have a single enforcement profile for the tagged ports, HP-Tagged-VLANs, with the two VLANs in my lab inside. So two profiles in total.


    Related posts:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Egress-VLANID/m-p/76850

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Assign-Tagged-VLAN-via-Radius-attribute-using-quot-HP-Egress/m-p/260167


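What the switch output in the answer above shows (Untagged VLAN 2, Tagged VLANs 32, 34) is the result of several RFC 4675 Egress-VLANID attributes (IETF attribute type 56) in one Access-Accept, which is what the "Times used = 1-*" note in the question refers to. The value is a 32-bit integer: one octet tag indicator (0x31 = tagged, 0x32 = untagged), 12 zero padding bits, then the 12-bit VLAN ID. The following is an added example, not code from the thread, from ClearPass or from the switch firmware: it encodes the attributes for the lab in the answer and for the original poster's setup (VL7 untagged, VL10-12 tagged), then parses the raw attribute list back the way a switch would, rejecting malformed values. Function names are my own.

```python
"""RFC 4675 Egress-VLANID: encode one attribute per VLAN, then parse them back.

Added example for the thread above; not code from ClearPass, FreeRADIUS or
the switch. Attribute type 56 and the 0x31/0x32 indicators are from RFC 4675.
"""
import struct

EGRESS_VLANID = 56          # RFC 4675 IETF attribute type
EGRESS_VLAN_NAME = 58       # RFC 4675 string form: "1"/"2" + VLAN name
TAGGED = 0x31               # tag indicator octet '1'
UNTAGGED = 0x32             # tag indicator octet '2'


def encode_egress_vlanid(vlan_id, tagged):
    """32-bit value: 8-bit indicator | 12 zero bits | 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range: %d" % vlan_id)
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value):
    """Return (vlan_id, is_tagged); reject unknown indicators and non-zero padding."""
    indicator = (value >> 24) & 0xFF
    pad = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if indicator not in (TAGGED, UNTAGGED) or pad != 0 or vlan_id == 0:
        raise ValueError("malformed Egress-VLANID 0x%08x" % value)
    return vlan_id, indicator == TAGGED


def is_valid_egress_vlanid(value):
    try:
        decode_egress_vlanid(value)
        return True
    except ValueError:
        return False


def encode_egress_vlan_name(name, tagged):
    """Egress-VLAN-Name (type 58): leading '1' for tagged, '2' for untagged, then the name."""
    return ("1" if tagged else "2") + name


def build_accept_avps(untagged, tagged):
    """Raw RADIUS AVP bytes for an Access-Accept: one Egress-VLANID AVP per VLAN.

    Each AVP is Type (1 octet), Length (1 octet, 6 here), Value (4 octets)."""
    avps = bytearray()
    for vlan, is_tagged in [(untagged, False)] + [(v, True) for v in tagged]:
        avps += struct.pack("!BBI", EGRESS_VLANID, 6, encode_egress_vlanid(vlan, is_tagged))
    return bytes(avps)


def parse_port_vlans(avps):
    """Walk the AVP list like a switch would; return (untagged_vlan, sorted tagged list)."""
    untagged, tagged, i = None, set(), 0
    while i < len(avps):
        if i + 2 > len(avps):
            raise ValueError("truncated AVP header")
        atype, alen = avps[i], avps[i + 1]
        if alen < 2 or i + alen > len(avps):
            raise ValueError("bad AVP length")
        if atype == EGRESS_VLANID:
            if alen != 6:
                raise ValueError("Egress-VLANID value must be exactly 4 octets")
            (value,) = struct.unpack("!I", avps[i + 2:i + 6])
            vlan, is_tagged = decode_egress_vlanid(value)
            if is_tagged:
                tagged.add(vlan)
            elif untagged not in (None, vlan):
                raise ValueError("more than one untagged VLAN in the response")
            else:
                untagged = vlan
        i += alen                       # skip unrelated attributes untouched
    return untagged, sorted(tagged)


def lab_from_answer():
    """The answer's switch result: untagged 2, tagged 32 and 34."""
    return parse_port_vlans(build_accept_avps(2, [32, 34]))


def lab_from_question():
    """The poster's target: VL7 untagged, VL10-12 tagged, i.e. four AVPs."""
    return parse_port_vlans(build_accept_avps(7, [10, 11, 12]))


if __name__ == "__main__":
    print("answer lab:", lab_from_answer())        # (2, [32, 34])
    print("question setup:", lab_from_question())  # (7, [10, 11, 12])
    print("tagged VLAN 32 = 0x%08x" % encode_egress_vlanid(32, True))
```

Two practical points follow from this. First, a single enforcement profile carrying several Egress-VLANID values, as in the accepted answer, produces the same wire format as several profiles would; what matters is that every VLAN ends up as its own attribute in the Access-Accept, which is what Access Tracker should list. Second, the switch output above shows Authentication Type: mac-based, so whoever presents that MAC address on the port receives every VLAN in the response; a profile that hands out all the tagged SSID VLANs is worth binding to the narrowest policy condition available rather than to a broad MAC-auth fallback.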


  • 3.  RE: Assign more than one Tagged VLAN on a Switch Port

    Posted Nov 23, 2016 03:09 AM

    Hi Herman,


    Thanks for the hint! I have successfully tested it and it works.