Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Egress-VLANID

  • 1.  Egress-VLANID

    Posted May 16, 2013 04:33 PM

    Hello all,

     

    I'm working with CP to dynamically assign VLAN to switch ports, and I've run into a bit of a snag.  Assigning tagged VLANs to procurve switches requires the use of RFC 4675, but I seem to have a mismatch...

     

     

    1.  First, it seems as though HP RADIUS values that were present in v6.0 are not present in v6.1.


    2.  For IETF Egress-VLANID (56), HP documentation says "The value of Egress-VLANID is a bit string, the first 8 bits specify whether the VLAN is tagged or untagged and must be either 0x31 (tagged) or 0x32 (untagged). The next 12 bits are padding 0x000, and the final 12 bits are the VLAN ID as an integer value. For example the value to set VLAN 17 as a tagged egress VLAN would be 0x31000011"...

     

    However, ClearPass seems to only want unsigned integer values for that attribute... I'll attempt to use Egress-VLAN-Name, and see if I get a better result.



  • 2.  RE: Egress-VLANID

    Posted Mar 04, 2014 03:27 PM

    versatech, do you have an update to this? I seem to be running into the same thing. 



  • 3.  RE: Egress-VLANID

    Posted Mar 05, 2014 08:12 AM

    This may help but I have not gotten it to work yet. You can use RFC 3580 for the untagged and RFC 4675 for tagged VLANs.

     

    http://wiki.freeradius.org/vendor/HP#RFC-4675-(multiple-tagged/untagged-VLAN)-Assignment

     

     



  • 4.  RE: Egress-VLANID

    EMPLOYEE
    Posted Jul 11, 2016 10:03 AM

    What works is when you convert the hex value back into decimal...

    So, for VLAN 123, convert to hex, which is 0x07b (this tool will work: http://www.rapidtables.com/convert/number/decimal-to-hex.htm)

    Prepend 0x31000 for tagged, and get 0x3100007b.

     

    Now convert 0x3100007b back to decimal (use http://www.rapidtables.com/convert/number/hex-to-decimal.htm), which will result in 822083707.

     

    Use 822083707 as the value in your Hewlett-Packard-Enterprise:HPE-Egress-VLAN-ID attribute to return VLAN 123 tagged.

     
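    The encoding walked through in the post above (tag byte 0x31 tagged / 0x32 untagged, 12 zero padding bits, 12-bit VLAN ID, then the whole 32-bit word as a decimal integer), as an added Python example that is not from the thread or from HPE; it also decodes and validates a value so a mistyped integer in an enforcement profile can be caught before it reaches the switch.

```python
# Added example: RFC 4675 Egress-VLANID encoder/decoder for ClearPass
# enforcement profiles. Layout of the 32-bit value (per the HP doc quoted
# in the thread): [8-bit tag byte][12 bits zero padding][12-bit VLAN ID].
TAG_TAGGED = 0x31    # ASCII '1'
TAG_UNTAGGED = 0x32  # ASCII '2'


def egress_vlanid(vlan: int, tagged: bool = True) -> int:
    """Return the unsigned integer ClearPass expects for HPE-Egress-VLAN-ID."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID {vlan} out of range 1-4094")
    tag = TAG_TAGGED if tagged else TAG_UNTAGGED
    # Shift the tag byte into the top 8 bits; the 12 padding bits stay zero.
    return (tag << 24) | vlan


def decode_egress_vlanid(value: int) -> tuple[int, bool]:
    """Split a decimal attribute value back into (vlan_id, tagged).

    Raises ValueError for values that do not follow the RFC 4675 layout,
    e.g. a plain VLAN number typed into the attribute by mistake.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    tag = (value >> 24) & 0xFF
    padding = (value >> 12) & 0xFFF
    vlan = value & 0xFFF
    if tag not in (TAG_TAGGED, TAG_UNTAGGED):
        raise ValueError(f"tag byte 0x{tag:02x} is neither 0x31 nor 0x32")
    if padding != 0:
        raise ValueError(f"padding bits must be zero, got 0x{padding:03x}")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"decoded VLAN ID {vlan} out of range 1-4094")
    return vlan, tag == TAG_TAGGED


if __name__ == "__main__":
    # Reproduce the thread's example: VLAN 123 tagged -> 0x3100007b -> 822083707
    v = egress_vlanid(123, tagged=True)
    print(f"VLAN 123 tagged  : 0x{v:08x} = {v}")
    print(f"decoded back     : {decode_egress_vlanidv if False else decode_egress_vlanid(v)}")
    v2 = egress_vlanid(17, tagged=True)
    print(f"VLAN 17 tagged   : 0x{v2:08x} = {v2}")  # matches the doc's 0x31000011
```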



  • 5.  RE: Egress-VLANID

    Posted Dec 20, 2023 07:32 AM

    As the conversion for the values is very tedious, I have created a small website with JavaScript to generate a valid Enforcement Profile XML:

    You can enter the VLAN ID, choose if tagged/untagged and optionally add the device-mode port-mode as this is often used with APs.

    https://philipp-koch.net/cppm/rfc4675.html



    ------------------------------
    Philipp Koch | Senior Technical Consultant @ Bohnen IT | ACDX | ACEP | Germany
    ------------------------------



  • 6.  RE: Egress-VLANID

    EMPLOYEE
    Posted Dec 21, 2023 05:21 AM

    Thanks, that looks nice.

    BTW, I would recommend using Named VLANs for this purpose, as @Sietze Reitsma suggests in this post. It will make your policy much more readable than having these decimal VLAN values.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------