Wired Intelligent Edge


unauth vlan tagged on 2930F?

  • 1.  unauth vlan tagged on 2930F?

    Posted Sep 24, 2020 06:44 AM

    Hi everybody,

    Is there a way to configure a guest-vlan tagged to a MAC address? If I configure "aaa port-access local-mac unauth-vid 500", the mac-address is untagged in vlan 500, but I cannot find a way to configure the unauth-vid as tagged vlan.


    Any ideas?


    Thanks in advance 



  • 2.  RE: unauth vlan tagged on 2930F?

    Posted Sep 24, 2020 07:35 AM

    Why do you need tagged VLANS? Can you explain your use case?



  • 3.  RE: unauth vlan tagged on 2930F?

    Posted Sep 24, 2020 10:40 AM

    It is an offline setup, so we use local-mac authentication. On the normal client ports, everything works as expected. The access points need the client VLANs tagged. We do not want to leave the AP ports unauthenticated, because someone could unplug the AP and connect e.g. a notebook to it.

    By default, all ports are configured to a default VLAN and every client gets its VLAN config during the authentication process (by aaa local-mac profiles configured on the switch). This works with known WiFi and LAN clients, also with unknown LAN clients (-> guest VLAN), but not with unknown WiFi clients.



  • 4.  RE: unauth vlan tagged on 2930F?

    MVP GURU
    Posted Sep 24, 2020 02:12 PM

    Have you looked at critical / open VLANs?



  • 5.  RE: unauth vlan tagged on 2930F?

    EMPLOYEE
    Posted Oct 05, 2020 12:31 AM

    To my understanding, all wireless clients should be authenticated by the IAP and put into the correct VLAN by the IAP. There is no need to authenticate the client on the switch again. 

    In your case, the IAP should put clients into VLAN 500, not the switch. 

    At least if I understand your description/use case correctly. 



  • 6.  RE: unauth vlan tagged on 2930F?

    Posted Oct 05, 2020 05:59 AM

    Thanks for your replies!

    Yes exactly, the client will be authenticated twice - once by the access point and once by the switch port. This is because someone could unplug the AP from the switch and have access to the network, if the AP port does not have any authentication. I found a way to let the AP pass unknown MAC addresses to its untagged VLAN, so that the switch port can put it into the guest VLAN.

    Now everything works as expected.



  • 7.  RE: unauth vlan tagged on 2930F?
    Best Answer

    EMPLOYEE
    Posted Oct 05, 2020 08:49 AM

    Well, I think this would be the wrong order. First, you should authenticate the port with the IAP as well, but here you can assign the untagged management VLAN and the tagged user VLANs. Therefore, the guest VLAN is only available tagged if the IAP is connected.

    If you remove the IAP from the port, the port goes into the default state. 

    There is no need to double authenticate clients. 


    Have a look at this post, I did a write-up on AP authentication:

    https://www.flomain.de/2020/03/aruba-ap-authentication/
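
The approach the best answer describes, as an added example that is not part of the original thread or of the linked write-up: authenticate the AP itself with local MAC authentication and hand it an untagged management VLAN plus the tagged user and guest VLANs, so the tagged guest VLAN only exists on the port while a recognised AP is plugged in; anything else (a notebook plugged into the AP's port) falls back to the unauth VLAN. The VLAN IDs (10 for AP management, 20 for staff, 500 for guest), the profile and group names, the port range 1-24 and the OUI 00:0b:86 are constructed placeholders; substitute your own values. The command shapes follow ArubaOS-Switch local-mac syntax as used in the thread (`aaa port-access local-mac ... unauth-vid`), but this fragment has not been taken from the page and should be checked against the Access Security Guide for your firmware version before use.

```text
; --- constructed example, not from the thread ---
; VLANs: 10 = AP management (untagged on AP ports), 20 = staff (tagged), 500 = guest (tagged)
vlan 10
   name "AP-MGMT"
   exit
vlan 20
   name "STAFF"
   exit
vlan 500
   name "GUEST"
   exit

; Profile handed to an authenticated AP: untagged management VLAN, tagged user VLANs
aaa port-access local-mac profile "AP-PROFILE"
   vlan-untagged 10
   vlan-tagged 20,500
   exit

; MAC group matching the APs by vendor OUI (placeholder OUI; narrow to exact MACs if you can)
aaa port-access mac-group "AP-GROUP"
   mac-oui 00:0b:86
   exit

; Bind group to profile, then enable local MAC auth on the AP-facing ports
aaa port-access local-mac apply profile "AP-PROFILE" mac-group "AP-GROUP"
aaa port-access local-mac 1-24

; Unknown MAC on the port (e.g. a notebook replacing the AP) lands untagged in the guest VLAN
aaa port-access local-mac 1-24 unauth-vid 500
```

With this in place, the wireless guest traffic rides VLAN 500 tagged only because the AP authenticated; the switch does not need to authenticate the wireless clients a second time, which is the "no double authentication" point made above. Verify the result with `show port-access local-mac clients` after plugging in an AP and, separately, an unknown device.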