If you authenticate a device on a switch port with MAC authentication or 802.1X against a RADIUS server, you may need to place the port into more than one VLAN: one untagged VLAN and several tagged VLANs.

For this, the RADIUS server has to return some special attributes to the switch.
>> Here is a sample Enforcement Profile from HPE Aruba ClearPass Policy Manager:

>> Type: Radius
>> Action: Accept
Radius:IETF Session-Timeout = 10800
Radius:IETF Termination-Action = RADIUS-Request (1)
Radius:IETF Tunnel-Type = VLAN (13)
Radius:IETF Tunnel-Medium-Type = IEEE-802 (6)
Radius:IETF Tunnel-Private-Group-Id = 10
Radius:Hewlett-Packard-Enterprise HPE-Port-MA-Port-Mode = 1
Radius:Hewlett-Packard-Enterprise HPE-Egress-VLAN-ID = 822083684
Radius:Hewlett-Packard-Enterprise HPE-Egress-VLAN-ID = 822083685
Radius:Hewlett-Packard-Enterprise HPE-Egress-VLAN-ID = 822083686


>> The attribute Tunnel-Private-Group-Id sets the switch port to VLAN 10 untagged.

>> The HPE-Egress-VLAN-ID values look a bit strange. To get these values you have to calculate them as 0x31<000><VLAN-ID in hex>; this hex value then has to be converted to a decimal value, which is what the attribute needs:
-------- value: 822083684 means vlan 100 tagged
-------- value: 822083685 means vlan 101 tagged
-------- value: 822083686 means vlan 102 tagged
>>>>>> Use this calculator to get the value for a specific VLAN: https://computer2know.de/index.php?site=radius-vlan-hex-value
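The calculation above, as an added example (not code from the original page or from HPE/ClearPass): it encodes a VLAN ID into the decimal Egress-VLANID value and decodes such a value back, checking the padding bits and the VLAN range. It goes one step beyond the page by also handling the untagged tag indication 0x32, which RFC 4675 defines next to 0x31 for tagged; the function names are my own.

```python
# Added example, not from the original page: encode/decode the Egress-VLANID
# attribute value (RADIUS attribute 56, RFC 4675) that ClearPass shows in decimal.
# Layout of the 32-bit value, most significant byte first:
#   byte 0     : tag indication, 0x31 = tagged, 0x32 = untagged
#   bits 12-23 : zero padding (the "000" in 0x31<000><VLAN-ID in hex>)
#   bits 0-11  : VLAN ID (1..4094)
from typing import Tuple

TAGGED = 0x31
UNTAGGED = 0x32


def egress_vlan_id(vlan: int, tagged: bool = True) -> int:
    """Return the decimal Egress-VLANID value for one VLAN."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    tag = TAGGED if tagged else UNTAGGED
    return (tag << 24) | (vlan & 0xFFF)


def decode_egress_vlan_id(value: int) -> Tuple[int, bool]:
    """Split a decimal Egress-VLANID value back into (vlan, tagged).

    Rejects values that a switch would not accept: unknown tag byte,
    non-zero padding bits, or a VLAN ID outside 1..4094.
    """
    tag = (value >> 24) & 0xFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"unknown tag indication 0x{tag:02x}")
    if (value >> 12) & 0xFFF:
        raise ValueError("padding bits are not zero")
    vlan = value & 0xFFF
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    return vlan, tag == TAGGED


def explain(value: int) -> str:
    """Render a value in the same wording the page uses for its list."""
    vlan, tagged = decode_egress_vlan_id(value)
    mode = "tagged" if tagged else "untagged"
    return f"value: {value} (0x{value:08x}) means vlan {vlan} {mode}"


if __name__ == "__main__":
    # The three values from the Enforcement Profile above
    for v in (822083684, 822083685, 822083686):
        print(explain(v))
    # An untagged value for VLAN 10, the RFC 4675 counterpart of Tunnel-Private-Group-Id
    print(explain(egress_vlan_id(10, tagged=False)))
```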


>> The attribute HPE-Port-MA-Port-Mode is relevant for HPE ArubaOS switches, in case you want to set the port mode.

computer2know :: thank you for your visit :: have a nice day :: © 2024