This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Assigning two vlans to X440-port via 802.1X and Windows NPS

Assigning two vlans to X440-port via 802.1X and Windows NPS

mani
New Contributor

‎05-10-2019 07:48 AM

Hi,

I am currently configuring configuring 802.1X on all of our Switches. We have Cisco IP-phones and Desktop PCs that are connected via the phone to to the switch. The ports should be set to the voice vlan tagged and the production vlan untagged.
The problem i have is, that only the last entry on the NPS gets set on the port, and not both.

96585d660ea241b5af18dd077bed95c2_8d7ab365-cbf1-4ef3-8ad2-255feeffffb8.png


So in this case, Production gets assigned on the Port, but i actually want both options set. Does anyone have experiences with this and is there a way to solve this?

Thanks in advance!
0 Kudos
5 REPLIES 5

Ronald_Dvorak
Honored Contributor

‎05-10-2019 02:55 PM



From my experience most configure it to put the phone in a untagged VLAN and the PC as tagged but I don't see a problem to tag both.

You'd use whatever 802.1X auth the phone support, state of the art phones should support a lot of different methods e.g. PEAP, EAP-TLS.
In case nothing is supported you'd end up with just MAC auth..

-Ron
0 Kudos

mani
New Contributor

‎05-10-2019 08:49 AM



code:
create vlan nt_login
configure netlogin vlan nt_login
enable netlogin dot1x
enable netlogin ports 10 dot1x
configure radius netlogin primary server "server" client-ip "client" vr "VR-Default"
configure radius netlogin primary shared-secret ****
enable radius netlogin



I think currently only port-based-vlans is configured, i just used port10 as my testing port.
My first idea was to just authenticate the PC and then set the port to vlan VOIP and Production so PC and Phone is allowed. But by reading trough this, i think i need to authenticate the PC and the Phone and use both tagged? Or am i wrong.

edit:
I think i understand what mac-based-vlan does, but how does the authentication side on NPS work, because i want to authenticate the PC via Username or Certificate. And how do i do the phones?
0 Kudos

Tomasz
Valued Contributor II

‎05-10-2019 08:47 AM

@mani yes, after I wrote it I thought that I missed the point in your question. 😉
I think you should try Ron's suggestions as well.
Yet still working, VSA-based VLAN assignment is not used today I believe, depends on what version of EXOS do you use.

Kind regards,
Tomasz
0 Kudos

mani
New Contributor

‎05-10-2019 08:41 AM

@Tomasz
(oh you removed your reply)


ID 26 is not a VSA, i think 26 is just something NPS specific:

7d61fd045bc848db8c6d991bc82d9c14_11406347-83b8-4079-bbf5-60ce9c048a88.png



I followed this guide and prepending T or U in front of the VLAN differentiates between tagged, untagged:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-with-Radius-on-EXOS

I will try out RFC3580-based Tunnels now and see if that works.
0 Kudos
GTM-P2G8KFN