HP Procurve - Wired 802.1x setup

Got a somewhat complex setup requested for 802.1x on some HP ProCurves, and I am not sure if there is an ability to satisfy all the criteria. This is for my access switches.

Each switchport will be hosting multiple devices, mainly a phone (that can do 802.1x) and a PC behind that. Many of the PCs will have multiple virtual machines hosted on them that will require a level of network access. We have 3 VLANs to use:

VLAN 100 - Data. Requires port authentication. PCs will be utilizing a supplicant to authenticate for VLAN access.
VLAN 200 - Voice. It has been requested that, while the phones can do 802.1x, they do not want to set this up on each phone, as the password will be a manual process.
VLAN 300 - Guest. If the node does not authenticate, it will be placed in a guest network.


My biggest issue seems to be around the phone/voice VLAN. If it could be done by MAC, all phones will have the same leading 6 in their MAC address.
Asked by JamesonJendreas

Jakob Digranes (Senior Consultant) commented:
atrevido commented:
I actually have this set up. What RADIUS are you using? We are currently using Steel-Belted Radius and I am converting to Windows NPS. I push phones to VLAN 10 based on MAC address, OR for my newer Mitel phones I actually use a password, as it got easier than doing MAC addresses for every phone. We use Mitel VoIP and the 53xx series are able to do 802.1x passwords.

radius-server host 10.0.5.200
# I used to have two servers here, one primary, one backup
radius-server key "whatever password you want here"
radius-server dead-time 20

# For the below - this is for certificate and password authorizations. The command
# auth-vid 1 means that if you are authenticated using EAP you get VLAN 1; if not, you
# roll to MAC-based auth, see below

aaa authentication port-access eap-radius
aaa port-access authenticator
 A2-A4,A6-A16,A18,A20-A23,B1-B24,C1-C24,D1-D11,D13-D24,E1-E9,E11,E13-E24,F1-F24
aaa port-access authenticator A1 auth-vid 1
aaa port-access authenticator A1 logoff-period 432000
aaa port-access authenticator A1 client-limit 32
aaa port-access authenticator A2 auth-vid 1
aaa port-access authenticator A2 logoff-period 432000
aaa port-access authenticator A2 client-limit 32
aaa port-access authenticator A3 auth-vid 1
aaa port-access authenticator A3 logoff-period 432000
aaa port-access authenticator A3 client-limit 32
aaa port-access authenticator A4 auth-vid 1
aaa port-access authenticator A4 logoff-period 432000
aaa port-access authenticator A4 client-limit 32
aaa port-access authenticator A5 auth-vid 1
aaa port-access authenticator A5 logoff-period 432000
aaa port-access authenticator A5 client-limit 32
~~~~~ ~~~~~ removed for brevity ~~~ ~~~ ~~~
aaa port-access authenticator F22 auth-vid 1
aaa port-access authenticator F22 logoff-period 432000
aaa port-access authenticator F22 client-limit 32
aaa port-access authenticator F23 auth-vid 1
aaa port-access authenticator F23 logoff-period 432000
aaa port-access authenticator F23 client-limit 32
aaa port-access authenticator F24 auth-vid 1
aaa port-access authenticator F24 logoff-period 432000
aaa port-access authenticator F24 client-limit 32

aaa port-access authenticator active   <-- magic command to turn on and off 802.1x

# Below is MAC-based - if you DO NOT get authorized via MAC then you get pushed
# to VLAN 254, which is our Guest VLAN

aaa port-access mac-based
 A2-A4,A6-A16,A18,A20-A23,B1-B24,C1-C24,D1-D11,D13-D24,E1-E9,E11,E13-E24,F1-F24
aaa port-access mac-based A1 addr-limit 32
aaa port-access mac-based A1 logoff-period 432000
aaa port-access mac-based A1 auth-vid 1
aaa port-access mac-based A1 unauth-vid 254
aaa port-access mac-based A2 addr-limit 32
aaa port-access mac-based A2 logoff-period 432000
aaa port-access mac-based A2 auth-vid 1
aaa port-access mac-based A2 unauth-vid 254
aaa port-access mac-based A3 addr-limit 32
aaa port-access mac-based A3 logoff-period 432000
aaa port-access mac-based A3 auth-vid 1
aaa port-access mac-based A3 unauth-vid 254
aaa port-access mac-based A4 addr-limit 32
aaa port-access mac-based A4 logoff-period 432000
aaa port-access mac-based A4 auth-vid 1
aaa port-access mac-based A4 unauth-vid 254
~~~~~ ~~~~~ removed for brevity ~~~ ~~~ ~~~
aaa port-access mac-based G20 addr-limit 32
aaa port-access mac-based G20 logoff-period 432000
aaa port-access mac-based G21 addr-limit 32
aaa port-access mac-based G21 logoff-period 432000
aaa port-access mac-based G22 addr-limit 32
aaa port-access mac-based G22 logoff-period 432000
aaa port-access mac-based G23 addr-limit 32
aaa port-access mac-based G23 logoff-period 432000
aaa port-access mac-based G24 addr-limit 32
aaa port-access mac-based G24 logoff-period 432000
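As an added example (not code from this thread or from HP), a small Python helper that generates the repetitive per-port authenticator and mac-based lines from atrevido's config for the asker's three VLANs, and models the RADIUS-side decision the asker wants for phones by OUI. VLAN ids 100/200/300 come from the question; the phone OUI, port lists and MAC addresses are constructed placeholders, and the ProCurve command syntax is copied from the answer above.

```python
import re

# Constructed values from the thread: VLAN 100 data, 200 voice, 300 guest; "001122" is a placeholder OUI.
DATA_VID, VOICE_VID, GUEST_VID = 100, 200, 300
PHONE_OUIS = {"001122"}
CLIENT_LIMIT, LOGOFF_PERIOD = 32, 432000

def expand_ports(spec: str) -> list[str]:
    """Expand a ProCurve port list such as 'A2-A4,A6,B1-B24' into single ports."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if hi:
            ports += [f"{lo[0]}{n}" for n in range(int(lo[1:]), int(hi[1:]) + 1)]
        else:
            ports.append(lo)
    return ports

def render_config(spec: str) -> list[str]:
    """Emit the repeated per-port lines from the answer with the thread's VLAN ids."""
    lines = ["aaa authentication port-access eap-radius",
             f"aaa port-access authenticator {spec}",
             f"aaa port-access mac-based {spec}"]
    for p in expand_ports(spec):
        lines += [f"aaa port-access authenticator {p} auth-vid {DATA_VID}",
                  f"aaa port-access authenticator {p} logoff-period {LOGOFF_PERIOD}",
                  f"aaa port-access authenticator {p} client-limit {CLIENT_LIMIT}",
                  f"aaa port-access mac-based {p} addr-limit {CLIENT_LIMIT}",
                  f"aaa port-access mac-based {p} logoff-period {LOGOFF_PERIOD}",
                  f"aaa port-access mac-based {p} auth-vid {DATA_VID}",
                  f"aaa port-access mac-based {p} unauth-vid {GUEST_VID}"]
    lines.append("aaa port-access authenticator active")  # turns 802.1X on
    return lines

def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC or 001122aabbcc; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def decide_vlan(eap_ok: bool, mac: str) -> int:
    """Model of the thread's policy: EAP success -> data VLAN; else a phone OUI -> voice VLAN; else guest.
    Caveat: an OUI match only proves six hex digits any host can set, so treat it as convenience, not proof."""
    if eap_ok:
        return DATA_VID
    if normalize_mac(mac)[:6] in PHONE_OUIS:
        return VOICE_VID
    return GUEST_VID
```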