
HP ProCurve 802.1X Configuration Example

For example, IP phone configuration. The other downside to 802.1X auth is that it did not (originally) have support to pass back info to a switch to put a port 'tagged' into a VLAN. RFC-4675 added that functionality, but Microsoft doesn't support it at all; I have been asking them for 2 yrs for it. ProVision ASIC switches from HP-ProCurve have.

ProCurve switches (=2600) can run 802.1X authentication concurrently with either Web-Based or MAC-Based authentication on the same port, though Web-Based and MAC-Based authentication cannot be used together. When multiple port-access mechanisms are used, 802.1X-based authentication always takes priority.

802.1X is an open-standards protocol used to authenticate network clients on a user-ID basis. This post describes how to configure 802.1X on an HP ProCurve switch and authenticate against a Windows 2008 R2 NPS (RADIUS) server. Open VLAN mode will be used; this involves creating an 'Authorized' and an 'Un-Authorized' VLAN.

This post is a sample configuration of an 802.1X WPA2/AES WLAN service on the HP Unified Wireless platform. This configuration assumes:

  • Central authentication: the AP forwards all 802.1X over the LWAPP tunnel to the Access Controller (AC). The AC is the RADIUS client.
  • Central forwarding: the AP forwards all user data over the LWAPP tunnel to the.

About VLANs

VLANs are a method for segmenting a network into related groups, improving the efficiency of traffic flow and limiting the propagation of multicast and broadcast messages. Traffic between VLANs is blocked unless the VLANs are connected by a router, increasing security.

A VLAN is a group of ports designated by the switch as belonging to the same broadcast domain. That is, all ports carrying traffic for a particular subnet address would belong to the same VLAN. Using a VLAN, you can group users by logical function instead of physical location. This helps to control bandwidth usage by allowing you to group high-bandwidth users on low-traffic segments and to organize users from different LAN segments according to their need for common resources. You can use the switch's console interface to configure up to 30 port-based, IEEE 802.1Q-compliant VLANs. This enables you to use the same port for two or more VLANs and still allows interoperation with older switches that require a separate port for each VLAN.

About GVRP

The GARP VLAN Registration Protocol (GVRP) is an 802.1Q-compliant method for facilitating automatic VLAN membership configuration. GVRP-enabled switches can exchange VLAN configuration information with other GVRP-enabled switches. Unnecessary broadcast traffic and unicast traffic also can be reduced.

Policy rules or other network management methods can determine who is admitted to a VLAN. When a node requests admission to a specific VLAN, GVRP handles the registration of the node with GVRP-enabled switches and maintains that information.

The GVRP protocol is described in the IEEE 802.1p standard.

For a more detailed description of how to use and configure VLANs, refer to the Management and Configuration Guide for your switch.

Devices supported:

  • HP ProCurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M
  • HP ProCurve Series 2400 switches (2512 and 2524)
  • HP ProCurve Series 4100GL switches (4104GL and 4108GL)
  • HP ProCurve Series 5300XL switches (5304XL and 5308XL)

Note: If a switch is a Commander, the Stack options will appear at the top of the page.

Note: When multiple VLANs exist on a switch, only one VLAN can be untagged for each port. (In the default configuration, this is VLAN 1, the DEFAULT_VLAN.) When you add a second VLAN to a switch, the default setting on that VLAN is No for all ports. Using the Web browser interface, if you then reconfigure a port to Untagged for a new VLAN while there is an Untagged setting on another VLAN for the same port, the switch automatically reconfigures the other VLAN setting to No. For example, if you configure Port A1 as Untagged for the 2nd VLAN, then the switch automatically reconfigures DEFAULT_VLAN for port A1 as No.

The Primary VLAN

Because certain features and management functions, such as single IP-address stacking, run on only one VLAN in the switch, and because DHCP and Bootp can run per-VLAN, there is a need for a 'dedicated management VLAN' to ensure that multiple instances of DHCP or Bootp on different VLANs do not result in conflicting configuration values for the switch. The primary VLAN is the VLAN the switch uses to run and manage these features and data. In the factory-default configuration, the switch designates the default VLAN (DEFAULT_VLAN) as the primary VLAN. However, to provide more control in your network, you can designate another VLAN as primary. To view the primary VLAN setting, use the VLAN Information screen in the menu interface or the SHOW VLANS command in the CLI. To change the primary VLAN setting, use the VLAN Information screen in the menu interface or the PRIMARY VLAN command in the CLI.

How To...

Access the VLAN Configuration Page from HP TopTools

  1. Click on the Devices button in the navigation frame.
  2. Select Device Types from the menu.
  3. Select Networking Devices.
  4. Double-click on the device in the device list.
  5. In the Status page click on the Configuration tab. The device's configuration page displays.
  6. Select the VLAN Configuration button. The VLAN Configuration page displays.

Access the VLAN Configuration page using the Web Agent

  1. Click on the Configuration tab.
  2. Select the VLAN Configuration button. The VLAN Configuration page displays.

Assign Ports to a VLAN

From the Main menu of the switch console:

  1. Select 2. Switch Configuration
  2. Select 7. VLAN Menu
  3. Select 3. VLAN Port Assignment
  4. Select Edit
  5. Use the space bar to toggle through the possible configuration values for each port.

Add a VLAN

  1. Click on the Add/Remove VLANs button at the bottom of the table in the VLAN Configuration page. The Add/Remove VLAN page displays.
  2. Enter a name for the new VLAN in VLAN Name field below the Current VLAN Definitions list box.
  3. Enter the 802.1Q ID (an unused number between 1 and 4094) in the field labeled 802.1Q VLAN ID.
  4. Click on the Add VLAN button. The VLAN appears in the Current VLAN Definitions box.

Rename a VLAN

  1. Click on the Add/Remove VLANs button at the bottom of the table in the VLAN Configuration page. The Add/Remove VLAN page displays.
  2. Select the VLAN to be renamed from the Current VLAN Definitions list.
  3. Enter a name for the selected VLAN in the New VLAN Name field.
  4. Click on the Rename Selected VLAN button to save the new name.

Remove a VLAN

  1. Click on the Add/Remove VLANs button at the bottom of the table in the VLAN Configuration page. The Add/Remove VLAN page displays.
  2. Select the VLAN to remove from the Current VLANS box.
  3. Click on the Remove Selected VLAN button.
  4. Confirm removal of the VLAN.

Modify Port VLAN Configuration

To modify ports in a VLAN:

  1. In the VLAN table, click on the Modify button for the VLAN whose ports you want to modify. The Modify Port VLAN Configuration page displays.
  2. Select the port to be modified.
  3. Select the Mode, for example, Tagged.
  4. Click on the Apply button.

The modes are:

  • Tagged - When a port is tagged for a VLAN, it carries that VLAN's frames with an 802.1Q tag, which lets the port belong to several VLANs at once.
  • Untagged - When a port is untagged, it can be an untagged member of only one VLAN.
  • No - The port is not a member of that VLAN.
  • Forbid - The port is 'forbidden' to join that VLAN.
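As an added example (not HP's code or the help page's own), here is a small Python model of the port membership modes listed above that enforces the one-untagged-VLAN-per-port rule from the Note, together with a strict decoder for the RFC 4675 Egress-VLANID attribute that the introduction mentions for tagged VLAN assignment from a RADIUS server. The VLAN IDs and the port name A1 are constructed.

```python
from enum import Enum

class Mode(Enum):
    TAGGED = "Tagged"
    UNTAGGED = "Untagged"
    NO = "No"
    FORBID = "Forbid"

class PortVlanTable:
    """Per-(port, VLAN) membership; pairs not listed default to No."""
    def __init__(self, vlan_ids):
        self.vlans = set(vlan_ids)
        self.member = {}

    def mode(self, port, vid):
        return self.member.get((port, vid), Mode.NO)

    def set_mode(self, port, vid, mode):
        if vid not in self.vlans:
            raise ValueError(f"VLAN {vid} is not defined on the switch")
        if mode is Mode.UNTAGGED:
            # Only one VLAN may be untagged per port, so the switch flips the
            # port's previous untagged membership to No (the Note above).
            for (p, v), m in list(self.member.items()):
                if p == port and v != vid and m is Mode.UNTAGGED:
                    self.member[(p, v)] = Mode.NO
        self.member[(port, vid)] = mode
        return mode

def decode_egress_vlanid(value):
    """Decode a 4-octet RFC 4675 Egress-VLANID: octet 0 is the tag
    indicator (0x31 tagged, 0x32 untagged), then 12 zero pad bits, then
    the 12-bit VLAN ID. Returns (tagged, vid); ValueError if malformed."""
    if len(value) != 4:
        raise ValueError("Egress-VLANID must be exactly 4 octets")
    v = int.from_bytes(value, "big")
    tag, pad, vid = v >> 24, (v >> 12) & 0xFFF, v & 0xFFF
    if tag not in (0x31, 0x32) or pad != 0 or not 1 <= vid <= 4094:
        raise ValueError(f"malformed Egress-VLANID 0x{v:08x}")
    return tag == 0x31, vid

def apply_egress_vlanid(table, port, value):
    """Apply a RADIUS-returned Egress-VLANID to a port once it is authorized."""
    tagged, vid = decode_egress_vlanid(value)
    return table.set_mode(port, vid, Mode.TAGGED if tagged else Mode.UNTAGGED)

if __name__ == "__main__":
    t = PortVlanTable([1, 20, 30])      # constructed: DEFAULT_VLAN plus two more
    t.set_mode("A1", 1, Mode.UNTAGGED)  # factory default: A1 untagged in VLAN 1
    apply_egress_vlanid(t, "A1", bytes([0x32, 0, 0, 20]))  # untagged in VLAN 20
    apply_egress_vlanid(t, "A1", bytes([0x31, 0, 0, 30]))  # tagged in VLAN 30
    print({v: t.mode("A1", v).value for v in (1, 20, 30)})
```

Applying the untagged VLAN 20 assignment flips A1's DEFAULT_VLAN membership to No, exactly as the Note describes for the Web interface.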

Enable GVRP and (Optionally) Change the GVRP Mode for a Port

The VLAN table includes a GVRP Enabled check box. If a check appears in this box, GVRP is enabled and the GVRP Mode button is active. To enable GVRP and view the current GVRP mode assignments for individual ports:

  1. In the VLAN table, click on the GVRP Enabled check box to activate the GVRP Mode button.
  2. In the VLAN table, click on the GVRP button to display the GVRP Mode page.
  3. Select the ports for which you want to assign a different GVRP mode. Hold down the Shift key to select multiple ports.
  4. In the drop-down list box, select the mode. The choices are:
    • Learn - The port will join the advertised VLAN and propagate a VLAN join request through all other forwarding ports that are participating in GVRP.
    • Disable - GVRP is disabled for this port.
    • Block - The port will not join the advertised VLAN and will not propagate any VLAN joins for the advertised VLAN. GVRP is totally blocked for this port.
  5. Do one of the following:
    • To save your changes and return to the VLAN table, click on the Apply button.
    • To return to the VLAN table without saving any changes, click on the Cancel button.

Related Topics

VLAN operation with:

  • Spanning Tree (STP and RSTP)
  • IP Multicast (IGMP)

Copyright © 2001-2002 by Hewlett-Packard Company

How to enable RADIUS switch login authentication on an HP switch

This article provides a general overview of how to use Windows domain usernames and passwords to log on to your HP switch.

It assumes you have a basic knowledge of Microsoft's implementation of RADIUS, Network Policy Server (NPS).

Switch configuration

Configure the RADIUS server settings on the switch (and configure the Microsoft NPS RADIUS server with a matching key).

Put the following configuration on the switch

Windows NPS / RADIUS Configuration

Set up your RADIUS server to allow the auth requests

I normally create a group in Active Directory, called NetworkAdmins, and then add the users who will be maintaining the switches to that group.

Add the switch as a client to NPS - I like to prefix all my switches with SW- so that I can reference all switches when I create policies

Match the shared secret with the key you created on the switch earlier

Then the trick that makes it work: you are returning an attribute here.

Note: you may have to change the source IP address so that the switch sources the RADIUS requests from the correct IP address.

How to change the source IP address on an HP Provision switch
