Configuring NPS with dynamic VLAN assignment based on 802.1x authentication on 3com(HP) switches

  • Question

  • Hi,

    I have several questions about implementing dynamic VLAN assignment based on 802.1x authentication on 3com switches - I hope it is the right place to ask. I'd be very glad to receive any kind of help; believe me, I've already tried to read any relevant material, but I still can't understand a few very basic things.

    My goal is to create several VLANs (for example: Servers, Laptops, Devices), and when a user logs in with his domain credentials he will be put in the right VLAN (let's say the Laptops VLAN). I don't want to assign those ports statically, because they often move from one office to another. I know this could be achieved by using the NPS server, which will authenticate those users. As for devices, they will be assigned by their MAC address (or in any other way which you can recommend; this is the only way I know).

    Bottom line is that I need to enable communication for any device that is connected to the switch, which does not depend on the port that it is plugged into.

    1. Should the VLANs be configured as MAC-based or port-based?

    2. Should I assign all ports on the switch to all VLANs I've created? How does it work?

    Thanks a lot for your help,

    Lena.

    • Moved by Aiden_Cao Friday, November 30, 2012 5:40 AM more appropriate (From:Network Infrastructure Servers)
    Tuesday, November 27, 2012 3:02 PM


All replies

  • Hi Leonora,

    As you mentioned, one way to achieve this is by using 802.1x network authentication. In fact it works as follows. You have three different components.

    Supplicant: Windows / Windows Phone / iOS / Android / etc...
    Authenticator: Switch / Wireless Access Point
    Authentication Server: Microsoft NPS (Network Policy Server)

    In fact, the supplicants communicate with 802.1x to and from the authenticator. The authenticator communicates with RADIUS to and from the authentication server. Simply said, the supplicants authenticate against the authentication server, whereas your authenticator is in between. But this offers you more than only network authentication. In NPS you can configure so-called Connection Request Policies and Network Policies. These policies allow you to instruct your authenticator (e.g. your 3Com switch) to dynamically assign the supplicant to a certain VLAN. There are different options to configure this.

    I know 802.1x enough, but not enough to tell you all options. One thing to keep in mind is this. Not all switches support the dynamic VLAN assignment. For example, I now have a Cisco Small Business Wireless Access Point that allows 802.1x authentication, but apparently does not support dynamic VLAN assignment on it. So that is really a thing to have a look at.

    I hope this information is useful to you.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Wednesday, November 28, 2012 3:27 PM
  • Hi Boudewijn!

    Thanks a lot for your reply.

    I do understand the basic concept of the solution infrastructure and how to implement it in general; I think that the most confusing part for me is the switch configuration. Actually, I'm really not sure if it supports dynamic VLAN assignment or not. Do you have any advice on how I can verify this?

    I read the manual (3Com 2928) and I saw that I have the option to configure 802.1x ports as MAC-based or port-based. Should I also have a dynamic option? Where is this configured? Maybe you know a better place to ask?

    Thanks again,

    Lena.

    Thursday, November 29, 2012 7:32 AM
  • I actually don't know. I'm not that long into the 802.1x area yet. That is one thing that I am questioning myself as well. I think it is best that you ask the vendor.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Thursday, November 29, 2012 7:53 AM
  • Hi,

    Thanks for your post.

    In order to use a network policy to assign users to a VLAN, you need to use VLAN-aware network hardware. It appears that your device supports creating VLANs. Generally, unmanaged switches will not support dynamic VLAN assignment with NPS.

    For more detailed information about configuration, please refer to the following article. Hope it helps.

    Configure a Network Policy for VLANs

    http://technet.microsoft.com/en-us/library/cc772124(v=ws.10).aspx

    VLAN Attributes Used in Network Policy

    http://technet.microsoft.com/en-us/library/cc754422(v=ws.10).aspx

    Best Regards,

    Aiden


    Aiden Cao
    TechNet Community Support

    • Proposed as answer by Aiden_Cao Tuesday, December 4, 2012 1:52 AM
    • Marked as answer by Aiden_Cao Wednesday, December 5, 2012 2:07 AM
    Friday, November 30, 2012 6:11 AM
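The mechanism both replies describe (the NPS Network Policy handing a VLAN back to the switch inside the RADIUS Access-Accept, and the VLAN attributes the second linked article covers), as an added example in Python. This is not code from the thread, from NPS or from 3Com; the attribute numbers and values are the ones defined in RFC 2868 and RFC 3580 (Tunnel-Type 64 with value VLAN = 13, Tunnel-Medium-Type 65 with value IEEE-802 = 6, Tunnel-Private-Group-ID 81 carrying the VLAN ID), while the VLAN numbers, the function names and the switch-side acceptance rules are constructed for the example.

```python
"""Encode and decode the RADIUS attribute set used for dynamic VLAN assignment.

Added example, not from the thread. Attribute numbers and values follow
RFC 2868 / RFC 3580; sample VLAN IDs and helper names are constructed.
"""
import struct
from typing import List, Optional, Tuple

# RFC 2868 tunnel attributes that RFC 3580 reuses for 802.1X VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type value "IEEE-802"


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: one byte type, one byte length (incl. header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Attributes an NPS Network Policy returns to put the port in VLAN `vlan_id`.

    Tunnel-Type and Tunnel-Medium-Type are a tag octet plus a 3-octet integer;
    Tunnel-Private-Group-ID is a tag octet plus the VLAN ID as a string.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..0x1F")
    tag_byte = struct.pack("!B", tag)
    return (
        encode_attribute(TUNNEL_TYPE, tag_byte + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        + encode_attribute(TUNNEL_MEDIUM_TYPE, tag_byte + struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
        + encode_attribute(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii"))
    )


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list; reject truncated or zero-length attributes."""
    attrs = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2 : i + length]))
        i += length
    return attrs


def split_tag(value: bytes) -> Tuple[int, bytes]:
    """RFC 2868: a leading octet of 0x00..0x1F is a tunnel tag, otherwise it is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(blob: bytes) -> Optional[int]:
    """The authenticator's (switch's) side: decide which VLAN an Access-Accept names.

    Returns the VLAN ID only when all three attributes are present, belong to the
    same tunnel tag and describe an IEEE 802 VLAN. Otherwise returns None so the
    caller leaves the port in its default (or guest) VLAN instead of guessing.
    """
    tunnel_type = medium = group = None
    tags = set()
    for attr_type, value in parse_attributes(blob):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
            tags.add(value[0])
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
            tags.add(value[0])
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, group = split_tag(value)
            tags.add(tag)
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802 or group is None:
        return None
    if len(tags) != 1:  # attributes under different tunnel tags do not form one assignment
        return None
    try:
        vlan = int(group.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None  # some switches also accept a VLAN name here; this example takes numeric IDs only
    return vlan if 1 <= vlan <= 4094 else None


if __name__ == "__main__":
    # Constructed sample: NPS policy for the "Laptops" group returns VLAN 20
    accept = build_vlan_attributes(20)
    print(accept.hex(), "->", vlan_from_accept(accept))
```

The decode side is where the thread's open question lives: whether a given switch honours dynamic assignment is exactly whether it implements this parse of the Access-Accept and moves the port accordingly, which is why the replies point at the vendor's documentation. The strict checks (all three attributes, matching tag, IEEE-802 medium, numeric ID in range) mirror what a well-behaved authenticator does, and they are worth keeping in mind when troubleshooting: a policy that returns only Tunnel-Private-Group-ID, or returns it under a different tag than the other two, will leave the port in its default VLAN without an obvious error.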