Configuring Dynamic VLAN assignment on ProCurve switches

Introduction

The information contained in this post describes how to configure an HP ProCurve switch and Windows 2008 R2 NPS RADIUS server to authorise and assign users dynamically into specific VLANs.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configure VLANs

Create VLANs, define IP address and IP helper-address

VLAN 30

name “VLAN30”

ip address 192.168.30.1 255.255.255.0

ip helper-address 192.168.20.20

VLAN 40

name “VLAN40”

ip address 192.168.40.1 255.255.255.0

ip helper-address 192.168.20.20

Configure RADIUS/802.1x

Define RADIUS server IP address and shared secret

radius-server host 192.168.20.20 key secret12

Configure 802.1x authentication type

aaa authentication port-access eap-radius

Configure ethernet ports 1-2 as authenticator ports

aaa port-access authenticator 1-2

Activates 802.1x port-access authentication on ports

aaa port-access authenticator active

Create Active Directory Groups

Authentication to the individual VLANs will be by Active Directory group membership for user or computer, therefore we need to create the appropriate the groups for use later in the NPS radius server policy.

Add a user to each of the groups

Windows 20008 R2 NPS (RADIUS) Configuration

Create an appropriately named NPS Policy to authorise users for each VLAN

Configure a “Condition” of Windows Group value of DOMAINNAME\GroupName

Configure the “Authentication Methods” as “Microsoft: Protected EAP (PEAP)”

Configure “RADIUS Attributes”

Tunnel-Medium-Type = 802

Tunnel-Pvt-Group-ID = VLAN Name or VLAN ID e.g “VLAN30” or “30”

Tunnel-Type = Virtual LANs (VLAN)

Configure Windows 7 computer to authenticate

Open Windows services and change the startup type of the service “Wired AutoConfig” to Automatic. Click Start service

Open “Network and Sharing Center”. Click “Change adapter settings”

Click “Local Area Connection” > “Properties” > “Authentication”

Ensure “Enable IEEE 802.1x authentication” is ticked

Ensure “Microsoft: Protected EAP (PEAP)” is selected from the dropdown box. Click Settings

If the client computers do not have a trusted root certificate un-check the tick box “Validate server certificate”. If you do have an internal CA and all client computers have the root CA in the computer certificate store leave checked.

If the client computer is not joined to the domain and you wish to prompt for authentication, select “Configure” and un-check “Automatic use my Windows logon….”

The steps above can also be configured via Group Policy

Testing

Connect a computer to a port configured for authentication

If using a non-domain joined computer and you have previously un-checked the tick box “Automatic use my Windows logon….” a balloon will appear “Additional information is needed to connect to this network”. Click the balloon and enter your domain credentials.

If you are on a domain joined computer, the authentication will be transparent to the user (you will not see the prompt for authentication as above).

From the switch, the command “Show port-access authenticator” will display useful troubleshooting information

When a user account is a member of “VLAN30” windows group, they will be authorised on the RADIUS server and the port will be dynamically assigned to VLAN 30.

If the user is successfully authenticated and is a member of “VLAN40” group the port would be dynamically assigned to VLAN 40.

5 thoughts on “Configuring Dynamic VLAN assignment on ProCurve switches”

  1. Hi There

    We have some IP Phones that we would like to automatically assign to a VLAN based on their MAC Address. How is this achieved. However so it is any other device, other than the list mac address, assign it to the default VLAN?
    Thanks

    1. Hi Ryan, not tried it but you can authenticate by MAC address

      “aaa port-access mac-based ”
      “aaa port-access mac-based [auth-vid ]” << VLAN for ip phones
      "aaa port-access mac-based [unauth-vid ]” << VLAN for machines that fail authentication

      Potentially another way of doing it would be to configure the ip phones with in a tagged vlan…..configure each port on the switch with a tagged vlan for voip and an untagged vlan for all other machines.

      HTH

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s