Assistance with VLAN Tagging Issue on Aruba 2930F and packetfence v14 #8396

Open
farbodfjs opened this issue Nov 21, 2024 · 1 comment

farbodfjs commented Nov 21, 2024

Hello,

We are facing the following situation:

I have an Aruba 2930F switch where I can successfully authenticate users, printers, and other devices.

I want to enable 802.1X on a switchport connected to my Meraki access point. Authentication for the access point itself works correctly. Additionally, I can authenticate wireless users connected to the Meraki access points via PacketFence, and users receive the correct VLAN ID from PacketFence.

However, the problem begins here:

  • The wireless user authenticated via PacketFence should belong to VLAN 10.
  • The switchport where the access point is connected is also authenticated and correctly placed in VLAN 60.
  • Unfortunately, no other VLAN tagging is allowed on this port (I don't know how to permit VLAN tagging), so the wireless client does not receive an IP address in VLAN 10.

Is there a way to configure PacketFence to allow other VLAN tagging on the switchport connected to the access point?

Or am I misunderstanding this setup? Should the switch be configured to allow other VLAN tags once the access point authentication is successful?

Here is the port config:

```
interface 2/7
   tagged vlan 10
   untagged vlan 1
   no snmp-server enable traps link-change
   aaa port-access authenticator
   aaa port-access authenticator reauth-period 28800
   aaa port-access authenticator client-limit 32
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 32
   aaa port-access mac-based addr-moves
   aaa port-access mac-based reauth-period 3600
   aaa port-access mac-based unauth-vid 1
   aaa port-access controlled-direction in
   spanning-tree admin-edge-port
   spanning-tree bpdu-protection
   exit
```

Thank you for your assistance.

Best regards,
Farbod

@farbodfjs (Author)

By the way, everything works if I deactivate dot1x on the switchport connected to the Meraki access point, which means the users land in the correct VLAN ID 10 with tags and get an IP address.
However, I would also like to secure the port with dot1x.
