Configure 802.1x auth on 7150 stacks

david_levine — Fri, 25 Jun 2021 20:48:59 GMT

I need to get 802.1x auth configured on all of our ICX 7150 switches, and am reading through the documentation trying to learn. I came across this in the Security Guide/Flexible Authentication section:

"Before authentication is enabled on a port, the port can belong to any VLAN, including the system default VLAN. The only restriction is that the port cannot be a part of any VLAN as untagged."

Am I understanding this correctly? No ports can have an untagged VLAN on them at all?

As it stands today, all ports on our "IDF" or "Access" switches (switches that provide the end users ports to plug into), are unstagged on VLAN 1 and tagged on VLAN 333. VLAN 1 is what our main IP network is on... client machines, some servers, etc. VLAN 333 is used for our Mitel phone system and IP phone sets. So, if a Mitel IP phone is plugged into a port, it will get some DHCP options passed to it that will get it on the 333 VLAN (tagged) and the computer pass-through port on the back of the phone stays untagged on VLAN 1.

I am having a hard time understanding how this will work if we can't have VLAN 1 untagged on our ports?

Here is an example switch config currently;

ver 08.0.95bT213
!
stack unit 1
module 1 icx7150-24p-poe-port-management-module
module 2 icx7150-2-copper-port-2g-module
module 3 icx7150-4-sfp-plus-port-40g-module
stack-port 1/3/1
stack-port 1/3/3
!
!
global-stp
!
!
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
spanning-tree
!
vlan 25 name Honeywell by port
tagged ethe 1/3/1 to 1/3/4
!
vlan 101 name NAC_Corp1_WLAN_101 by port
tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4
!
vlan 106 name NAC_Warehouse_WLAN_106 by port
tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4
!
vlan 107 name NAC_Employee_Phone_WLAN_07 by port
tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4
!
vlan 108 name "Ruckus AP" by port
tagged ethe 1/3/3
untagged ethe 1/1/21
!
vlan 333 name "voip vlan" by port
tagged ethe 1/1/1 to 1/1/20 ethe 1/1/22 to 1/1/24 ethe 1/3/1 to 1/3/4
!
!
!
!
!
!
!
!
!
aaa authentication login default local
enable aaa console
hostname "IDF EXP OFFICE"
ip dns server-address 8.8.8.8
ip route 0.0.0.0/0 190.1.200.235
!
telnet timeout 10
no telnet server
!
!
!
!
!
!
ntp
server ntp.ruckuswireless.com
!
!
!
!
manager registrar
manager registrar-list 34.66.194.73 34.66.194.74
manager active-list 34.66.194.74 34.66.194.73
!
manager port-list 987
!
!
!
!
!
!
!
!
!
interface management 1
disable
!
interface ve 1
ip address 190.1.5.51 255.255.0.0
!
!
!

!
!
!
!
!
!
!
!
!
!
!
end

Re: Configure 802.1x auth on 7150 stacks

hashim_bharooc1 — Fri, 25 Jun 2021 23:05:35 GMT

Hi David,

Hope you are doing Great!!!

you can change default vlan to any other vlan using the command from config mode:

con t

default-vlan-id 100

write memory

But you also need to consider your network design if you are using Cisco and using native vlan.

Hope this helps

Thanks

Hashim

Re: Configure 802.1x auth on 7150 stacks

jijo_panangat — Wed, 07 Jul 2021 03:54:35 GMT

Hi David,

On ICX, A port can be untagged on any single vlan and tagged to multiple vlans. This is the thumb rule. You can open a support case to have a quick call with support staff to clarify your questions as well.

Thanks

Jijo

topic Configure 802.1x auth on 7150 stacks in ICX Switches

Configure 802.1x auth on 7150 stacks

Re: Configure 802.1x auth on 7150 stacks

Re: Configure 802.1x auth on 7150 stacks