Instant On - Wired

Hello Community,

I recently purchased this switch because the manual indicates it supports MAC-based authentication from RADIUS.

I've configured the switch to talk to my RADIUS server on my router and supply the correct vlan-id to the port.

My router is on port#1 and ap is on port#5. Conducting test with port untagged with specific vlan-id works (ie; I untag port #6 with vlan-id 99 and my router hands out the proper IP, so I know the switch works this way. Changing the port untagged vlan-id to any of my vlans results in the same, I get an IP from router in that vlan.)

My intent is vlan1 is management vlan, vlan20,90,99 are specific vlans.

I got it working exactly once and then it stopped working. Even reset switch to factory and re-implemented config, couldn't get it working again.

My config:

config-file-header
TW10KPB1DB
vInstantOn_1930_2.7.0.0 (103) / RHPE1_932_235_006
SKU Description "Aruba Instant On 1930 8G 2SFP Switch JL680A"
@
!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 20,90,99 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 3Com
voice vlan oui-table add 0060b9 H3C
voice vlan oui-table add 64167f Polycom
voice vlan oui-table add 805e0c Yealink
port-channel load-balance src-dst-mac
dot1x system-auth-control
ip dhcp relay enable
priority-queue out num-of-queues 0 
hostname TW10KPB1DB
radius-server host 192.168.1.254 key <redacted> priority 1 
logging buffered debugging 
aaa accounting dot1x start-stop group radius
username switchadmin password encrypted <redacted> privilege 15 
snmp-server engineid local default 
clock timezone MST -7
clock summer-time J recurring usa 
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 162.159.200.123 poll 
sntp port 123
!
interface vlan 20
 name SRV 
!
interface vlan 90
 name IOT 
!
interface vlan 99
 name GUEST 
!
interface 1
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 2
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 3
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 4
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 5
 dot1x host-mode multi-sessions 
 dot1x reauthentication 
 dot1x authentication 802.1x mac 
 dot1x radius-attributes vlan static 
 authentication open 
 dot1x max-hosts 32 
 dot1x port-control auto 
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 6
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 7
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 8
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 9
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 10
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface TRK1
 speed 1000 
 description FREENAS
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
!
exit
no ip dhcp snooping verify 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 20 
ip dhcp snooping vlan 90 
ip dhcp snooping vlan 99 

Switch is running current firmware of 2.7.0

I've seen posts here that this switch doesn't support dynamic vlan, I'm not sure that's true anymore as I said, I got it working once and then it stopped working.

I'm hoping the answer isn't talking to support, when I did they just told me to factory reset the switch and there was no follow-up even though they asked my contact details. Never received an email either.

------------------------------
Chris
------------------------------

Hey Chris,

Thank you for sharing your concern. I've shared this with my team, and once they provide me with more insight, I'll update you. 

Hello Community,

I recently purchased this switch because the manual indicates it supports MAC-based authentication from RADIUS.

I've configured the switch to talk to my RADIUS server on my router and supply the correct vlan-id to the port.

My router is on port#1 and ap is on port#5. Conducting test with port untagged with specific vlan-id works (ie; I untag port #6 with vlan-id 99 and my router hands out the proper IP, so I know the switch works this way. Changing the port untagged vlan-id to any of my vlans results in the same, I get an IP from router in that vlan.)

My intent is vlan1 is management vlan, vlan20,90,99 are specific vlans.

I got it working exactly once and then it stopped working. Even reset switch to factory and re-implemented config, couldn't get it working again.

My config:

config-file-header
TW10KPB1DB
vInstantOn_1930_2.7.0.0 (103) / RHPE1_932_235_006
SKU Description "Aruba Instant On 1930 8G 2SFP Switch JL680A"
@
!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 20,90,99 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 3Com
voice vlan oui-table add 0060b9 H3C
voice vlan oui-table add 64167f Polycom
voice vlan oui-table add 805e0c Yealink
port-channel load-balance src-dst-mac
dot1x system-auth-control
ip dhcp relay enable
priority-queue out num-of-queues 0 
hostname TW10KPB1DB
radius-server host 192.168.1.254 key <redacted> priority 1 
logging buffered debugging 
aaa accounting dot1x start-stop group radius
username switchadmin password encrypted <redacted> privilege 15 
snmp-server engineid local default 
clock timezone MST -7
clock summer-time J recurring usa 
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 162.159.200.123 poll 
sntp port 123
!
interface vlan 20
 name SRV 
!
interface vlan 90
 name IOT 
!
interface vlan 99
 name GUEST 
!
interface 1
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 2
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 3
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 4
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 5
 dot1x host-mode multi-sessions 
 dot1x reauthentication 
 dot1x authentication 802.1x mac 
 dot1x radius-attributes vlan static 
 authentication open 
 dot1x max-hosts 32 
 dot1x port-control auto 
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 6
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 7
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 8
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 9
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 10
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface TRK1
 speed 1000 
 description FREENAS
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
!
exit
no ip dhcp snooping verify 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 20 
ip dhcp snooping vlan 90 
ip dhcp snooping vlan 99 

Switch is running current firmware of 2.7.0

I've seen posts here that this switch doesn't support dynamic vlan, I'm not sure that's true anymore as I said, I got it working once and then it stopped working.

I'm hoping the answer isn't talking to support, when I did they just told me to factory reset the switch and there was no follow-up even though they asked my contact details. Never received an email either.

------------------------------
Chris
------------------------------

Much appreciated. I've noticed during testing that sometimes the port is in HELD status. The AP does indeed authenticate against RADIUS and if I tell the AP not to use RADIUS (and allow the switch to do the work) I can see the switch successfully authenticates the MAC from RADIUS but vlan never switches. The output from my RADIUS using a test MAC:

root@OPNsense:~ # radtest 46ac4066790e 46ac4066790e 127.0.0.1 0 radius123
Sent Access-Request Id 212 from 0.0.0.0:2075 to 127.0.0.1:1812 length 82
        User-Name = "46ac4066790e"
        User-Password = "46ac4066790e"
        NAS-IP-Address = 192.168.1.254
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "46ac4066790e"
Received Access-Accept Id 212 from 127.0.0.1:1812 to 127.0.0.1:2075 length 42
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "99"
        Framed-Protocol = PPP

I've run out of ideas. It was working but stopped when I started adding more vlans (I tested with vlan1+vlan99) and I've not being able to reproduce since.

Hey Chris,

Thank you for sharing your concern. I've shared this with my team, and once they provide me with more insight, I'll update you. 

Hello Community,

I recently purchased this switch because the manual indicates it supports MAC-based authentication from RADIUS.

I've configured the switch to talk to my RADIUS server on my router and supply the correct vlan-id to the port.

My router is on port#1 and ap is on port#5. Conducting test with port untagged with specific vlan-id works (ie; I untag port #6 with vlan-id 99 and my router hands out the proper IP, so I know the switch works this way. Changing the port untagged vlan-id to any of my vlans results in the same, I get an IP from router in that vlan.)

My intent is vlan1 is management vlan, vlan20,90,99 are specific vlans.

I got it working exactly once and then it stopped working. Even reset switch to factory and re-implemented config, couldn't get it working again.

My config:

config-file-header
TW10KPB1DB
vInstantOn_1930_2.7.0.0 (103) / RHPE1_932_235_006
SKU Description "Aruba Instant On 1930 8G 2SFP Switch JL680A"
@
!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 20,90,99 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 3Com
voice vlan oui-table add 0060b9 H3C
voice vlan oui-table add 64167f Polycom
voice vlan oui-table add 805e0c Yealink
port-channel load-balance src-dst-mac
dot1x system-auth-control
ip dhcp relay enable
priority-queue out num-of-queues 0 
hostname TW10KPB1DB
radius-server host 192.168.1.254 key <redacted> priority 1 
logging buffered debugging 
aaa accounting dot1x start-stop group radius
username switchadmin password encrypted <redacted> privilege 15 
snmp-server engineid local default 
clock timezone MST -7
clock summer-time J recurring usa 
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 162.159.200.123 poll 
sntp port 123
!
interface vlan 20
 name SRV 
!
interface vlan 90
 name IOT 
!
interface vlan 99
 name GUEST 
!
interface 1
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 2
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 3
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 4
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 5
 dot1x host-mode multi-sessions 
 dot1x reauthentication 
 dot1x authentication 802.1x mac 
 dot1x radius-attributes vlan static 
 authentication open 
 dot1x max-hosts 32 
 dot1x port-control auto 
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 6
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 7
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 8
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 9
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 10
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface TRK1
 speed 1000 
 description FREENAS
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
!
exit
no ip dhcp snooping verify 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 20 
ip dhcp snooping vlan 90 
ip dhcp snooping vlan 99 

Switch is running current firmware of 2.7.0

I've seen posts here that this switch doesn't support dynamic vlan, I'm not sure that's true anymore as I said, I got it working once and then it stopped working.

I'm hoping the answer isn't talking to support, when I did they just told me to factory reset the switch and there was no follow-up even though they asked my contact details. Never received an email either.

------------------------------
Chris
------------------------------

Hey Chris,

I connected with my team and they would like to connect with you directly via our support team. Can you reach out to them by clicking the link: https://www.arubainstanton.com/contact-support/ 

Much appreciated. I've noticed during testing that sometimes the port is in HELD status. The AP does indeed authenticate against RADIUS and if I tell the AP not to use RADIUS (and allow the switch to do the work) I can see the switch successfully authenticates the MAC from RADIUS but vlan never switches. The output from my RADIUS using a test MAC:

root@OPNsense:~ # radtest 46ac4066790e 46ac4066790e 127.0.0.1 0 radius123
Sent Access-Request Id 212 from 0.0.0.0:2075 to 127.0.0.1:1812 length 82
        User-Name = "46ac4066790e"
        User-Password = "46ac4066790e"
        NAS-IP-Address = 192.168.1.254
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "46ac4066790e"
Received Access-Accept Id 212 from 127.0.0.1:1812 to 127.0.0.1:2075 length 42
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "99"
        Framed-Protocol = PPP

I've run out of ideas. It was working but stopped when I started adding more vlans (I tested with vlan1+vlan99) and I've not being able to reproduce since.

Hey Chris,

Thank you for sharing your concern. I've shared this with my team, and once they provide me with more insight, I'll update you. 

Hello Community,

I recently purchased this switch because the manual indicates it supports MAC-based authentication from RADIUS.

I've configured the switch to talk to my RADIUS server on my router and supply the correct vlan-id to the port.

My router is on port#1 and ap is on port#5. Conducting test with port untagged with specific vlan-id works (ie; I untag port #6 with vlan-id 99 and my router hands out the proper IP, so I know the switch works this way. Changing the port untagged vlan-id to any of my vlans results in the same, I get an IP from router in that vlan.)

My intent is vlan1 is management vlan, vlan20,90,99 are specific vlans.

I got it working exactly once and then it stopped working. Even reset switch to factory and re-implemented config, couldn't get it working again.

My config:

config-file-header
TW10KPB1DB
vInstantOn_1930_2.7.0.0 (103) / RHPE1_932_235_006
SKU Description "Aruba Instant On 1930 8G 2SFP Switch JL680A"
@
!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 20,90,99 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 3Com
voice vlan oui-table add 0060b9 H3C
voice vlan oui-table add 64167f Polycom
voice vlan oui-table add 805e0c Yealink
port-channel load-balance src-dst-mac
dot1x system-auth-control
ip dhcp relay enable
priority-queue out num-of-queues 0 
hostname TW10KPB1DB
radius-server host 192.168.1.254 key <redacted> priority 1 
logging buffered debugging 
aaa accounting dot1x start-stop group radius
username switchadmin password encrypted <redacted> privilege 15 
snmp-server engineid local default 
clock timezone MST -7
clock summer-time J recurring usa 
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 162.159.200.123 poll 
sntp port 123
!
interface vlan 20
 name SRV 
!
interface vlan 90
 name IOT 
!
interface vlan 99
 name GUEST 
!
interface 1
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 2
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 3
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 4
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 5
 dot1x host-mode multi-sessions 
 dot1x reauthentication 
 dot1x authentication 802.1x mac 
 dot1x radius-attributes vlan static 
 authentication open 
 dot1x max-hosts 32 
 dot1x port-control auto 
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 6
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 7
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 8
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 9
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 10
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface TRK1
 speed 1000 
 description FREENAS
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
!
exit
no ip dhcp snooping verify 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 20 
ip dhcp snooping vlan 90 
ip dhcp snooping vlan 99 

Switch is running current firmware of 2.7.0

I've seen posts here that this switch doesn't support dynamic vlan, I'm not sure that's true anymore as I said, I got it working once and then it stopped working.

I'm hoping the answer isn't talking to support, when I did they just told me to factory reset the switch and there was no follow-up even though they asked my contact details. Never received an email either.

------------------------------
Chris
------------------------------

Hey Chris,

Thank you for sharing your concern. I've shared this with my team, and once they provide me with more insight, I'll update you. 

Hello Community,

I recently purchased this switch because the manual indicates it supports MAC-based authentication from RADIUS.

I've configured the switch to talk to my RADIUS server on my router and supply the correct vlan-id to the port.

My router is on port#1 and ap is on port#5. Conducting test with port untagged with specific vlan-id works (ie; I untag port #6 with vlan-id 99 and my router hands out the proper IP, so I know the switch works this way. Changing the port untagged vlan-id to any of my vlans results in the same, I get an IP from router in that vlan.)

My intent is vlan1 is management vlan, vlan20,90,99 are specific vlans.

I got it working exactly once and then it stopped working. Even reset switch to factory and re-implemented config, couldn't get it working again.

My config:

config-file-header
TW10KPB1DB
vInstantOn_1930_2.7.0.0 (103) / RHPE1_932_235_006
SKU Description "Aruba Instant On 1930 8G 2SFP Switch JL680A"
@
!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 20,90,99 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 3Com
voice vlan oui-table add 0060b9 H3C
voice vlan oui-table add 64167f Polycom
voice vlan oui-table add 805e0c Yealink
port-channel load-balance src-dst-mac
dot1x system-auth-control
ip dhcp relay enable
priority-queue out num-of-queues 0 
hostname TW10KPB1DB
radius-server host 192.168.1.254 key <redacted> priority 1 
logging buffered debugging 
aaa accounting dot1x start-stop group radius
username switchadmin password encrypted <redacted> privilege 15 
snmp-server engineid local default 
clock timezone MST -7
clock summer-time J recurring usa 
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 162.159.200.123 poll 
sntp port 123
!
interface vlan 20
 name SRV 
!
interface vlan 90
 name IOT 
!
interface vlan 99
 name GUEST 
!
interface 1
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 2
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 3
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 4
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 5
 dot1x host-mode multi-sessions 
 dot1x reauthentication 
 dot1x authentication 802.1x mac 
 dot1x radius-attributes vlan static 
 authentication open 
 dot1x max-hosts 32 
 dot1x port-control auto 
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 6
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 7
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 8
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 9
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 10
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface TRK1
 speed 1000 
 description FREENAS
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
!
exit
no ip dhcp snooping verify 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 20 
ip dhcp snooping vlan 90 
ip dhcp snooping vlan 99 

Switch is running current firmware of 2.7.0

I've seen posts here that this switch doesn't support dynamic vlan, I'm not sure that's true anymore as I said, I got it working once and then it stopped working.

I'm hoping the answer isn't talking to support, when I did they just told me to factory reset the switch and there was no follow-up even though they asked my contact details. Never received an email either.

------------------------------
Chris
------------------------------

I forgot to note that the AP successfully authenticates through the switch to RADIUS and I can see it listed in the Access Control Client Information panel under Port Security > Port Access Control including being in vlan1 untagged (where I want it to be.)

Hey Chris,

Thank you for sharing your concern. I've shared this with my team, and once they provide me with more insight, I'll update you. 

Hello Community,

I recently purchased this switch because the manual indicates it supports MAC-based authentication from RADIUS.

I've configured the switch to talk to my RADIUS server on my router and supply the correct vlan-id to the port.

My router is on port#1 and ap is on port#5. Conducting test with port untagged with specific vlan-id works (ie; I untag port #6 with vlan-id 99 and my router hands out the proper IP, so I know the switch works this way. Changing the port untagged vlan-id to any of my vlans results in the same, I get an IP from router in that vlan.)

My intent is vlan1 is management vlan, vlan20,90,99 are specific vlans.

I got it working exactly once and then it stopped working. Even reset switch to factory and re-implemented config, couldn't get it working again.

My config:

config-file-header
TW10KPB1DB
vInstantOn_1930_2.7.0.0 (103) / RHPE1_932_235_006
SKU Description "Aruba Instant On 1930 8G 2SFP Switch JL680A"
@
!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 20,90,99 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 3Com
voice vlan oui-table add 0060b9 H3C
voice vlan oui-table add 64167f Polycom
voice vlan oui-table add 805e0c Yealink
port-channel load-balance src-dst-mac
dot1x system-auth-control
ip dhcp relay enable
priority-queue out num-of-queues 0 
hostname TW10KPB1DB
radius-server host 192.168.1.254 key <redacted> priority 1 
logging buffered debugging 
aaa accounting dot1x start-stop group radius
username switchadmin password encrypted <redacted> privilege 15 
snmp-server engineid local default 
clock timezone MST -7
clock summer-time J recurring usa 
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 162.159.200.123 poll 
sntp port 123
!
interface vlan 20
 name SRV 
!
interface vlan 90
 name IOT 
!
interface vlan 99
 name GUEST 
!
interface 1
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 2
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 3
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 4
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 5
 dot1x host-mode multi-sessions 
 dot1x reauthentication 
 dot1x authentication 802.1x mac 
 dot1x radius-attributes vlan static 
 authentication open 
 dot1x max-hosts 32 
 dot1x port-control auto 
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 6
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 7
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 8
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 9
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 10
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface TRK1
 speed 1000 
 description FREENAS
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
!
exit
no ip dhcp snooping verify 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 20 
ip dhcp snooping vlan 90 
ip dhcp snooping vlan 99 

Switch is running current firmware of 2.7.0

I've seen posts here that this switch doesn't support dynamic vlan, I'm not sure that's true anymore as I said, I got it working once and then it stopped working.

I'm hoping the answer isn't talking to support, when I did they just told me to factory reset the switch and there was no follow-up even though they asked my contact details. Never received an email either.

------------------------------
Chris
------------------------------

Hi Chris,

Not sure if this helps - but for our ports that use dynamic vlan assignment, we don't have the vlans tagged or untagged in the config. Might be that it's not setting it to "untagged" because they're already "Tagged"?

I forgot to note that the AP successfully authenticates through the switch to RADIUS and I can see it listed in the Access Control Client Information panel under Port Security > Port Access Control including being in vlan1 untagged (where I want it to be.)

Hey Chris,

Thank you for sharing your concern. I've shared this with my team, and once they provide me with more insight, I'll update you. 

Hello Community,

I recently purchased this switch because the manual indicates it supports MAC-based authentication from RADIUS.

I've configured the switch to talk to my RADIUS server on my router and supply the correct vlan-id to the port.

My router is on port#1 and ap is on port#5. Conducting test with port untagged with specific vlan-id works (ie; I untag port #6 with vlan-id 99 and my router hands out the proper IP, so I know the switch works this way. Changing the port untagged vlan-id to any of my vlans results in the same, I get an IP from router in that vlan.)

My intent is vlan1 is management vlan, vlan20,90,99 are specific vlans.

I got it working exactly once and then it stopped working. Even reset switch to factory and re-implemented config, couldn't get it working again.

My config:

config-file-header
TW10KPB1DB
vInstantOn_1930_2.7.0.0 (103) / RHPE1_932_235_006
SKU Description "Aruba Instant On 1930 8G 2SFP Switch JL680A"
@
!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 20,90,99 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 3Com
voice vlan oui-table add 0060b9 H3C
voice vlan oui-table add 64167f Polycom
voice vlan oui-table add 805e0c Yealink
port-channel load-balance src-dst-mac
dot1x system-auth-control
ip dhcp relay enable
priority-queue out num-of-queues 0 
hostname TW10KPB1DB
radius-server host 192.168.1.254 key <redacted> priority 1 
logging buffered debugging 
aaa accounting dot1x start-stop group radius
username switchadmin password encrypted <redacted> privilege 15 
snmp-server engineid local default 
clock timezone MST -7
clock summer-time J recurring usa 
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 162.159.200.123 poll 
sntp port 123
!
interface vlan 20
 name SRV 
!
interface vlan 90
 name IOT 
!
interface vlan 99
 name GUEST 
!
interface 1
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 2
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 3
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 4
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 5
 dot1x host-mode multi-sessions 
 dot1x reauthentication 
 dot1x authentication 802.1x mac 
 dot1x radius-attributes vlan static 
 authentication open 
 dot1x max-hosts 32 
 dot1x port-control auto 
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 6
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 7
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 8
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 9
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 10
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface TRK1
 speed 1000 
 description FREENAS
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
!
exit
no ip dhcp snooping verify 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 20 
ip dhcp snooping vlan 90 
ip dhcp snooping vlan 99 

Switch is running current firmware of 2.7.0

I've seen posts here that this switch doesn't support dynamic vlan, I'm not sure that's true anymore as I said, I got it working once and then it stopped working.

I'm hoping the answer isn't talking to support, when I did they just told me to factory reset the switch and there was no follow-up even though they asked my contact details. Never received an email either.

------------------------------
Chris
------------------------------

Hello Community,

I recently purchased this switch because the manual indicates it supports MAC-based authentication from RADIUS.

I've configured the switch to talk to my RADIUS server on my router and supply the correct vlan-id to the port.

My router is on port#1 and ap is on port#5. Conducting test with port untagged with specific vlan-id works (ie; I untag port #6 with vlan-id 99 and my router hands out the proper IP, so I know the switch works this way. Changing the port untagged vlan-id to any of my vlans results in the same, I get an IP from router in that vlan.)

My intent is vlan1 is management vlan, vlan20,90,99 are specific vlans.

I got it working exactly once and then it stopped working. Even reset switch to factory and re-implemented config, couldn't get it working again.

My config:

config-file-header
TW10KPB1DB
vInstantOn_1930_2.7.0.0 (103) / RHPE1_932_235_006
SKU Description "Aruba Instant On 1930 8G 2SFP Switch JL680A"
@
!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 20,90,99 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 3Com
voice vlan oui-table add 0060b9 H3C
voice vlan oui-table add 64167f Polycom
voice vlan oui-table add 805e0c Yealink
port-channel load-balance src-dst-mac
dot1x system-auth-control
ip dhcp relay enable
priority-queue out num-of-queues 0 
hostname TW10KPB1DB
radius-server host 192.168.1.254 key <redacted> priority 1 
logging buffered debugging 
aaa accounting dot1x start-stop group radius
username switchadmin password encrypted <redacted> privilege 15 
snmp-server engineid local default 
clock timezone MST -7
clock summer-time J recurring usa 
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 162.159.200.123 poll 
sntp port 123
!
interface vlan 20
 name SRV 
!
interface vlan 90
 name IOT 
!
interface vlan 99
 name GUEST 
!
interface 1
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 2
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 3
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 4
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 5
 dot1x host-mode multi-sessions 
 dot1x reauthentication 
 dot1x authentication 802.1x mac 
 dot1x radius-attributes vlan static 
 authentication open 
 dot1x max-hosts 32 
 dot1x port-control auto 
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 6
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 7
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 8
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 9
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 10
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface TRK1
 speed 1000 
 description FREENAS
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
!
exit
no ip dhcp snooping verify 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 20 
ip dhcp snooping vlan 90 
ip dhcp snooping vlan 99 

Switch is running current firmware of 2.7.0

I've seen posts here that this switch doesn't support dynamic vlan, I'm not sure that's true anymore as I said, I got it working once and then it stopped working.

I'm hoping the answer isn't talking to support, when I did they just told me to factory reset the switch and there was no follow-up even though they asked my contact details. Never received an email either.

------------------------------
Chris
------------------------------

Hello Community,

I recently purchased this switch because the manual indicates it supports MAC-based authentication from RADIUS.

I've configured the switch to talk to my RADIUS server on my router and supply the correct vlan-id to the port.

My router is on port#1 and ap is on port#5. Conducting test with port untagged with specific vlan-id works (ie; I untag port #6 with vlan-id 99 and my router hands out the proper IP, so I know the switch works this way. Changing the port untagged vlan-id to any of my vlans results in the same, I get an IP from router in that vlan.)

My intent is vlan1 is management vlan, vlan20,90,99 are specific vlans.

I got it working exactly once and then it stopped working. Even reset switch to factory and re-implemented config, couldn't get it working again.

My config:

config-file-header
TW10KPB1DB
vInstantOn_1930_2.7.0.0 (103) / RHPE1_932_235_006
SKU Description "Aruba Instant On 1930 8G 2SFP Switch JL680A"
@
!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 20,90,99 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 3Com
voice vlan oui-table add 0060b9 H3C
voice vlan oui-table add 64167f Polycom
voice vlan oui-table add 805e0c Yealink
port-channel load-balance src-dst-mac
dot1x system-auth-control
ip dhcp relay enable
priority-queue out num-of-queues 0 
hostname TW10KPB1DB
radius-server host 192.168.1.254 key <redacted> priority 1 
logging buffered debugging 
aaa accounting dot1x start-stop group radius
username switchadmin password encrypted <redacted> privilege 15 
snmp-server engineid local default 
clock timezone MST -7
clock summer-time J recurring usa 
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 162.159.200.123 poll 
sntp port 123
!
interface vlan 20
 name SRV 
!
interface vlan 90
 name IOT 
!
interface vlan 99
 name GUEST 
!
interface 1
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 2
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 3
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 4
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 5
 dot1x host-mode multi-sessions 
 dot1x reauthentication 
 dot1x authentication 802.1x mac 
 dot1x radius-attributes vlan static 
 authentication open 
 dot1x max-hosts 32 
 dot1x port-control auto 
 ip dhcp snooping trust 
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 6
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 7
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 8
 channel-group 1 mode auto 
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 9
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface 10
 lldp med notifications topology-change enable 
 lldp med enable network-policy
!
interface TRK1
 speed 1000 
 description FREENAS
 switchport general allowed vlan add 20,90,99 tagged 
 switchport general allowed vlan add 1 untagged 
!
exit
no ip dhcp snooping verify 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 20 
ip dhcp snooping vlan 90 
ip dhcp snooping vlan 99 

Switch is running current firmware of 2.7.0

I've seen posts here that this switch doesn't support dynamic vlan, I'm not sure that's true anymore as I said, I got it working once and then it stopped working.

I'm hoping the answer isn't talking to support, when I did they just told me to factory reset the switch and there was no follow-up even though they asked my contact details. Never received an email either.

------------------------------
Chris
------------------------------