topic Re: 802.1x authentication issue on HP 5412 switch in Switches, Hubs, and Modems

802.1x authentication issue on HP 5412 switch

FiluFreeman — Wed, 03 Mar 2010 18:16:29 GMT

Hi,

I have a switch HP 5412zl. I have a NAP w2k8 r2 server. I have a wired w7 wks. I have HP Procurve with IDM 3.

I used

http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en

http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S5_ProCurve-IDM-NAP-integration-final-081108.pdf

and I can't see any auth conversation, nothing gets to the NAP/Radius, I used Net Monitor 3.3 to see what's going on. And as far as I can see my configurations are right, see the HP switch config attached

Anyways, I don't know...

Thanks!!

Re: 802.1x authentication issue on HP 5412 switch

Jeff Carrell — Wed, 03 Mar 2010 23:12:59 GMT

hmmm...

As I see it, your switch config looks ok.

You say no authentication requests seem to be coming from the switch to the server, so that really indicates either switch config, switch can't talk to the server, or client config.

A good resource for client configs is here: http://tinyurl.com/8021X-supplicant-1

If the client config is good and the switch can ping the server, then something has to be happening (I read that somewhere ;-)

So, if all above looks good, then try the following:

1) If the IDM agent is "started" on the W2K8/NAP server, shut that service down and troubleshoot this problem one step at a time.

2) Look at the "radius log" to see if radius (NAP) is even trying to authenticate the client request and/or what (if any) errors it is generating?

On the W2K8 server, look at:
event viewer/custom views/server roles/network policy and access services and see if any switch-to-NAP (radius) transactions are occurring.

Most common radius (NAP)/AD issues are (after basic switch-to-radius comms work):
1) switch is not defined as a radius client
2) NAP policy, either "connection request policies" and/or "network policies" are not configured correctly, meaning a failure to pass a test
3) AD uid/pw/group membership issue

If you resolve any issues that are in radius/AD, then restart the IDM Agent service and then see what the radius log info indicates, as well as what the IDM log indicates.

Troubleshooting IDM can get really tricky and especially more so if you have a fundamental radius problem before IDM can even do its testing.

hth...Jeff

Re: 802.1x authentication issue on HP 5412 switch

FiluFreeman — Thu, 04 Mar 2010 02:07:40 GMT

that's my problem, I can't see any logs anywhere, and I really know where to look ;). So NAP events = 0. HP switch events = 0. IDM events = 0. Netmonitor shows nothing EAP related. so this is why I'm really lost. I already took IDM out of the picture, to see switch-NAP conversation. and nothing. and I swear I put the correct RADIUS clients. and passwords. I'm completely lost, I really don't know where to start to troubleshoot. 1 question though: in this authentication conversation, who initiates it first? which device sends the FIRST request? The switch? The wks? The NAP server?

Thanks!

Re: 802.1x authentication issue on HP 5412 switch

Jeff Carrell — Thu, 04 Mar 2010 14:26:23 GMT

FiluFreeman said: 1 question though: in this authentication conversation, who initiates it first? which device sends the FIRST request? The switch? The wks? The NAP server?

Jeff reply: when a switch port is configured for 802.1X auth, and then a device (computer in this case) is connected, the switch basically sends an "EAP Identity Request" packet to the device, if the device is configured correctly, then it will send an "EAP Identity Response", then the switch will repackage that info and send to radius a "RADIUS Access Reuqest".

These comms between the client and switch are all at layer2, as there is no IP address available yet. This is what EAP provides, layer2 comms.

So, it looks to me like the issue is with the client-to-switch initial comms.

hth...Jeff

Re: 802.1x authentication issue on HP 5412 switch

FiluFreeman — Thu, 04 Mar 2010 16:45:50 GMT

after some more investigation I found some interesting EAP conversation

source my workstations MAC - destination 01-80-c2-00-00-03

source my switch MAC - destination 01-80-c2-00-00-03

That's all I found. What is this? I have no idea where to start to troubleshoot. I mean I googled the MAC address 01-80-c2-00-00-03 and I found out it's a standard of some sort, but how do I make it work?

This is all so exciting, but it shows that I don't really know too much about networking...

Re: 802.1x authentication issue on HP 5412 switch

FiluFreeman — Thu, 04 Mar 2010 16:50:17 GMT

Also, please take a look at the attachment. Thank you!!

Re: 802.1x authentication issue on HP 5412 switch

Jeff Carrell — Thu, 04 Mar 2010 17:42:01 GMT

The switch is sending, it looks as if the client side is not properly replying.

So I'd say it looks like client is not properly configured for 802.1X.

The full trace and the mac addresses of switch and client would help alot in troubleshooting this issue.