topic ProCurve 2910al -- can't set port-access credentials in Switches, Hubs, and Modems

ProCurve 2910al -- can't set port-access credentials

Thomas Wunder — Wed, 04 Aug 2010 13:00:42 GMT

Hi,
I've got a new ProCurve 2910al-48G here and I'm currently playing around a bit with its AAA (802.1X) features.

In the 'Access Security Guide' (which I got from
http://cdn.procurve.com/training/Manuals/2910-ASG-Feb09-W_14_03.pdf ) it says that I can -- and I should -- set a port-access username and password pair by doing somthing like that:

swtswitch01(config)# password port-access user-name tom password123
Invalid input: port-access
swtswitch01(config)#

But as you can see the switch replies "Invalid input". Looking a bit closer at the 'password' command I can see that 'operator', 'manager', 'all' are allowed for the first argument but not port-access as is described in the manual.

I suspect I'm missing something but I can't find out what it is...

Might this feature have been removed in the current Firmware-Release (I'm just trying to do local auth first for the sake of simplicity before setting it all up using FreeRADIUS)?
From 'show flash' I get
Primary Image : 8482560 11/05/09 W.14.38
Secondary Image : 8482560 11/05/09 W.14.38
Boot Rom Version: W.14.04

Any ideas?
Thanks in advance!
Tom

Re: ProCurve 2910al -- can't set port-access credentials

Thomas Wunder — Wed, 04 Aug 2010 13:46:28 GMT

I guess I should mention that the example command was on page 455+456 (12-16/12-17)

Re: ProCurve 2910al -- can't set port-access credentials

Tore Valberg — Wed, 04 Aug 2010 13:59:28 GMT

Hi Thomas

I am not exactly sure what you want to achieve, but if you want to set up 802.1x for clients connecting to the switch you will need a radius server.

The switch doesn't have any internal radius.

You might be confusing with the Port supplicant feature. Basically this is to configure a switch port with credentials to authenticate to another switch.
So basically a switch authenticating against another switch.

For standard 802.1x port authenticator, following the configuration guide from page 459 in the PDF you are lining too.

But i am afraid you will need a radius server to test 802.1x

Tore

Re: ProCurve 2910al -- can't set port-access credentials

Tore Valberg — Wed, 04 Aug 2010 14:05:41 GMT

Hi Again

I can see the commands you are referring to in the manual.

It looks like the manual is a bit outdated indeed.

Tore

Re: ProCurve 2910al -- can't set port-access credentials

Thomas Wunder — Thu, 05 Aug 2010 10:54:06 GMT

Hi Tore,
first of all thanks for your quick answer!

There's still a thing I don't really understand. On page 12-26 it says:

# aaa authentication port-access

Configures local, chap-radius (MD5), or eap-radius as the primary password authentication method for port-access.

And indeed the 'aaa authentication port-access local' works. (Also the switch gives me amongst other options
' local Use local switch user/password database.' amongst other options when i do
'aaa authentication port-access ?'

So why can I configure the switch to use the local user/password database for 802.1X authentication while it is impossible to set a username password to be used? That's a bit strange isn't it? Did developers simply forget to remove that option or does it simply use the operator/manager user for 802.1X authentication? If the latter one is the case which are the usernames that should be used by a supplicant (I've already tried 'operator' and 'manager' with the according passwords but that didn't work out)?

By the way is there an example configuration for the wpa_supplicant (from the Open1X project) to be used with the ProCurve switch for 802.1X auth? (I simply adapted the sample config from https://help.ubuntu.com/community/Network802.1xAuthentication )

Re: ProCurve 2910al -- can't set port-access credentials

Tore Valberg — Mon, 16 Aug 2010 09:35:12 GMT

Hi Thomas

Sorry for the late reply.

That is indeed a good point, i can also add the command but cant make use of it.

It has been removed from teh latest documentation, but the command is still there.

Looks like they forgot to remove it. Operator Manager login will not work.

You might want to call HP regarding the command.

Regarding the example configuration, on the switch you simply need to enable 802.1x. Rest is done on the radius.

ProVision(config)# aaa authentication port-access eap-radius
ProVision(config)# radius-server host 10.0.100.111 key password
ProVision(config)# aaa port-access authenticator 13,17-18
ProVision(config)# aaa port-access authenticator active

Alternatively you can set client limit and unauth and authorized vlans:

ProVision(config)# aaa port-access authenticator 17-18 client-limit 3
ProVision(config)# aaa port-access authenticator 13,17-18 unauth-vid 99
ProVision(config)# aaa port-access authenticator 13,17-18 auth-vid 10

Hope this helps