topic Re: Dot1x Authentication fail E63018 in IMC

Dot1x Authentication fail E63018

Pingkung — Fri, 08 Apr 2016 11:49:33 GMT

Hi all

first. i'm sory for my english is no good

I configured iMC (7.2) witch UAM and already sync user from ldap server and ldap policy.

when client authentication to switch log of iMC present in picture 1

and this is configured on switch hp 5500

dot1x
dot1x timer handshake-period 30
dot1x authentication-method eap
dot1x domain-delimiter @\
radius scheme accessuser
server-type extended
primary authentication xx.xx.xx.xx key cipher -
primary accounting xx.xx.xx.xx key cipher -
timer response-timeout 5
user-name-format without-domain
nas-ip xx.xx.xx.xx
retry 5
accounting-on enable
domain lab
authentication default radius-scheme mac-authen
authorization default radius-scheme mac-authen
accounting default radius-scheme mac-authen
authentication login radius-scheme mgmt-switch local
authorization login radius-scheme mgmt-switch local
accounting login radius-scheme mgmt-switch local
authentication lan-access radius-scheme accessuser
authorization lan-access radius-scheme accessuser
accounting lan-access radius-scheme accessuser
access-limit disable
state active
idle-cut disable
self-service-url disable
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 743
port trunk pvid vlan 743
voice vlan 104 enable
poe enable
port-security max-mac-count 3
port-security intrusion-mode disableport-temporarily
undo dot1x handshake
undo dot1x multicast-trigger
dot1x
#

but if i configured ldap derver with add prefix domain/ it can be done. but i want to delimiter domain

thank you and please help

Re: Dot1x Authentication fail E63018

NeilR — Sat, 09 Apr 2016 01:25:15 GMT

OK - first I'm running 7.1 so there may be slight difference.

Sorry but your english is unclear, but I think you want to have login be user@domain.com, correct? Aplogoies if I misunderstand.

Looks like your switch has sent has sent user@domain.com - that is login name

But your LDAP has brought over just user as account name. So you need to remove @domain.com

I don't think your switch config is doing that - even though it looks like you have tried. Check with wireshark packets sent to imc.

To remove @domain.com in imc go to User > User Access Policy > LDAP Service > LDAP Server > your server

for account format use Remove Suffix and delimter @

You can't edit current setup so create new.

Hope I understand correctly and this helps you.

Re: Dot1x Authentication fail E63018

Pingkung — Sun, 10 Apr 2016 16:36:10 GMT

thank you for reply @NeilR

I want to remove @domain.com on my switch before send to imc by use this command

dot1x domain-delimiter @\

but when switch send username to iMC its include @domain.com

so how can i remove @domain.com before sending to iMC

sory for may English is not clear.

Re: Dot1x Authentication fail E63018

NeilR — Mon, 11 Apr 2016 17:06:57 GMT

No worries on english - I understand you wish to remove @domain.com from userid sent from switch to imc

My apologies as I have all my 802.1x users running on Procurve switch not comware. We get full user name.

My comware is limited to server side switches, but looking at documentation I have, I don't see info on dot1x delimiter for my versions

But they do say as pre-requisite to "Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users" and I do not see that in your configuration - only for MAC authentication. So you might look at that.

My comment above was on how to remove @domain.com AFTER it got sent to imc.

If you want to remove BEFORE it is sent to imc then the comware configuration is the issue. My comware knowldege is too limited to help you. So Sorry.