topic 802.1x configuration - cannot authenticate to Microsoft NPS in Security e-Series https://community.hpe.com/t5/security-e-series/802-1x-configuration-cannot-authenticate-to-microsoft-nps/m-p/6907078#M677 <P>Setting up initial dot1x configuration on HP 5500 HI - Comware vers 5.20.99</P><P>Problem is that cannot get user PC to authenticate using EAP to Microsoft NPS.&nbsp; I do&nbsp;NOT see EAPoL or Radius packets hitting the NPS from the switch.&nbsp; I can SSH to the switch using radius authentication, so I know the radius config on the switch is working.</P><P>Error in switch log: 8021X/6/DOT1X_AUTH_FAILURE:</P><P>Port config<BR />&nbsp;port link-mode bridge<BR />&nbsp;port access vlan 144<BR />&nbsp;undo voice vlan mode auto<BR />&nbsp;broadcast-suppression pps 3000<BR />&nbsp;undo jumboframe enable<BR />&nbsp;lldp compliance admin-status cdp txrx<BR />&nbsp;qos trust dot1p<BR />&nbsp;undo dot1x handshake<BR />&nbsp;dot1x mandatory-domain tos.x.x.x.x<BR />&nbsp;dot1x port-method portbased<BR />&nbsp;dot1x<BR />&nbsp;dot1x eapol untag</P><P>&nbsp;</P><P>Port dot1x config</P><P>Equipment 802.1X protocol is enabled<BR />&nbsp;EAP authentication is enabled<BR />&nbsp;EAD quick deploy is disabled</P><P>&nbsp;Configuration: Transmit Period&nbsp;&nbsp; 30 s,&nbsp; Handshake Period&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 15 s<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Quiet Period&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 60 s,&nbsp; Quiet Period Timer is disabled<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Supp Timeout&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 s,&nbsp; Server Timeout&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 100 s<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Reauth Period&nbsp;&nbsp; 3600 s<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The maximal retransmitting times&nbsp;&nbsp;&nbsp; 2<BR />&nbsp;EAD quick deploy configuration:<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; EAD timeout:&nbsp;&nbsp; 30 m</P><P>&nbsp;The maximum 802.1X user resource number is 2048 per slot<BR />&nbsp;Total current used 802.1X resource number is 0</P><P>&nbsp;GigabitEthernet1/0/19&nbsp; is link-up<BR />&nbsp;&nbsp; 802.1X protocol is enabled<BR />&nbsp;&nbsp; Handshake is disabled<BR />&nbsp;&nbsp; Handshake secure is disabled<BR />&nbsp;&nbsp; 802.1X unicast-trigger is disabled<BR />&nbsp;&nbsp; 802.1X user-ip freeze is disabled<BR />&nbsp;&nbsp; Periodic reauthentication is disabled<BR />&nbsp;&nbsp; The port is an authenticator<BR />&nbsp;&nbsp; Authentication Mode is Auto<BR />&nbsp;&nbsp; Port Control Type is Port-based<BR />&nbsp;&nbsp; 802.1X Multicast-trigger is enabled<BR />&nbsp;&nbsp; Mandatory authentication domain: tosx.x.x.x<BR />&nbsp;&nbsp; Guest VLAN: NOT configured<BR />&nbsp;&nbsp; Auth-Fail VLAN: NOT configured<BR />&nbsp;&nbsp; Critical VLAN: NOT configured<BR />&nbsp;&nbsp; Critical recovery-action: NOT configured<BR />&nbsp;&nbsp; Voice VLAN: NOT configured</P><P>Global dot1x config</P><P>Equipment 802.1X protocol is enabled<BR />&nbsp;EAP authentication is enabled</P><P>&nbsp;</P><P>I would like someone to verify my switch configuration and let me know if there a problem with it.&nbsp; Also any troubleshooting steps I can take to help isolate the problem.&nbsp; Thanks</P><P>&nbsp;</P> Wed, 12 Oct 2016 19:29:11 GMT T-squared 2016-10-12T19:29:11Z 802.1x configuration - cannot authenticate to Microsoft NPS https://community.hpe.com/t5/security-e-series/802-1x-configuration-cannot-authenticate-to-microsoft-nps/m-p/6907078#M677 <P>Setting up initial dot1x configuration on HP 5500 HI - Comware vers 5.20.99</P><P>Problem is that cannot get user PC to authenticate using EAP to Microsoft NPS.&nbsp; I do&nbsp;NOT see EAPoL or Radius packets hitting the NPS from the switch.&nbsp; I can SSH to the switch using radius authentication, so I know the radius config on the switch is working.</P><P>Error in switch log: 8021X/6/DOT1X_AUTH_FAILURE:</P><P>Port config<BR />&nbsp;port link-mode bridge<BR />&nbsp;port access vlan 144<BR />&nbsp;undo voice vlan mode auto<BR />&nbsp;broadcast-suppression pps 3000<BR />&nbsp;undo jumboframe enable<BR />&nbsp;lldp compliance admin-status cdp txrx<BR />&nbsp;qos trust dot1p<BR />&nbsp;undo dot1x handshake<BR />&nbsp;dot1x mandatory-domain tos.x.x.x.x<BR />&nbsp;dot1x port-method portbased<BR />&nbsp;dot1x<BR />&nbsp;dot1x eapol untag</P><P>&nbsp;</P><P>Port dot1x config</P><P>Equipment 802.1X protocol is enabled<BR />&nbsp;EAP authentication is enabled<BR />&nbsp;EAD quick deploy is disabled</P><P>&nbsp;Configuration: Transmit Period&nbsp;&nbsp; 30 s,&nbsp; Handshake Period&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 15 s<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Quiet Period&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 60 s,&nbsp; Quiet Period Timer is disabled<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Supp Timeout&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 s,&nbsp; Server Timeout&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 100 s<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Reauth Period&nbsp;&nbsp; 3600 s<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The maximal retransmitting times&nbsp;&nbsp;&nbsp; 2<BR />&nbsp;EAD quick deploy configuration:<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; EAD timeout:&nbsp;&nbsp; 30 m</P><P>&nbsp;The maximum 802.1X user resource number is 2048 per slot<BR />&nbsp;Total current used 802.1X resource number is 0</P><P>&nbsp;GigabitEthernet1/0/19&nbsp; is link-up<BR />&nbsp;&nbsp; 802.1X protocol is enabled<BR />&nbsp;&nbsp; Handshake is disabled<BR />&nbsp;&nbsp; Handshake secure is disabled<BR />&nbsp;&nbsp; 802.1X unicast-trigger is disabled<BR />&nbsp;&nbsp; 802.1X user-ip freeze is disabled<BR />&nbsp;&nbsp; Periodic reauthentication is disabled<BR />&nbsp;&nbsp; The port is an authenticator<BR />&nbsp;&nbsp; Authentication Mode is Auto<BR />&nbsp;&nbsp; Port Control Type is Port-based<BR />&nbsp;&nbsp; 802.1X Multicast-trigger is enabled<BR />&nbsp;&nbsp; Mandatory authentication domain: tosx.x.x.x<BR />&nbsp;&nbsp; Guest VLAN: NOT configured<BR />&nbsp;&nbsp; Auth-Fail VLAN: NOT configured<BR />&nbsp;&nbsp; Critical VLAN: NOT configured<BR />&nbsp;&nbsp; Critical recovery-action: NOT configured<BR />&nbsp;&nbsp; Voice VLAN: NOT configured</P><P>Global dot1x config</P><P>Equipment 802.1X protocol is enabled<BR />&nbsp;EAP authentication is enabled</P><P>&nbsp;</P><P>I would like someone to verify my switch configuration and let me know if there a problem with it.&nbsp; Also any troubleshooting steps I can take to help isolate the problem.&nbsp; Thanks</P><P>&nbsp;</P> Wed, 12 Oct 2016 19:29:11 GMT https://community.hpe.com/t5/security-e-series/802-1x-configuration-cannot-authenticate-to-microsoft-nps/m-p/6907078#M677 T-squared 2016-10-12T19:29:11Z