Aruba & ProVision-based
cancel
Showing results for 
Search instead for 
Did you mean: 

802.1x PEAP/TLS with fallback to MAC based Auth if first auth fails

 
Georg Schwarz
Occasional Contributor

802.1x PEAP/TLS with fallback to MAC based Auth if first auth fails

Inclined readers,


Maybe I was just too stupid to find the correct document that describes the desired solution, so please don't flame me if it is obvious. However I found contradictionary results when googling, so I thought it to be the best idea to bring my issue to the community...


Our customer's requirements are:
•They want to use 802.1x authentication using PEAP/TLS on all Edge-Ethernet ports where possible
•For devices not supporting PEAP/TLS there should be an automatic fallback to MAC authentication also handled by the RADIUS server, so that there is no need to reconfigure the port if you connect a known 802.1x incapable device..


The environment consists of
1. Several 5406zl
2. Several 5406Rzl
3. A few 2920s
4. A few 2910s

THe document that contained the most information for me is
ftp://ftp.hp.com/pub/networking/software/2900yl-ASG-0207-T_12_XX-9-8021X.pdf

Quote:
Port-Based 802.1X can operate concurrently with Web-Authentication or
MAC-Authentication on the same port. However, this is not a commonly used
application and is not generally recommended.

In fact I don't want them to operate concurrently but only if EAP fails.

My questions are:

Is there any best practice way to do that on HP?
I have configured similar environments with switches from another vendor (by far not as prestigious as HP), so I think it'll not be impossible

If yes, could you point out the main steps? (I do not expect you guys to put together all the commands, just a very rough outline how to do it would be very nice)

If someone's got such a setup running, what is your experience with daily operations?

Thanks in advance for any piece of advice!

Greetings from Austria,
George

1 REPLY 1
DFabryr
Regular Visitor

Re: 802.1x PEAP/TLS with fallback to MAC based Auth if first auth fails

Greetings George.

For me the best way to do 802.1x is based in MS-AD with NPS/NAP and Protectected EAP (PEAP) because you have all the user database in one place, you only need one certificate at the server side and at the network edge you just need switches that meet the open standards such as the HP ones either Commware or Provision based (I worked both with excellent results).

Attached you will find an example configuration file, it is a bit old Provision version but it worked fine.

Be sure to have your NPS/NAP services replicated in more than one server. If you want to do autovlan/QoS remember that you MUST work with MS-AD groups, not OU (even one do not interfere with the other)

Hope to helped you to find your way

Have a great New Year's Eve