08-16-2017 04:07 PM - edited 08-16-2017 04:15 PM
HP 2530, 802.1X Windows server NPS issues
Hi there,
I am currently trialling an HP 2530 (YA.16.04.0008) for port security using 802.1X (port access, not user). I have two MS 2012R2 servers configured with NPS that use EAP-TLS.
The NPS servers are both configured correctly. I can establish a successful connection to either server.
I have configured a GPO that creates a wired policy which allows for smart card aka EAP-TLS.
I have configured an auth and unauth VLAN. VLANs are not being dynamically assigned from the NPS servers.
My end goal is to allow the switch to use a radius group which contains two radius servers for HA and, if both become unavailable, to allow connectivity and for the port to check periodically the status of the radius servers.
Radius server A (rada) is listed first in the "Radius Group", radius server B (radb) is second.
Once establishing a connection using port 34 for a laptop device, if I do not allow access to rada although still allowing access to radb, the switch does not check against radb. If I make rada available then it reconnects. If I remove rada from the group so that radb is the only radius server in the group, it can connect fine.
Secondly, if only a single radius server is in the group and the radius server is unavailable, when reauth is attempted it checks once (max requests) during the timeout period below (server timeout); if this fails then from what I understand it invokes the quiet period. (I guess you just need to make sure your quiet period is less than the reauth period.)
Now, the first time the reauth is invoked (port is placed in unauth VLAN, no connectivity) and it still notes that the radius server is down, it fails over to authorized and allows connectivity. On the next reauth period where it still notices that the radius server is down, it does not allow any further connectivity.
From this point, to allow for connectivity I need to enable the radius server again and disable/enable the port or physically unpatch the network cable from the device (laptop) and patch it back in for the connection to come back up.
What is going on? I need to allow for both radius servers that are part of a radius group to be used and, if both radius servers are down for longer than two reauths, for the secondary authorized to be used to allow for connectivity.
To note, the radius server timeout values are default (5 sec timeout, 3 attempts).
The unauth period of 120 is purely for testing's sake.
The authenticator timeout and max retries I have changed from 30 secs and 2 to reduce the window of no connectivity from when a radius server is unavailable.
aaa server-group radius "Radius group" host xxx.xxx.xxx.xxx (aka rada)
aaa server-group radius "Radius group" host xxx.xxx.xxx.xxx (aka radb)
aaa authentication port-access eap-radius server-group "Radius Group" authorized
aaa port-access authenticator 34
aaa port-access authenticator 34 server-timeout 20
aaa port-access authenticator 34 max-requests 1
aaa port-access authenticator 34 reauth-period 120
aaa port-access authenticator 34 auth-vid 300
aaa port-access authenticator 34 unauth-vid 999
aaa port-access authenticator active
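As an added example (not code from the original post or from HPE), the periodic "is the RADIUS server up" check the poster wants can be done from a monitoring host with a RADIUS Status-Server probe (RFC 5997), verifying the reply's Response Authenticator and Message-Authenticator so a spoofed or mis-keyed answer is not counted as healthy. It assumes the server answers Status-Server (not every RADIUS implementation does) and the shared secret, host and identifier values are constructed placeholders; the switch's own failover logic is not modelled.

```python
import hashlib, hmac, os, socket, struct
STATUS_SERVER, ACCESS_ACCEPT, MSG_AUTH = 12, 2, 80

def build_status_server(ident: int, secret: bytes, req_auth: bytes = b"") -> tuple:
    """Status-Server probe (RFC 5997) carrying the mandatory Message-Authenticator."""
    req_auth = req_auth or os.urandom(16)                  # random Request Authenticator
    header = struct.pack("!BBH", STATUS_SERVER, ident, 38) + req_auth
    # HMAC-MD5 keyed with the shared secret, MA value zeroed while computing (RFC 2869 5.14)
    mac = hmac.new(secret, header + bytes([MSG_AUTH, 18]) + bytes(16), hashlib.md5).digest()
    return header + bytes([MSG_AUTH, 18]) + mac, req_auth

def verify_reply(reply: bytes, ident: int, req_auth: bytes, secret: bytes) -> bool:
    """Accept only an Access-Accept to our probe whose two authenticators both check out."""
    if len(reply) < 20 or reply[:2] != bytes([ACCESS_ACCEPT, ident]):
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):   # declared length must match datagram
        return False
    resp_auth, attrs = reply[4:20], reply[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3)
    if not hmac.compare_digest(hashlib.md5(reply[:4] + req_auth + attrs + secret).digest(), resp_auth):
        return False
    pos = 0
    while pos + 2 <= len(attrs):                           # walk the TLV attribute list
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False
        if atype == MSG_AUTH and alen == 18:
            # reply HMAC is keyed the same way, over the *request* authenticator, MA value zeroed
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            mac = hmac.new(secret, reply[:4] + req_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, attrs[pos + 2:pos + 18])
        pos += alen
    return False                                           # no Message-Authenticator: untrusted

def build_accept_reply(ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """Constructed stand-in for a healthy server's reply, for offline testing only."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 38)
    mac = hmac.new(secret, head + req_auth + bytes([MSG_AUTH, 18]) + bytes(16), hashlib.md5).digest()
    attrs = bytes([MSG_AUTH, 18]) + mac
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def probe(host: str, secret: bytes, port: int = 1812, timeout: float = 5.0) -> bool:
    pkt, req_auth = build_status_server(ident := os.urandom(1)[0], secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:                                               # False on timeout or unverifiable reply
            s.sendto(pkt, (host, port))
            return verify_reply(s.recvfrom(4096)[0], ident, req_auth, secret)
        except OSError:                                    # timeout or ICMP port unreachable
            return False
```

Run `probe("rada-placeholder-host", b"constructed-shared-secret")` from a host the NPS server accepts as a RADIUS client; a False from both servers is the condition under which the switch's `authorized` fallback is expected to apply.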