HPE Community
Aruba & ProVision-based
1753971 Members
8048 Online
108811 Solutions
New Discussion

HP 2530, 802.1X Window server NPS issues

 
DPS_IT
Advisor

‎08-16-2017 04:07 PM - edited ‎08-16-2017 04:15 PM

‎08-16-2017 04:07 PM - edited ‎08-16-2017 04:15 PM

HP 2530, 802.1X Window server NPS issues

Hi there,

 

I am currently trailing an HP 2530 (YA.16.04.0008) for port security using 802.1X (port access not user). I have two MS 2012R2 servers configured with NPS that uses eap-tls.

The NPS servers are both configured correctly. I can establish an successful connection to either server.

I have configured a GPO that creates a wired policy which allows for smart card aka eap-tls.

I have configured an auth and unauth vlan. Vlans are not being dynamically assigned from the NPS servers.

My end goal is to allow the switch to use a radius group which contains two radius servers for HA and that if both become unavailable to allow connectivity and for the port to check periodically the status of the radius servers.

Radius server A (rada) is listed first in the "Radius Group", radius server b (radb) is second.

Once establishing a connection using port 34 for a laptop device, If i do not allow access to Rada although still allowing access to radb the switch does not check against radb. If i make rada available then it reconnects. If i remove rada from the group so that radb is the only radius server in the group it can connect fine.

Secondly if only a single radius server is in the group and the radius server is unavailable. When reauth is attempted it checks once (max requests) during the timeout period below (server timeout) if this fails then from what i understand it invokes the quiet period. (i guess you just need to make sure your quiet period is less than the reauth period)

Now during the first time the reauth is invoked (port is placed in unauth vlan, no connectivity) and it still notes that the radius server is down it fails over to authorized and allows connectivity. On the next reauth period where it still notices that the radius server is down it does not allow any further connectivity.

From this point to allow for connectivity I need to enable the radius server again and disable/enable port or phyiscally unpatch the network cable from the device (laptop) and patch it back in for the connection to come back up.

What is going on? I need to allow for both radius servers apart of a radius group to be used and to allow for if both radius servers are down for longer than two reauths that the secondary authourized will be used to allow for connectivity.

To note the radius server timeout values are default (5 sec timout, 3 attempts)

The unauth period of 120 is purely for testing sake.

The authenticator timeout and max retries i have changed from 30secs and 2 to reduce the window of no connectivity from when a radius server in unavailable.

aaa server-group radius "Radius group" host xxx.xxx.xxx.xxx (aka rada)
aaa server-group radius "Radius group" host xxx.xxx.xxx.xxx (aka radb)

aaa authentication port-access eap-radius server-group "Radius Group" authorized

aaa port-access authenticator 34
aaa port-access authenticator 34 server-timeout 20
aaa port-access authenticator 34 max-requests 1
aaa port-access authenticator 34 reauth-period 120
aaa port-access authenticator 34 auth-vid 300
aaa port-access authenticator 34 unauth-vid 999
aaa port-access authenticator active

 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.