
Re: client-limit on 802.1x authentication - how many

 
_Bernhard_
Visitor

client-limit on 802.1x authentication - how many

Hi,

I'm using a 2910al-24G-PoE J9146A and want to do 802.1X and MAC user-based authentication.
Software revision  : W.15.14.0013
ROM Version        : W.14.06

In the manual "Access Security Guide for W.15.14", applicable for Products:
HP Switch 2910al-series: J9145A, J9147A, J9146A, J9148A
I find the configuration line:
aaa port-access authenticator <port-list> client-limit <1-32>

But when I try on the switch it just shows:
switch# aaa port-access authenticator 1-22 client-limit
 <1-8>                 Set the maximum number of clients to allow on the port.

Why can't I authenticate up to 32 clients as promised in the manual or at this homepage http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c02597321 ?

Best regards,
Bernhard voit

 

parnassus
Honored Contributor

Re: client-limit on 802.1x authentication - how many

Hi, in case you want to use the User-based authentication...have you tried to first enable the port based authentication with the command:

aaa port-access authenticator <port-list>

and only then to enable the User-based authentication with the same command plus the client-limit part:

aaa port-access authenticator <port-list> client-limit <1-32>

The above command is used - after executing the very first aaa port-access authenticator <port-list> command - to convert the authentication from Port-based to User-based.

Reference here.

Doing things that way...is the limit still 8 instead of 32?


I'm not an HPE Employee
_Bernhard_
Visitor

Re: client-limit on 802.1x authentication - how many

Hi parnassus,
here is the actual config (relevant parts):

; J9146A Configuration Editor; Created on release #W.15.14.0013
; Ver #06:04.18.63.ff.35.05:b6
module 1 type j9146a
dhcp-snooping
dhcp-snooping database file "tftp://z.z.z.z/somefile.dhcp" timeout 60
dhcp-snooping vlan 104
radius-server host x.x.x.x key "xxxx"
radius-server timeout 2
radius-server dead-time 5
ip default-gateway x.x.x.x
interface 23
   dhcp-snooping trust
   exit
interface 24
   dhcp-snooping trust
   exit
aaa server-group radius "extreme_nac" host x.x.x.x
aaa accounting network start-stop radius server-group "extreme_nac"
aaa authentication port-access eap-radius server-group "extreme_nac"
aaa authentication mac-based chap-radius server-group "extreme_nac"
aaa port-access authenticator 1-22
aaa port-access authenticator active
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-22
   untagged 23-24
   no ip address
   exit
vlan 104
   name "TestNAC"
   untagged 1-22
   tagged 23-24
   ip address y.y.y.y 255.255.255.0
   ip igmp
   exit
primary-vlan 104
no autorun

switchname(config)# aaa port-access authenticator 1-22 client-limit
 <1-8>                 Set the maximum number of clients to allow on the port.

As you see, even when no client-limit is configured, I only have the opportunity to choose from 1-8.
I use the same manual you refer to. What I also recognised - I can't issue the command "show port-access summary":

switchname(config)# show port-access
 [ethernet] PORT-LIST  Show Web/MAC Authentication statistics and configuration.
 authenticator         Show 802.1X (Port Based Network Access) authenticator current status, configuration or
                       last session counters.
 config                Show status of 802.1X, Web Auth, and MAC Auth configurations.
 local-mac             Show Local MAC Authentication statistics and configuration.
 mac-based             Show MAC Authentication statistics and configuration.
 supplicant            Show 802.1X (Port Based Network Access) supplicant current status and configuration.
 web-based             Show Web Authentication statistics and configuration.

Has anyone the same issues? Does anyone also use procurve 2910al PoE with 802.1x?
How many clients can you choose when trying the command

aaa port-access authenticator <port> client-limit ?

Thanks

_Bernhard_
Visitor
Solution

Re: client-limit on 802.1x authentication - how many

OK guys, I found the answer:
This document shows that only up to eight 802.1x users per port can be served:
http://www.hp.com/rnd/pdfs/datasheets/HP_ProCurve_2910al_Switch_Series.pdf

So all configuration documentation on HP for this switch is incorrect. I just got a 2920 and look at this - here we have the 32 users per port and the "show port-access summary" command also works.

parnassus
Honored Contributor

Re: client-limit on 802.1x authentication - how many

Good catch, the HPE Documentation Feedback is here.


I'm not an HPE Employee
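
An added example, not part of the original thread and not HPE code: a small Python audit that reads ProVision-style config lines and reports, per port, whether 802.1X is still port-based (no client-limit) or user-based, and flags a client-limit above the per-port maximum reported in this thread (8 on the 2910al, 32 on the 2920). Assumptions: numeric port names only, an over-limit line is treated as rejected by the switch, and the names `PLATFORM_MAX`, `expand_ports`, `audit` and the sample config are constructed for illustration.

```python
import re

# Per-port client maxima as reported in this thread: 8 on the 2910al
# (datasheet / CLI help), 32 on the 2920. Keys are labels for this example.
PLATFORM_MAX = {"2910al": 8, "2920": 32}
AUTH_RE = re.compile(r"^aaa port-access authenticator (\d[\d,-]*)(.*)$")
LIMIT_RE = re.compile(r"\bclient-limit (\d+)\b")

# Constructed sample config, not taken from the thread's switch.
SAMPLE = """\
aaa port-access authenticator 1-4
aaa port-access authenticator 1-2 client-limit 8
aaa port-access authenticator 3 client-limit 32
aaa port-access authenticator active
"""

def expand_ports(port_list):
    """Expand a numeric port list such as '1-3,7' into [1, 2, 3, 7]."""
    ports = []
    for part in port_list.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config_text, platform):
    """Return {port: (mode, client_limit, finding)} for each authenticator port."""
    max_clients = PLATFORM_MAX[platform]
    result = {}
    for line in config_text.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue  # e.g. 'aaa port-access authenticator active'
        lim = LIMIT_RE.search(m.group(2))
        limit = int(lim.group(1)) if lim else None
        for port in expand_ports(m.group(1)):
            mode, cur, _ = result.setdefault(port, ("port-based", None, None))
            if limit is None:
                continue  # plain enable line: port stays in its current mode
            if limit > max_clients:
                # Assumption: the switch rejects the line, so the mode is unchanged.
                msg = f"client-limit {limit} exceeds {platform} maximum {max_clients}"
                result[port] = (mode, cur, msg)
            else:
                result[port] = ("user-based", limit, None)
    return result

if __name__ == "__main__":
    for port, (mode, limit, finding) in sorted(audit(SAMPLE, "2910al").items()):
        print(port, mode, limit, finding or "ok")
```
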