802.1x Client Authentication Error JG236A HP A5120-24G

amatsuyama
Occasional Visitor

Hi,

We have the following scenario.

- Switch A5120-24G  Version 5.20.99, Release 2222P08

- Microsoft NPS (Network Policy Server) as authentication server

- IP phones (using MAB authentication) and desktops attached to the IP phones

We have specific VLANs for authenticated users and a GUEST VLAN.

I need help deploying 802.1x client authentication. All the switch and Microsoft NPS configurations seem okay. The user attempts to log on and succeeds, but a few seconds after the successful authentication the desktop retries authentication. The switch and NPS logs show that the user was granted access, but the desktop does not stay in the authenticated state.

Have you ever seen something like that?

See the switch configuration below.

domain default enable mydomain.com
#
dot1x
dot1x quiet-period
dot1x timer quiet-period 10
dot1x timer tx-period 10
dot1x timer supp-timeout 10
dot1x retry 1
dot1x timer reauth-period 7200
dot1x authentication-method eap
mac-authentication
#
vlan 1
#
vlan 100
name AUTHENTICATED_USER
#
vlan 180
name MANAGEMENT
#
vlan 110
name GUEST_AND_FAIL
#
vlan 200
name VOIP
#
radius scheme TEST
primary authentication X.X.X.X
primary accounting X.X.X.X
key authentication cipher MYPASS
key accounting cipher MYPASS
user-name-format without-domain
#
domain mydomain.com
authentication lan-access radius-scheme TEST local
authorization lan-access radius-scheme TEST local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state block
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
interface GigabitEthernet1/0/6
description *** TEST 802.1X IP-PHONE + PC ***
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 200 tagged
port hybrid vlan 100 untagged
port hybrid pvid vlan 100
poe enable
stp edged-port enable
lldp voice-vlan 200
dot1x guest-vlan 110
dot1x auth-fail vlan 110
dot1x voice vlan 200
dot1x port-method portbased
dot1x
#

*** I had to use portbased instead of mac-based even though I have a PC + IP phone. Using the mac-based port-method (which is recommended for more than one device on the port) did not work out for me. Only the IP phone could access the network.

Log from NPS

Network Policy Server granted access to a user.

User:
Security ID: TI\test.user
Account Name: test.user
Account Domain: TI
Fully Qualified Account Name: TI\test.user

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: 6C-0B-84-DB-04-0D

NAS:
NAS IPv4 Address: x.x.x.x
NAS IPv6 Address: -
NAS Identifier: HP
NAS Port-Type: Ethernet
NAS Port: 16801882

RADIUS Client:
Client Friendly Name: H3C
Client IP Address: x.x.x.x

Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections
Network Policy Name: Secure Wired (Ethernet) Connections
Authentication Provider: Windows
Authentication Server: test.ti.local
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: 31313830323239313333303133303130
Logging Results: Accounting information was written to the local log file.

This time, when debugging dot1x, it is not showing authentication logs.

Thanks

1 REPLY
SantoshPG
Valued Contributor
Solution

Re: 802.1x Client Authentication Error JG236A HP A5120-24G

Can you try the undo dot1x handshake command under interface 1/0/6?
Thank you,
I am an HPE employee
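An added example, not part of this thread: a small Python check that scans a Comware configuration for interfaces with dot1x enabled where the reply's `undo dot1x handshake` has not been applied, and summarises the port method and voice VLAN per interface. The sample config is constructed from the question's GigabitEthernet1/0/6 dot1x lines plus a hypothetical GigabitEthernet1/0/7 that already has the change.

```python
# Constructed sample: the question's GigabitEthernet1/0/6 dot1x lines as posted,
# plus a hypothetical GigabitEthernet1/0/7 with the reply's change applied.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/6
port link-type hybrid
dot1x guest-vlan 110
dot1x voice vlan 200
dot1x port-method portbased
dot1x
#
interface GigabitEthernet1/0/7
port link-type hybrid
dot1x voice vlan 200
undo dot1x handshake
dot1x
#
"""

def parse_interfaces(config):
    """Split a Comware config into {interface name: [command lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line == "#":
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def dot1x_summary(config):
    """For each interface with 'dot1x' enabled: port method (default macbased),
    voice VLAN, and whether the online-user handshake is still active (enabled
    by default; only an explicit 'undo dot1x handshake' turns it off)."""
    summary = {}
    for name, lines in parse_interfaces(config).items():
        if "dot1x" not in lines:
            continue  # port authentication not enabled on this interface
        method = next((l.split()[-1] for l in lines if l.startswith("dot1x port-method ")), "macbased")
        voice = next((l.split()[-1] for l in lines if l.startswith("dot1x voice vlan ")), None)
        summary[name] = {"port_method": method, "voice_vlan": voice,
                         "handshake": "undo dot1x handshake" not in lines}
    return summary

def interfaces_to_change(config):
    """Interfaces where the reply's 'undo dot1x handshake' is not yet applied."""
    return sorted(n for n, s in dot1x_summary(config).items() if s["handshake"])
```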