
802.1x Client Authentication Error JG236A HP A5120-24G


We have the following scenario.

- Switch A5120-24G  Version 5.20.99, Release 2222P08

- Microsoft NPS (Network Policy Server) as authentication server

- IP phones (using MAB authentication) and desktops attached to the IP phones

We have specific VLANs for authenticated users and a GUEST VLAN.

I need help deploying 802.1x client authentication. All the switch and Microsoft NPS configurations seem okay. The user attempts to log on and succeeds, but a few seconds after the successful authentication the desktop retries authentication. Switch and NPS logs show that the user was granted access, but the desktop does not stay in the authenticated state.

Have you ever seen something like that?

See the switch configuration below.


domain default enable
dot1x quiet-period
dot1x timer quiet-period 10
dot1x timer tx-period 10
dot1x timer supp-timeout 10
dot1x retry 1
dot1x timer reauth-period 7200
dot1x authentication-method eap

vlan 1
vlan 100
vlan 180
vlan 110
vlan 200
name VOIP

radius scheme TEST
primary authentication X.X.X.X
primary accounting X.X.X.X
key authentication cipher MYPASS
key accounting cipher MYPASS
user-name-format without-domain
authentication lan-access radius-scheme TEST local
authorization lan-access radius-scheme TEST local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state block
idle-cut disable
self-service-url disable
user-group system
group-attribute allow-guest

interface GigabitEthernet1/0/6
description *** TEST 802.1X IP-PHONE + PC ***
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 200 tagged
port hybrid vlan 100 untagged
port hybrid pvid vlan 100
poe enable
stp edged-port enable
lldp voice-vlan 200
dot1x guest-vlan 110
dot1x auth-fail vlan 110
dot1x voice vlan 200
dot1x port-method portbased

*** I had to use portbased instead of mac-based, even with a PC + IP phone on the port. Using the mac-based port-method (which is recommended for more than one device on the port) does not work out for me. Only the IP phone could access the network.



Log from NPS


Network Policy Server granted access to a user.

Security ID: TI\test.user
Account Name: test.user
Account Domain: TI
Fully Qualified Account Name: TI\test.user

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: 6C-0B-84-DB-04-0D

NAS IPv4 Address: x.x.x.x
NAS IPv6 Address: -
NAS Identifier: HP
NAS Port-Type: Ethernet
NAS Port: 16801882

RADIUS Client:
Client Friendly Name: H3C
Client IP Address: x.x.x.x

Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections
Network Policy Name: Secure Wired (Ethernet) Connections
Authentication Provider: Windows
Authentication Server: test.ti.local
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: 31313830323239313333303133303130
Logging Results: Accounting information was written to the local log file.

This time, when debugging dot1x, it is not showing authentication logs.



Re: 802.1x Client Authentication Error JG236A HP A5120-24G

Can you try the undo dot1x handshake command under interface 1/0/6?
Thank you,
I am an HPE employee
Was the post useful? Click on Kudos Thumb below
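
The symptom in the question (access granted, then the desktop authenticating again seconds later) can be confirmed on the NPS side by looking for repeated grants to one Calling Station Identifier far inside the configured dot1x timer reauth-period of 7200 seconds. The Python below is an added example, not part of the original thread: the per-event timestamp line, the function names and the second MAC address are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
FIELD = re.compile(r"^(Account Name|Calling Station Identifier):\s*(\S.*)$")

def _event(ts, user, mac):
    # Constructed event: assumed timestamp line + field layout from the post.
    return (f"{ts}\nNetwork Policy Server granted access to a user.\n\n"
            f"Account Name: {user}\n\nClient Machine:\nAccount Name: -\n"
            f"Calling Station Identifier: {mac}\n\n")

# Constructed sample: one client re-granted every ~15 s, one only after 7200 s.
SAMPLE = "".join([
    _event("2024-01-10 09:00:00", "test.user", "6C-0B-84-DB-04-0D"),
    _event("2024-01-10 09:00:05", "other.user", "00-00-5E-00-53-01"),
    _event("2024-01-10 09:00:15", "test.user", "6C-0B-84-DB-04-0D"),
    _event("2024-01-10 09:00:31", "test.user", "6C-0B-84-DB-04-0D"),
    _event("2024-01-10 11:00:05", "other.user", "00-00-5E-00-53-01"),
])

def parse_grants(text):
    """Return (timestamp, mac, user) for every 'granted access' event."""
    events, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if TS.match(line):
            cur = {"ts": datetime.strptime(line, "%Y-%m-%d %H:%M:%S"), "granted": False}
            events.append(cur)
        elif cur is not None:
            cur["granted"] = cur["granted"] or "granted access" in line
            m = FIELD.match(line)
            if m:  # first occurrence wins: the user, not "Client Machine"
                cur.setdefault(m.group(1), m.group(2))
    return [(e["ts"], e["Calling Station Identifier"], e.get("Account Name"))
            for e in events if e["granted"] and "Calling Station Identifier" in e]

def find_reauth_loops(grants, reauth_period=7200, min_early=2):
    """Map MAC -> gaps in seconds for clients re-granted well before reauth_period."""
    by_mac = defaultdict(list)
    for ts, mac, _user in sorted(grants, key=lambda g: g[0]):
        by_mac[mac].append(ts)
    loops = {}
    for mac, times in by_mac.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        early = [g for g in gaps if g < reauth_period / 2]
        if len(early) >= min_early:
            loops[mac] = early
    return loops
```

A MAC reported by find_reauth_loops(parse_grants(...)) is being re-granted access much more often than the switch's periodic re-authentication would explain, which matches the behaviour described in the question.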