
Re: Authenticate users with 802.1x using Radius NPS Server COMWARE 5

 
JCDINIZ1
Occasional Collector

Authenticate users with 802.1x using Radius NPS Server COMWARE 5


I am trying to authenticate network users through 802.1x with the RADIUS NPS server (Microsoft), using the HPE 1920 Comware 5 switch.

Here are the configurations I made:


radius scheme poc
 server-type extended
 primary authentication 10.10.10.36 key cipher $c$3$H8Kj1Wq6vOPbeP2+TtyGJfp4ZepkRhjm7O8qIXxiRFZ4
 primary accounting 10.10.10.36 key cipher $c$3$kGzN8Hs+xsGVZL1cVUzso4BHi5LJnZkZePxU7z1mLspW
 key authentication cipher $c$3$EQ/Uyt6JI1DmQOA6H2tIIkhxXA0iKTiTvJDYoraGqmz9
 key accounting cipher $c$3$uEU9hsmFqhI+1eXLXPcWSst5uaTqSbbRY7tdv3IK00s2
 user-name-format without-domain
 nas-ip 10.10.10.1


domain poc
 authentication login radius-scheme poc local
 authorization login radius-scheme poc local
 accounting login radius-scheme poc local
 authentication lan-access radius-scheme poc local
 authorization lan-access radius-scheme poc local
 accounting lan-access radius-scheme poc local
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

domain default enable poc

dot1x
dot1x retry 10
dot1x authentication-method eap


NETWORK INTERFACE SETTINGS

interface GigabitEthernet1/0/11
 port auto-power-down
 stp edged-port enable
 undo dot1x handshake
 dot1x mandatory-domain poc
 undo dot1x multicast-trigger
 dot1x port-method portbased
 dot1x

RADIUS NPS settings

Authentication rule

Condition            Value
NAS Port Type        Ethernet
Vendor Client        3Com
Local User Groups    local\Domain Users
Authentication Type  EAP

The authentication request packets arrive at the NPS server without problems, and the user to be authenticated is part of the group specified in the rule, but authentication fails. The NPS server log always shows the same reason:
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Does anyone have an example of a rule that should be created on the NPS server?

3 REPLIES
drk787
HPE Pro


Hi @JCDINIZ1 

Are you still facing the issue? Can you try configuring 'server-type standard' instead of 'extended' under 'radius scheme poc'?

Also, on the NPS RADIUS authentication rule settings, can you try excluding the 3Com as Vendor Client?

 

Thank You!
I am an HPE Employee


JCDINIZ1
Occasional Collector


Hi @drk787 

Thanks for helping.

I followed your tips.
When I configured "server-type standard", this is how the configuration looked on the switch:

display current-configuration configuration radius-template

radius scheme poc
 primary authentication 10.10.10.36 key cipher $c$3$H8Kj1Wq6vOPbeP2+TtyGJfp4ZepkRhjm7O8qIXxiRFZ4
 primary accounting 10.10.10.36 key cipher $c$3$kGzN8Hs+xsGVZL1cVUzso4BHi5LJnZkZePxU7z1mLspW
 key authentication cipher $c$3$EQ/Uyt6JI1DmQOA6H2tIIkhxXA0iKTiTvJDYoraGqmz9
 key accounting cipher $c$3$uEU9hsmFqhI+1eXLXPcWSst5uaTqSbbRY7tdv3IK00s2
 user-name-format without-domain
 nas-ip 10.10.10.1


The "server-type standard" attribute does not appear in the configuration.

I also removed "3Com as Vendor Client", but nothing worked.

The error remains the same:

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

JCDINIZ1
Occasional Collector


The problem was identified: it was in the endpoint. It used Windows 7 Service Pack 1, and to work with 802.1x it is necessary to install the following KBs:
KB2481614
KB980295
KB976373
KB2769121
KB2736878
KB2494172
KB976210

However, a new problem arose: after authentication succeeds in NPS and on the switch, Windows 7 or 10 still shows the status "Authentication failure" and has an IP of 169.X.X.X.
If 802.1x is removed, Windows 7 and 10 obtain an IP normally.
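
One way to check an endpoint for the KBs listed in the post above, as an added example that is not part of the original thread. The parameter and function names are hypothetical; it assumes PowerShell 2.0 or later (the version shipped with Windows 7) and, for remote machines, WMI access with an administrative account.

```powershell
# Added example: report which of the KBs listed in the thread are missing
# on one or more Windows endpoints. Compatible with PowerShell 2.0.
param(
    # Assumption: defaults to the local machine; pass names to check remotely.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# KB list copied from the post above.
$RequiredKBs = @('KB2481614', 'KB980295', 'KB976373', 'KB2769121',
                 'KB2736878', 'KB2494172', 'KB976210')

function Get-MissingKB {
    param([string]$Computer, [string[]]$Required)

    # Get-HotFix reads Win32_QuickFixEngineering. A KB that was superseded by
    # a later update may not be listed, so treat "missing" as "verify by hand".
    $installed = @(Get-HotFix -ComputerName $Computer -ErrorAction Stop |
                   ForEach-Object { $_.HotFixID })

    # -notcontains compares case-insensitively.
    $Required | Where-Object { $installed -notcontains $_ }
}

foreach ($c in $ComputerName) {
    try {
        # @() keeps .Count reliable when zero or one KB is returned.
        $missing = @(Get-MissingKB -Computer $c -Required $RequiredKBs)
        $status  = if ($missing.Count -eq 0) { 'OK' } else { 'MISSING' }
    } catch {
        # Unreachable host or access denied: report it, do not assume patched.
        $missing = @()
        $status  = "ERROR: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Computer = $c
        Status   = $status
        Missing  = ($missing -join ', ')
    } | Select-Object Computer, Status, Missing
}
```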