11-07-2019 01:08 PM - edited 11-08-2019 07:58 AM
Dot1x allowing non authenticated wired users on the network
Hi,
I am in the testing phase of dot1x for wired user authentication. I am using a 7506 switch running Comware 5.20.
Below is the global configuration:
#
radius nas-ip 10.1.2.211
#
domain default enable domain.org
#
ip ttl-expires enable
ip unreachables enable
#
lldp enable
lldp compliance cdp
#
port-security enable
#
dot1x quiet-period
dot1x timer quiet-period 30
dot1x retry 3
dot1x timer handshake-period 30
dot1x authentication-method eap
#
radius scheme radius_auth
primary authentication 10.158.50.2 key cipher xxxxxxx
primary accounting 10.158.50.2 key cipher xxxxxxx
secondary authentication 10.58.50.72 key cipher xxxxxxx
secondary accounting 10.58.50.2 key cipher xxxxxxx
user-name-format without-domain
accounting-on enable
#
domain domain.org
authentication login hwtacacs-scheme tacacs_auth local
authorization login hwtacacs-scheme tacacs_auth local
accounting login hwtacacs-scheme tacacs_auth local
authentication lan-access radius-scheme radius_auth
authorization lan-access radius-scheme radius_auth
accounting lan-access radius-scheme radius_auth
access-limit disable
state active
idle-cut disable
self-service-url disable
#
The interface configuration:
#
interface GigabitEthernet2/0/42
port link-mode bridge
description Wall Plate # 13
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 2265 tagged
port hybrid vlan 2264 untagged
port hybrid pvid vlan 2264
undo voice vlan mode auto
voice vlan qos trust
voice vlan 2265 enable
poe enable
lldp compliance admin-status cdp txrx
qos trust dscp
port-security port-mode userlogin-secure-or-mac
undo dot1x handshake
dot1x mandatory-domain domain.org
dot1x unicast-trigger
#
The plan is to get dot1x for data VLAN and ip phones get MAB authenticated on the voice VLAN. Also, I already configured my RADIUS server (Cisco ISE). Now when I connect my laptop without a supplicant configured, the connection hangs in there for 30 seconds or so, and then I get full network access. Basically, I am not authenticating but it is still letting me in. Even when I configured my supplicant, I am still failing the authentication on the RADIUS server, but the switch is letting me in after 30 seconds. What am I missing?
Below is the output of the dot1x interface command:
<SW-HP-01>disp dot1x interface gig 2/0/42
Equipment 802.1X protocol is enabled
EAP authentication is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
EAD quick deploy is disabled
Configuration: Transmit Period 30 s, Handshake Period 30 s
Quiet Period 30 s, Quiet Period Timer is enabled
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times 3
EAD quick deploy configuration:
EAD timeout: 30 m
The maximum 802.1X user resource number is 2048 per slot
Total current used 802.1X resource number is 0
GigabitEthernet2/0/42 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is disabled
Handshake secure is disabled
802.1X unicast-trigger is enabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is enabled
Mandatory authentication domain: domain.org
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Critical VLAN: NOT configured
Critical recovery-action: NOT configured
Voice VLAN: NOT configured
Max number of on-line users is 1024
EAPOL Packet: Tx 1254, Rx 230
Sent EAP Request/Identity Packets : 985
EAP Request/Challenge Packets: 0
EAP Success Packets: 0, Fail Packets: 36
Received EAPOL Start Packets : 30
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 39
EAP Response/Challenge Packets: 138
Error Packets: 0
Controlled User(s) amount to 0
Any help would be appreciated.
-JJ
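When troubleshooting a port that admits traffic without a successful EAP exchange, the counters and VLAN lines in `display dot1x interface` are the first evidence to read. The script below is an added example, not code from the post or from HPE: it parses the per-port section of that output (the sample is the text quoted above) and reports the states a defender would want to review, such as EAP failures with no EAP success, no fallback VLAN configured, and zero controlled users despite EAPOL traffic. The exact wording of the force-authorized mode string is an assumption, so it is compared case-insensitively.

```python
"""Audit an HPE Comware 'display dot1x interface' dump for 802.1X port health.

Added example, not from the original post or from HPE. Field names, the
findings text and the 'authorized-force' mode string are this example's
own assumptions; the sample below is the per-port section quoted in the post.
"""
import re

# Per-port section of the output quoted in the post.
SAMPLE_OUTPUT = """\
GigabitEthernet2/0/42 is link-up
802.1X protocol is enabled
Handshake is disabled
802.1X unicast-trigger is enabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
Mandatory authentication domain: domain.org
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Critical VLAN: NOT configured
Critical recovery-action: NOT configured
Voice VLAN: NOT configured
Max number of on-line users is 1024
EAPOL Packet: Tx 1254, Rx 230
Sent EAP Request/Identity Packets : 985
EAP Request/Challenge Packets: 0
EAP Success Packets: 0, Fail Packets: 36
Received EAPOL Start Packets : 30
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 39
EAP Response/Challenge Packets: 138
Error Packets: 0
Controlled User(s) amount to 0
"""

PATTERNS = {
    "port": re.compile(r"^(\S+) is (link-up|link-down)$", re.M),
    "eapol": re.compile(r"EAPOL Packet: Tx (\d+), Rx (\d+)"),
    "result": re.compile(r"EAP Success Packets: (\d+), Fail Packets: (\d+)"),
    "users": re.compile(r"Controlled User\(s\) amount to (\d+)"),
    "vlan": re.compile(r"^(Guest|Auth-Fail|Critical|Voice) VLAN: (.+)$", re.M),
    "mode": re.compile(r"Authentication Mode is (\S+)"),
}


def parse_dot1x_interface(text: str) -> dict:
    """Extract the fields the audit needs from one per-port section."""
    info = {}
    port, link = PATTERNS["port"].search(text).groups()
    info["port"], info["link"] = port, link
    tx, rx = PATTERNS["eapol"].search(text).groups()
    info["eapol_tx"], info["eapol_rx"] = int(tx), int(rx)
    ok, fail = PATTERNS["result"].search(text).groups()
    info["eap_success"], info["eap_fail"] = int(ok), int(fail)
    info["controlled_users"] = int(PATTERNS["users"].search(text).group(1))
    info["auth_mode"] = PATTERNS["mode"].search(text).group(1)
    # True when the fallback VLAN is set, False when the CLI says "NOT configured".
    info["fallback_vlans"] = {
        name: value.strip() != "NOT configured"
        for name, value in PATTERNS["vlan"].findall(text)
    }
    return info


def audit(info: dict) -> list:
    """Return human-readable findings; an empty list means nothing to review."""
    findings = []
    port = info["port"]
    # Assumed mode string: a force-authorized port passes all traffic unauthenticated.
    if info["auth_mode"].lower() == "authorized-force":
        findings.append(f"{port}: port-control is authorized-force; 802.1X is not enforced.")
    if info["eap_fail"] > 0 and info["eap_success"] == 0:
        findings.append(f"{port}: {info['eap_fail']} EAP failures and no EAP success; "
                        "no supplicant has ever authenticated here.")
    if not any(info["fallback_vlans"].values()):
        findings.append(f"{port}: no Guest/Auth-Fail/Critical VLAN is configured, so "
                        "access seen before EAP Success is not explained by a fallback "
                        "VLAN and must come from another port setting.")
    if info["controlled_users"] == 0 and info["eapol_rx"] > 0:
        findings.append(f"{port}: {info['eapol_rx']} EAPOL frames received but zero "
                        "controlled users; clients talk EAPOL yet none is authorized.")
    return findings


if __name__ == "__main__":
    for line in audit(parse_dot1x_interface(SAMPLE_OUTPUT)):
        print(line)
```

Run it against a fresh `display dot1x interface <port>` capture after each configuration change; a clean port should show EAP Success climbing, Controlled User(s) greater than zero, and either a configured fallback VLAN or an empty findings list.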