06-20-2018 05:06 AM
General setup of FreeRADIUS with 3COM SuperStack® 4 Switch 5500G-EI
I am currently trying to establish a setup of a FreeRADIUS server together with a 3COM SuperStack® 4 Switch 5500G-EI. I want to try to configure multiple things to check the capabilities of RADIUS, for example SSH authentication to the switch with RADIUS or port-based network access control with 802.1X.
First thing, my RADIUS server. It is FreeRADIUS 3.0.13 on CentOS Linux release 7.5.1804 (Core). As a management interface I am using Daloradius version 0.9-9. I think my RADIUS setup is fine so far; I added some clients and users and tested the connection with the NTRadPing Test Utility (https://www.novell.com/coolsolutions/tools/14377.html):
My RADIUS debug output prints the following when I send an authentication request (a screenshot should be attached to this post):
(0) Sent Access-Accept Id 4 from 10.1.22.135:1812 to 10.1.100.103:63899 length 0
(0) Finished request
So, looks like it is working.
Now my problem is, how do I configure the switch? I have read multiple sections from the official documentation (http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c02583472-1.pdf). I have tried to apply the sample configurations like the one from page 267 without success.
If I go through the steps as mentioned in the documentation and activate 802.1X on a port, the device on that port just has no access to the network anymore. Sounds reasonable, as I should have to authenticate first. If I try that with the NTRadPing Test Utility, nothing ever reaches my RADIUS server.
I have created users, I have created RADIUS schemes and domains and linked them. I created ACLs where they were needed for the configuration examples, but my RADIUS server never got any request from the switch.
I will post some configuration information below in case someone wants to have a look.
<5500G-EI>display domain
 0  Domain = geutebrueck
    State = Active
    Default Scheme : RADIUS Scheme = radius1
    Access-limit = Disable
    Vlan-assignment-mode = Integer
    Domain User Template:
    Idle-cut = Disable
    Self-service = Disable
    Messenger Time = Disable
 1  Domain = system
    State = Active
    Default Scheme : Local
    Access-limit = Disable
    Vlan-assignment-mode = Integer
    Domain User Template:
    Idle-cut = Disable
    Self-service = Disable
    Messenger Time = Disable

 SchemeName =radius1   Index=1   Type=standard
 Primary Auth IP =10.1.22.135   Port=1812
 Primary Acct IP =10.1.22.135   Port=1813
 Auth Server Encryption Key= secret123
 Acct Server Encryption Key= secret123
 Accounting method = optional
 Accounting-On packet disable, send times = 15 , interval = 3s
 TimeOutValue(in second)=3   RetryTimes=3   RealtimeACCT(in minute)=12
 Permitted send realtime PKT failed counts =5
 Retry sending times of noresponse acct-stop-PKT =500
 nas-ip:Source-IP-address =N/A
 Quiet-interval(min) =5
 Username format =without-domain
 Data flow unit =Byte   Packet unit =1
 calling_station_id format in lowercase
 Primary Auth IP =10.1.22.135   State(unit)=A(1)   (A:Acitve/B:Block)
 Primary Acct IP =10.1.22.135   State(unit)=A(1)

<5500G-EI>display ssh user-information
 Username        Authentication-type   User-public-key-name   Service-type
 administrator   password              null                   stelnet
 switchadmin     password              null                   stelnet

[5500G-EI]display dot1x interface GigabitEthernet 1/0/10
 Global 802.1X protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Handshake is enabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
 EAD Quick Deploy is disabled
 Configuration: Transmit Period 30 s, Handshake Period 15 s
                ReAuth Period 3600 s, ReAuth MaxTimes 2
                Quiet Period 60 s, Quiet Period Timer is disabled
                Supp Timeout 30 s, Server Timeout 100 s
                Interval between version requests is 30s
                Maximal request times for version information is 3
                The maximal retransmitting times 2
 EAD Quick Deploy configuration:
                Acl-timeout: 30 m
 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 0

 GigabitEthernet1/0/10 is link-up
 802.1X protocol is enabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
 Version-Check is disabled
 The port is an authenticator
 Authentication Mode is Auto
 Port Control Type is Mac-based
 ReAuthenticate is disabled
 Max number of on-line users is 256
 Authentication Success: 0, Failed: 0
 EAPOL Packets: Tx 3, Rx 0
 Sent EAP Request/Identity Packets : 3
 EAP Request/Challenge Packets: 0
 Received EAPOL Start Packets : 0
 EAPOL LogOff Packets: 0
 EAP Response/Identity Packets : 0
 EAP Response/Challenge Packets: 0
 Error Packets: 0
 Controlled User(s) amount to 0

[5500G-EI]display interface GigabitEthernet 1/0/10
 GigabitEthernet1/0/10 current state : UP
 IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-57bf-c64a
 Media type is twisted pair, loopback not set
 Port hardware type is 1000_BASE_T
 1000Mbps-speed mode, full-duplex mode
 Link speed type is autonegotiation, link duplex type is autonegotiation
 Flow-control is not enabled
 The Maximum Frame Length is 9216
 Broadcast MAX-ratio: 100%
 Unicast MAX-ratio: 100%
 Multicast MAX-ratio: 100%
 Allow jumbo frame to pass
 PVID: 1
 Mdi type: auto
 Port link-type: access
 Tagged VLAN ID : none
 Untagged VLAN ID : 1
 Last 300 seconds input: 249 packets/sec 16073 bytes/sec
 Last 300 seconds output: 1201 packets/sec 1490265 bytes/sec
 Input(total): 2967887 packets, 190970349 bytes
         276 broadcasts, 2400 multicasts, 0 pauses
 Input(normal): - packets, - bytes
         - broadcasts, - multicasts, - pauses
 Input: 0 input errors, 0 runts, 0 giants, - throttles, 0 CRC
Any help is appreciated and I will deliver all requested information if possible,
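The `display dot1x interface` counters in the post already locate where the flow stops: the switch has sent three EAP-Request/Identity frames (EAPOL Tx 3) and received nothing back (EAPOL Rx 0, EAP Response/Identity 0). An 802.1X authenticator only builds a RADIUS Access-Request after a supplicant answers with its identity, so with these counters the switch has nothing to send to FreeRADIUS, whatever the scheme or domain configuration says. NTRadPing is a RADIUS client, not an 802.1X supplicant, and a PC behind an unauthorized port cannot reach the server at all. The script below is an added example, not part of the original post or of any 3Com/HPE tool: it parses the per-port counters from this Comware output (the sample is constructed from the values posted above) and maps them to the first stage of the 802.1X/RADIUS exchange that stalled, so the same check can be repeated after each configuration change.

```python
import re

# Constructed sample: the per-port section of the poster's
# "display dot1x interface GigabitEthernet 1/0/10" output, counters as posted.
SAMPLE_PORT_OUTPUT = """\
GigabitEthernet1/0/10 is link-up
802.1X protocol is enabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
Authentication Success: 0, Failed: 0
EAPOL Packets: Tx 3, Rx 0
Sent EAP Request/Identity Packets : 3
EAP Request/Challenge Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0
"""

# One regex per counter; each captures a single integer from the Comware text.
COUNTER_PATTERNS = {
    "eapol_tx":       r"EAPOL Packets:\s*Tx\s*(\d+)",
    "eapol_rx":       r"EAPOL Packets:\s*Tx\s*\d+,\s*Rx\s*(\d+)",
    "eapol_start":    r"Received EAPOL Start Packets\s*:\s*(\d+)",
    "req_identity":   r"Sent EAP Request/Identity Packets\s*:\s*(\d+)",
    "resp_identity":  r"EAP Response/Identity Packets\s*:\s*(\d+)",
    "resp_challenge": r"EAP Response/Challenge Packets\s*:\s*(\d+)",
    "auth_success":   r"Authentication Success:\s*(\d+)",
    "auth_failed":    r"Authentication Success:\s*\d+,\s*Failed:\s*(\d+)",
}


def parse_dot1x_counters(text):
    """Return {counter_name: int}; a counter absent from the output is reported as 0."""
    counters = {}
    for name, pattern in COUNTER_PATTERNS.items():
        match = re.search(pattern, text)
        counters[name] = int(match.group(1)) if match else 0
    return counters


def diagnose(counters):
    """Name the first stage of the 802.1X -> RADIUS flow that stalled.

    Stage order: the authenticator transmits EAP-Request/Identity; the supplicant
    replies with EAPOL frames and an EAP-Response/Identity; only then does the switch
    send a RADIUS Access-Request, whose outcome lands in the Success/Failed counters.
    """
    tx = counters.get("eapol_tx", 0)
    rx = counters.get("eapol_rx", 0)
    identities = counters.get("resp_identity", 0)
    ok = counters.get("auth_success", 0)
    failed = counters.get("auth_failed", 0)

    if tx == 0:
        # 802.1X not actually active on the port: the switch never asked anyone.
        return "authenticator_not_transmitting"
    if rx == 0:
        # Switch asks, client is silent: no supplicant running on the attached host,
        # so no RADIUS request can exist yet. This is the poster's situation.
        return "no_supplicant_on_port"
    if identities == 0:
        # Client sent EAPOL (e.g. EAPOL-Start) but never answered with an identity.
        return "supplicant_sent_no_identity"
    if ok + failed == 0:
        # Identity received, so an Access-Request should have gone out, but the
        # switch never recorded a result: check server reachability, that the switch's
        # source IP matches the FreeRADIUS client entry, and the shared secret.
        return "no_radius_result"
    if failed > 0 and ok == 0:
        # Server answers, but rejects: credentials, EAP method or user/domain mapping.
        return "all_attempts_rejected"
    return "authentications_succeeding"


if __name__ == "__main__":
    counters = parse_dot1x_counters(SAMPLE_PORT_OUTPUT)
    print(counters)
    print(diagnose(counters))
```

Paste the real `display dot1x interface` text in place of the constructed sample. Once the port reports EAPOL Rx and EAP Response/Identity counts above zero and the switch still records no result, the checks move to the RADIUS side: FreeRADIUS identifies a NAS by the source IP of the packet, and the scheme above shows `nas-ip:Source-IP-address =N/A`, so the address the switch uses towards 10.1.22.135 is whatever its egress interface carries and must be the one entered as a client in FreeRADIUS.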