HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

Wired authentication failed

 
Samir_FMC
Occasional Advisor

Wired authentication failed

Hi,

i have configured HP A5500 switch to authenticate users on the ports with NPS server

the switch configurations is as follows

dot1X

radius nas-ip 10.211.0.53
dot1x authentication-method eap

mac-authentication domain fmcdom

radius scheme radius1
primary authentication 10.211.0.53
primary accounting 10.211.0.53
key authentication cipher $c$3$OiaiAtppjUk0DHbORW5XZKm8/UAy5nWq
key accounting cipher $c$3$BiHDcmLUymY2hKlsasEbfhxp5jpIo1jx
nas-ip 10.211.0.53

domain system
authentication lan-access radius-scheme radius1 local
authorization lan-access radius-scheme radius1 local
accounting lan-access radius-scheme radius1 local
access-limit enable 30
state active
idle-cut enable 20 10240
self-service-url disable

 

then port settings

port access vlan 11
dot1x

 

=============================

but when i connect the cable it give authentication failed with my domain\username in the log....

 

can anyone help please

i need to configure this feature to authenticate computers with domain valid domain account on the network rather than using port-security.

 

 

thanks

6 REPLIES
johnk3r
Respected Contributor

Re: Wired authentication failed

In the port configuration, try these parameters:

 

undo dot1x handshake
 dot1x mandatory-domain fmcdom
 dot1x port-method portbased
 dot1x
**************************************
ATP FLEXNETWORK V3 | ACSA
Samir_FMC
Occasional Advisor

Re: Wired authentication failed

still the same

how to know where the problem is?

[FMC-Mezz-A2]dis dot1x inter g5/0/1
Equipment 802.1X protocol is enabled
EAP authentication is enabled
EAD quick deploy is disabled

Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times 2
EAD quick deploy configuration:
EAD timeout: 30 m

The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 0

GigabitEthernet5/0/1 is link-up
802.1X protocol is enabled
Handshake is disabled
Handshake secure is disabled
802.1X unicast-trigger is disabled
802.1X user-ip freeze is disabled
Periodic reauthentication is enabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Port-based
802.1X Multicast-trigger is enabled
Mandatory authentication domain: fmcdom
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Critical VLAN: NOT configured
Critical recovery-action: NOT configured
Max number of on-line users is 256

EAPOL Packet: Tx 519, Rx 85
Sent EAP Request/Identity Packets : 477
EAP Request/Challenge Packets: 0
EAP Success Packets: 0, Fail Packets: 29
Received EAPOL Start Packets : 31
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 34
EAP Response/Challenge Packets: 0
Error Packets: 0

Controlled User(s) amount to 0

Samir_FMC
Occasional Advisor

Re: Wired authentication failed

is there any configuration template that i can use it?

contains port configuration and switch global configuration ?

 

thanks

luckyh
Advisor

Re: Wired authentication failed

Don't get me wrong but you have set your NAS-IP to the same as your radius server IP

As Per RFC2865:

This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets.  Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.

so this suppossed to be the source IP of your switch requesting at the RADIUS, do you have the NAS-IPÜ (switch IP configured at the RADIUS as RADIUS client with the same secret ? otherwise your RADIUS (NPS) is not answering the request et all

Samir_FMC
Occasional Advisor

Re: Wired authentication failed

thanks for the information, now my configs are as follows

 


radius nas-ip 10.211.10.18
domain default enable system
dot1x
dot1x authentication-method eap
radius scheme radius1
primary authentication 10.211.0.53
primary accounting 10.211.0.53
key authentication cipher password
key accounting cipher password
user-name-format without-domain
nas-ip 10.211.10.18
#
domain system
authentication lan-access radius-scheme radius1 local
authorization lan-access radius-scheme radius1 local
accounting lan-access radius-scheme radius1 local
access-limit enable 30
state active
idle-cut enable 20 10240
self-service-url disable

 

interface GigabitEthernet5/0/1
port link-mode bridge
port access vlan 11
undo voice vlan mode auto
voice vlan 110 enable
apply poe-profile index 1
stp edged-port enable
dot1x re-authenticate
undo dot1x handshake
dot1x mandotory-domain system
dot1x port-method portbased
dot1x

 

is it correct?

 

luckyh
Advisor

Re: Wired authentication failed

What happens on your RADIUS, did you already debug messages to / from it ?

Do you see ACCESS_request messages arriving ?

Does your RADIUS answers with ACCESS_accept ?