HPE Community
IMC
1829142 Members
6623 Online
109986 Solutions
New Discussion

802.1x UAM authentication

 
SOLVED
Go to solution
hawada
Occasional Advisor

‎07-17-2017 02:57 AM

‎07-17-2017 02:57 AM

802.1x UAM authentication

Hi,

I am new to HP IMC.

I have configured IMC and added UAM to it.

I want to create 802.1x on IMC-UAM with a Cisco switch. I have configured aaa on the switch and everything seems perfect, also I have integrated my Domain controller with IMC and install the certificate. Users can login properly when adding their credentials but they are not set in the appropriate VLAN. At the site we have one Domain controller  with several Organization Unit (OU) , example: OU="Sales" and OU="IT", what I want is that when user for Sales OU tries to authenticate I want him to get IP from VLAN 20, and when the user is in IT out I want him to be assigned IP from VLAN 30.

I saw Deploy VLAN in User>User Access Policy >Access Policy >Modify Access Policy but it didn't work.

Awaiting your kind reply

0 Kudos
2 REPLIES 2
NeilR
Esteemed Contributor

‎07-17-2017 10:14 AM

‎07-17-2017 10:14 AM

Solution

Re: 802.1x UAM authentication

The UAM module in IMC has a lot of flexibility and also complexity. The documentation is a bit hard to follow, but there are some example files as well.

I'm running HP procurve switches - so not as familiar with cisco but should work similarly. To make your scenario work you need to first define an access service for each group, Users and IT.

For each access service you need an access policy to match (there are situations where you would combine multiple access polices on 1 access service). Each policy will deploy the target VLAN, one for 20, one for 30.

Since you have IMC talking to AD, you have created a sync Policy to move the users over, and since they are authenticating, you have set up the virtual workstation to proxy credential authentication to AD, as LDAP can't get AD passwords directly. If any of that is not true, then you will need to set it up.

The sync policy maps the the users source AD security Group to the access service and its access policy for the desired VLAN. On the first screen, the Base DN and filters are setup. The users are imported from AD starting at the sub Base DN.

On the next screen, under AD group and service, specify the AD group to service mapping using the LDAP notation for group name. This may be where you are having problems as it is the GROUP membership that completes the mapping of user to access service, not the OU the user is in.

So for your plan to work, you need either:

  • two sync policies each pulling users from a different OU (and then they can be in a common AD security group like Domian users), one  access service applied for each sync policy
  • One sync policy, with users in 2 different AD security groups, each mapped to  a different access service

So OU is where the users are imported from, AD group membership maps the service.

In case the cisco switch needs special RADIUS attributes for some reason, or you need to deploy tagged vlans to the ports as well, you can set proprietary attributes under Access device management - these are then associated with the access service.

Hope this helps. Other posts on this forum are helpful as well.

0 Kudos
hawada
Occasional Advisor

‎07-24-2017 06:08 AM

‎07-24-2017 06:08 AM

Re: 802.1x UAM authentication

Hello NeilR,

Thanks for your kind support.

Sorry for the late reply but today I was able to test it.

My case was solved by following the mentioned steps.

Regards,

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.