IMC UAM 802.1X

SOLVED
Nico75d
Occasional Contributor

IMC UAM 802.1X

Good afternoon everyone,

Let me explain my configuration :

MSCHAPv2 for the authentication, EAP-PEAP. So I want to authenticate users in a domain (or not, for test purposes).
I put IMC on the Windows DC (there are no more specifications on IMC UAM E0403 for the functional forest 2003 or 2008).

Some steps :

I enabled with/without domain on the NAC and the "/" delimiter parameters.
I can export LDAP users to UAM.
UAM EAP ROOT and SERV certificates generated from AD CS.
I can join a Microsoft client to the domain.

Topology :

ActiveDirectory-----IMC----NAC(A5120EI)-------EndUser(Linux-Windows-Mac)

  • iMC PLAT 7.2 (E0403)
  • IMC UAM 7.2 (E0403)
  • Windows Server 2012 Standard ( Active Directory)
  • CentOS 6.7 & MySQL5.1

Problem :

My 802.1X is working on Linux; there is no disconnection on link state.
On Windows 8 and macOS 10.11, the 802.1X session is disconnected after 3-5 seconds and tries to reconnect (not stable).
But there are no logs in the IMC GUI, because all clients can reach the network through 802.1X.

I am sharing some interesting debugs/traces with you.
(The StartChapV2JServer_2016-01-20.log shows the example of the default configuration...)

Thanks for your time.

4 REPLIES
Pack3tL0ss
Valued Contributor

Re: IMC UAM 802.1X

Can you share some screenshots or description of the options set in your Access Service, Access Policy, and maybe your LDAP sync policy as well? 

Nico75d
Occasional Contributor

Re: IMC UAM 802.1X

Hello,

I shared the whole process.

The authentication still works for users; the NAC tells me the domain user is OK.
But I still have this issue on Windows and Mac.
I submit domain/user + password. The switch says OK, I have my DHCP pushed over 802.1X and I can access all of the network; after 3-5 seconds Windows Network Manager changes the message from "Active Connection" to "Authentication attempt".

(I did not put more information on the switch; I just pushed the AAA through the Access Device Management.)

Can it be a certificate problem  ?

Thank you.

NeilR
Respected Contributor

Re: IMC UAM 802.1X

Reviewing your PNGs, it looks like you are using 7.2? I'm not there yet; it looks like there are a few changes.

If you have used your AD's certs for root and server these should be good. Remember that these do not auto renew, so manually renew before they expire.

In the 802.1X config on the client, make sure the client has the root cert checked as a trusted CA, OR uncheck "validate server certificate". If validate is checked and there is no cert = fail.

I notice your max Bound & Online endpoints is set to 0 - that may NOT be unlimited, so try setting these to a value. I've posted my service and access policy settings from 7.1.

Your LDAP settings look good.

On the switch I did set other params for ports, but the basic deploy should work. I'm using both MAC and 802.1X, so I have a service policy/service for each.

Nico75d
Occasional Contributor
Solution

Re: IMC UAM 802.1X

Hello,

Thanks for your time.

I found my problem with Windows and Mac Machines.

On Linux, the dot1x is stable.
But for Windows users I need "undo dot1x handshake" on my HP switch. Windows can't handle the connection for more than 2 minutes. The Media State message still displays "Attempt" if you do not put "undo dot1x handshake" on the specific port.

Now it works great: GPO + 802.1X + DC.