- UAM PEAP authN with HP5500
05-07-2015 08:06 AM
Hi all,
I'm trying to configure IMC with UAM (v7.0 E203) to authenticate LAN access on an HP 5500-24G HI cluster.
IMC was already configured with the default setup earlier; I added the UAM module on the server.
This is how I configured UAM:
1. configured the LDAP server
2. added the root cert to use LDAP-on-SSL
3. access device configured = 5500 cluster
4. access policy, access service configured to authenticate using EAP (PEAP authN)
5. synchronized users from the OU = all users are in UAM now
6. all users have the access service provided
7. finally I configured my HP 5500 cluster to enable 802.1x globally and on 1 interface. The 802.1x config is pretty much default for now, except I set dot1x authentication-method to eap
8. configured a radius-scheme on the 5500 cluster
9. configured the domain to be the same as the service suffix mentioned in UAM
10. on the Windows 7 laptop I enabled Wired AutoConfig; 802.1x is enabled on the LAN interface
When I try to authenticate my laptop now, I notice an error in UAM (invalid authentication type).
I have Wiresharked the RADIUS requests and responses, and there I see the wrong auth mechanism.
The challenge-response from UAM is using EAP-MD5 although I set it up to use EAP-PEAP.
Am I missing something here?
Thx
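The capture check described in the post above, reading which EAP method the RADIUS server proposes, can be scripted. The following Python is an added example, not part of the thread: it extracts the EAP-Message attribute (type 79) from a RADIUS packet and names the EAP method using the standard type numbers (4 = MD5-Challenge, 25 = PEAP). The sample packets and helper names are constructed for illustration.

```python
import struct

EAP_MESSAGE = 79  # RADIUS attribute that carries EAP packets (RFC 3579)
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def eap_from_radius(packet: bytes) -> bytes:
    """Concatenate every EAP-Message attribute in one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    eap, pos = b"", 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == EAP_MESSAGE:
            eap += packet[pos + 2:pos + alen]
        pos += alen
    return eap

def describe(packet: bytes) -> dict:
    """Report the RADIUS code, the EAP method, and any methods a Nak asks for."""
    eap = eap_from_radius(packet)
    info = {"radius": RADIUS_CODES.get(packet[0], str(packet[0])),
            "eap_type": None, "nak_wants": []}
    # Only EAP Request (1) and Response (2) carry a Type byte at offset 4.
    if len(eap) >= 5 and eap[0] in (1, 2):
        info["eap_type"] = EAP_TYPES.get(eap[4], str(eap[4]))
        if eap[4] == 3:  # Legacy Nak: the peer lists the methods it will accept
            end = struct.unpack("!H", eap[2:4])[0]
            info["nak_wants"] = [EAP_TYPES.get(t, str(t)) for t in eap[5:end]]
    return info

def build_radius(code: int, attrs: list) -> bytes:
    """Build a constructed sample packet (zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples, not taken from the poster's capture.
MD5_CHALLENGE = build_radius(11, [(79, bytes([1, 2, 0, 22, 4, 16]) + bytes(16))])
PEAP_START = build_radius(11, [(79, bytes([1, 3, 0, 6, 25, 0x20]))])
PEER_NAK = build_radius(1, [(1, b"user@domain"), (79, bytes([2, 2, 0, 6, 3, 25]))])
```

An Access-Challenge whose `eap_type` is `MD5-Challenge`, followed by a peer `Nak` asking for `PEAP`, matches the symptom in the post: the server is offering a method the supplicant is not configured to use.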
05-11-2015 03:00 AM
Re: UAM PEAP authN with HP5500
I have been working on this issue this weekend.
For now I have changed the RADIUS scheme to send RADIUS requests to Windows NPS, which is working immediately.
Trying to upgrade my UMC to the latest patch first.
My setup on UAM looks fine, rather default config.
Just wanna perform auth against LDAP; phase 2 is to add a guest VLAN if auth failed.
05-11-2015 04:50 PM - edited 05-11-2015 04:56 PM
Solution
I run a similar setup - see my earlier posts for some setup examples.
Being at the latest version is a good thing, but be aware the latest version is 7.1 E302P10. Versions after 7.1E302 but before P10 would not authenticate computers properly, only users.
For this to work, under user access policy, set Certificate Authentication to EAP, Certificate Type to EAP-PEAP AuthN, Certificate Sub-Type to MS-CHAPV2 AuthN.
Under service parameters, certificates, set the root certificate and the IMC server certificate to match your AD domain. Under system settings, set the Domain controller-assisted PEAP settings - use Windows 2003 or earlier even if not (may be fixed now, but if nothing works try the other way).
Hope this helps
05-17-2015 03:57 PM
Re: UAM PEAP authN with HP5500
I did change the domain level to 2003 already in the domain-assisted PEAP settings, although the domain functional level is 2008R2, but it didn't resolve my issue.
Now I am upgrading my IMC and UAM version to 7.1, and let's see if it is resolved there.
06-02-2015 03:37 AM
Re: UAM PEAP authN with HP5500
Thx Neil, I have managed to get this thing working somehow.
I have upgraded the IMC and UAM versions to P10.
I can work on this now, but if the laptop reboots it starts authenticating using the computer account instead of the user name.
With the computer account authentication fails; if I change the 802.1x settings on the client to user authentication only, I can log in fine.
One last thing: is it possible to grant a guest VLAN in IMC/UAM if authentication fails, or is this a config setting on the ComWare device?
interface GigabitEthernet7/0/22
 port link-mode bridge
 description **Client-Access-Port**
 port link-type hybrid
 port hybrid vlan 1 untagged
 loopback-detection enable
 broadcast-suppression pps 3000
 poe enable
 stp edged-port enable
 dot1x auth-fail vlan 18
 undo dot1x handshake
 dot1x mandatory-domain domain
 undo dot1x multicast-trigger
 dot1x
06-02-2015 06:05 PM
Re: UAM PEAP authN with HP5500
I tried UAM P10 and it would not authenticate the computer account, only the user account. So I rolled back.
So either still broken, or something in the new settings needs to be added, or the update from older settings is not complete/corrupted. To use computer auth, roll UAM back to E0302. It seems to run OK with the rest of IMC at latest P10.
I'll have to do some troubleshooting with HP I guess.
When the laptop boots it uses computer auth and fails, but when the user logs in it should reauthenticate with user credentials. OK if the user has previously logged in, but new users are out of luck.
I use ProVision for the access switch, so there is an unauth VLAN option - it will open a port on vlan xx if authentication fails. I use this as a de facto guest VLAN, with access to Domain controller/DNS, DHCP and public internet.
Looks like your Comware config will do the same, but I'm not so up on Comware.
For Comware you also have this option, to redirect to a guest BYOD portal for MAC registration authentication. Covered here by Peter Debruyne:
http://abouthpnetworking.com/2014/01/30/comware-portal-redirect-for-byod-use/
06-05-2015 05:33 AM
Re: UAM PEAP authN with HP5500
Hi Neil,
Sorry for my late reply, but I got things working for user auth and guest VLAN.
I made a mistake in interpretation: I set my internal network as the PVID VLAN ID and then set the guest-vlan ID to be pushed if authentication fails
 port link-type hybrid
 port hybrid vlan 1 untagged
 port hybrid pvid vlan 1
 dot1x guest-vlan 18
But I had to set the guest VLAN ID as the default PVID and set that as guest-vlan.
Using the IMC UAM auth, the user was provided with the right VLAN ID.
So afterward the config looked like
 port link-type hybrid
 port hybrid vlan 18 untagged
 port hybrid pvid vlan 18
 undo port hybrid vlan 1
 dot1x guest-vlan 18
Then it was working fine as it should .... for now
At a later stage I will need to set multiple authentication schemes on the switch.
The customer also wants to authenticate thin clients and printers on its network; for now we only do 802.1x for administrative clients.
06-05-2015 09:14 AM
Re: UAM PEAP authN with HP5500
Thx for the update.
Printers and phones I authenticate using MAC address. Even though some printers can do 802.1x, the supplicants are not very smart. So I have 802 & MAC on the same ports.
You can set that up in Mute Terminal User Configuration Profile, using part or all of the MAC to auto-generate the user, or find them in User > User Access Log > Authentication Failure Log, and add them as users from there. Or bulk import them.
Did you get computer authentication to work with UAM P10? If so, how?
06-10-2015 02:08 PM
Re: UAM PEAP authN with HP5500
I didn't use computer authentication on this; user authentication was enough for this project.
But I should have a further look in other projects.