Re: UAM PEAP authN with HP5500

SOLVED
hansvb
Frequent Advisor

UAM PEAP authN with HP5500

Hi all,

 

I'm trying to configure IMC with UAM (v7.0 E203) to authenticate LAN access on an HP 5500-24G HI cluster.

IMC was already configured with a default setup earlier; I added the UAM module on the server.

This is how I configured the UAM:

1. configure LDAP server

2. add root cert to use LDAP over SSL

3. access device configured = 5500 cluster

4. access policy, access service configured to authenticate using EAP (PEAP authN)

5. synchronize users from OU = all users are in UAM now

6. all users have the access service provided

7. finally I configured my HP 5500 cluster to enable 802.1x globally and on 1 interface.

     802.1x config is pretty much default for now, except that I set dot1x authentication-method to eap

8. configured a radius-scheme on the 5500 cluster

9. configured the domain the same as the service suffix mentioned in UAM

10. on the Windows 7 laptop I enabled Wired AutoConfig; 802.1x is enabled on the LAN interface

 

When I try to authenticate my laptop now, I notice an error in UAM (invalid authentication type).

I have Wireshark'd the RADIUS requests and responses, and there I see the wrong auth mechanism:

the challenge-response from UAM is using EAP-MD5, although I set it up to use EAP-PEAP.

 

Am I missing something here?

Thx

 
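The Wireshark check described in the post above (which EAP method the RADIUS server actually offers in its Access-Challenge) can be done programmatically on the raw datagram. The following is an added example, not code from the thread and not HPE/IMC code: it walks the RADIUS attributes, reassembles the EAP-Message attribute (type 79), and reports the EAP code and method type, so an MD5-Challenge offer stands out from a PEAP offer. It also classifies the User-Name attribute as a machine identity (Windows supplicants use the "host/" prefix for computer authentication) or a user identity. The sample packets at the bottom are constructed here with hypothetical names and an all-zero Authenticator; they are not captures from the thread.

```python
"""Decode the EAP method offered inside a captured RADIUS packet.

Added example (not from the thread, not HPE/IMC code). Feed it the bytes of a
RADIUS datagram exported from a capture; the Authenticator is not verified.
"""
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME = 1      # RFC 2865
ATTR_EAP_MESSAGE = 79   # RFC 3579
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS datagram into its code, identifier and (type, value) attributes.

    Length fields are validated so a truncated or malformed packet raises
    instead of being silently misread.
    """
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length field inconsistent with datagram size")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": RADIUS_CODES.get(code, f"code {code}"), "id": ident, "attrs": attrs}


def eap_summary(packet: bytes) -> dict:
    """Report RADIUS code, User-Name, identity kind and EAP code/type of one packet."""
    radius = parse_radius(packet)
    # RFC 3579: a long EAP packet is split across several EAP-Message
    # attributes; concatenating them in order rebuilds it.
    eap = b"".join(v for t, v in radius["attrs"] if t == ATTR_EAP_MESSAGE)
    user = next((v.decode("utf-8", "replace")
                 for t, v in radius["attrs"] if t == ATTR_USER_NAME), None)
    summary = {"radius": radius["code"], "user_name": user, "identity_kind": None,
               "eap_code": None, "eap_type": None}
    if user is not None:
        # Windows supplicants send "host/<computer FQDN>" for machine auth.
        summary["identity_kind"] = "machine" if user.lower().startswith("host/") else "user"
    if len(eap) >= 4:
        eap_code, _eap_id, eap_len = struct.unpack("!BBH", eap[:4])
        summary["eap_code"] = EAP_CODES.get(eap_code, f"code {eap_code}")
        # Only Request/Response packets carry a Type byte after the header.
        if eap_code in (1, 2) and eap_len >= 5 and len(eap) >= 5:
            summary["eap_type"] = EAP_TYPES.get(eap[4], f"type {eap[4]}")
    return summary


# --- Constructed sample packets (hypothetical values, not from the thread) ---

def _attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value


def _eap(code: int, ident: int, eap_type=None, data: bytes = b"") -> bytes:
    payload = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def _radius(code: int, ident: int, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


IDENTITY = b"host/LAPTOP01.example.local"   # hypothetical computer account
# Supplicant's EAP-Response/Identity carried in an Access-Request.
SAMPLE_REQUEST = _radius(1, 7, [_attr(ATTR_USER_NAME, IDENTITY),
                                _attr(ATTR_EAP_MESSAGE, _eap(2, 1, 1, IDENTITY))])
# Server offering MD5-Challenge: a 16-byte value preceded by its size byte.
SAMPLE_MD5_CHALLENGE = _radius(11, 7, [_attr(ATTR_EAP_MESSAGE,
                                             _eap(1, 2, 4, b"\x10" + b"\xaa" * 16))])
# Server offering PEAP: the PEAP Start flag (0x20) follows the Type byte.
SAMPLE_PEAP_CHALLENGE = _radius(11, 7, [_attr(ATTR_EAP_MESSAGE, _eap(1, 2, 25, b"\x20"))])

if __name__ == "__main__":
    for name, pkt in [("request", SAMPLE_REQUEST), ("md5", SAMPLE_MD5_CHALLENGE),
                      ("peap", SAMPLE_PEAP_CHALLENGE)]:
        print(name, eap_summary(pkt))
```

Run against the real Access-Challenge from a capture, an "eap_type" of "MD5-Challenge" confirms the symptom from the post (the server never moved to PEAP), while "PEAP" with code "Request" is what a correctly configured access policy should produce. The "identity_kind" field separates computer-account attempts from user attempts, which matters later in the thread when the two behave differently.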

8 REPLIES
hansvb
Frequent Advisor

Re: UAM PEAP authN with HP5500

I have been working on this issue this weekend.

For now I have changed the radius scheme to send RADIUS requests to Windows NPS, which is working immediately.

Trying to upgrade my UMC to the latest patch first.

 

My setup on UAM looks fine; rather a default config.

Just want to perform auth against LDAP; phase 2 is to add a guest VLAN if auth fails.

 

NeilR
Esteemed Contributor
Solution

Re: UAM PEAP authN with HP5500

I run a similar setup - see my earlier posts for some setup examples.

 

Being at the latest version is a good thing, but be aware the latest version is 7.1 E302P10. Versions after 7.1 E302 but before P10 would not authenticate computers properly, only users.

 

For this to work, under user access policy, set Certificate Authentication to EAP, Certificate Type to EAP-PEAP AuthN, Certificate Sub-Type to MS-CHAPV2 AuthN.

 

Under service parameters, certificates, set the root certificate and the IMC server certificate to match your AD domain. Under system settings, set the Domain controller-assisted PEAP settings - use Windows 2003 or earlier even if not (may be fixed now, but if nothing works try the other way).

 

Hope this helps

hansvb
Frequent Advisor

Re: UAM PEAP authN with HP5500

I did change the domain level to 2003 already in the domain-assisted PEAP settings, although the domain functional level is 2008 R2, but it didn't resolve my issue.

Now I am upgrading my IMC and UAM version to 7.1; let's see if it is resolved there.

hansvb
Frequent Advisor

Re: UAM PEAP authN with HP5500

Thx Neil, I have managed to get this thing working somehow.

I have upgraded the IMC and UAM versions to P10.

 

I can work on this now, but if the laptop reboots it starts authenticating using the computer account instead of the user name.

With the computer account, authentication fails; if I change the 802.1x settings on the client to user authentication only, I can log in fine.

 

One last thing: is it possible to grant a guest VLAN in IMC/UAM if authentication fails, or is this a config setting on the Comware device?

 

interface GigabitEthernet7/0/22
 port link-mode bridge
 description **Client-Access-Port**
 port link-type hybrid
 port hybrid vlan 1 untagged
 loopback-detection enable
 broadcast-suppression pps 3000
 poe enable
 stp edged-port enable
 dot1x auth-fail vlan 18
 undo dot1x handshake
 dot1x mandatory-domain domain
 undo dot1x multicast-trigger
 dot1x

 

NeilR
Esteemed Contributor

Re: UAM PEAP authN with HP5500

I tried UAM P10 and it would not authenticate the computer account, only the user account.  So I rolled back.

 

So either still broken, or something in the new settings needs to be added, or the update from older settings is not complete/corrupted. To use computer auth, roll UAM back to E0302. It seems to run ok with the rest of IMC at latest P10.

 

I'll have to do some trouble shooting with HP I guess.

 

When the laptop boots it uses computer auth and fails, but when the user logs in it should reauthenticate with user credentials. OK if the user has previously logged in, but new users are out of luck.

 

I use ProVision for the access switch, so there is an unauth VLAN option - it will open a port on VLAN xx if authentication fails. I use this as a de facto guest VLAN, with access to the domain controller/DNS, DHCP and the public internet.

 

Looks like your Comware config will do the same, but I'm not so up on Comware.

 

For Comware you also have this option, to redirect to the guest BYOD portal for MAC registration authentication. Covered here by Peter Debruyne:

 

http://abouthpnetworking.com/2014/01/30/comware-portal-redirect-for-byod-use/


hansvb
Frequent Advisor

Re: UAM PEAP authN with HP5500

Hi Neil,

 

Sorry for my late reply, but I got things working for user auth and guest VLAN.

I made a mistake in interpretation: I set my internal network as the PVID VLAN ID and then set the guest VLAN ID to be pushed if authentication fails.

 

port link-type hybrid
port hybrid vlan 1 untagged
port hybrid pvid vlan 1
dot1x guest-vlan 18

 

But I had to set the guest VLAN ID as the default PVID and set that as the guest VLAN.

Using the IMC UAM auth, the user was provided with the right VLAN ID.

So afterwards the config looked like:

 

port link-type hybrid
port hybrid vlan 18 untagged
port hybrid pvid vlan 18
undo port hybrid vlan 1
dot1x guest-vlan 18

 

Then it was working fine, as it should .... for now.

 

In a later stage I will need to set multiple authentication schemes on the switch.

The customer also wants to authenticate thin clients and printers on its network; now we only do 802.1x for administrative clients.

NeilR
Esteemed Contributor

Re: UAM PEAP authN with HP5500

Thx for the update.

 

Printers and phones I authenticate using MAC address. Even though some printers can do 802.1x, the supplicants are not very smart. So I have 802 & MAC on the same ports.

 

You can set that up in Mute Terminal User Configuration Profile, using part or all of the MAC to auto-generate the user, or find them in User > User Access Log > Authentication Failure Log and add them as a user from there. Or bulk import them.

 

Did you get computer authentication to work with UAM P10? If so how?

hansvb
Frequent Advisor

Re: UAM PEAP authN with HP5500

I didn't use computer authentication on this; user authentication was enough for this project.

But I should have a further look in other projects.