
Re: dot1x authentication

 
timaz
Advisor

Re: dot1x authentication

Hi and thanks again for your replies.

 

There is an interesting situation here about how iMC treats users. I have 2 users in exactly the same OU in the same domain, even with the same fields filled in on their Properties windows. Both of them are displayed as LDAP users in the IMC. But logging in with one of them causes an "Invalid Password" on the "Authentication Failure log" page in IMC, while with the other one there is nothing on the "Authentication Failure log" page, but there is "Reply-message: No This User" inside the captured files that I've collected on the IMC server!

 

Besides, I don't think that IMC doesn't recognise both users, because when I entered a non-existent user, it showed a different error message: "E63018::The user does not exist or has not subscribed for this service."

 

So if IMC recognises the users and shows their names as LDAP users in its list, what can the possible problem be?

 

I will try to create the LDAP and Sync policy from the ground up with the options you have mentioned and see what happens.

 

Edit: now I'm defining the Sync policy, but I don't understand some parameters. For example, on the "Add Sync Policy" page, what is the "Password" in the "Access Information" area? I'm attaching the snapshot to the post. Thanks a lot.
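One way to pull the Reply-Message text (such as "No This User") out of a captured RADIUS Access-Reject and, going a step further than the post, to check the Response Authenticator against the shared secret so a spoofed or mangled reply is not trusted. This is an added example, not code from this thread or from iMC; the packet, the shared secret and the Request Authenticator are constructed here, and the layout follows RFC 2865.

```python
import hashlib
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18


def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte header and the TLV attribute list of a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # reject truncated or overlapping attributes
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def reply_messages(packet: bytes) -> list:
    """Return every Reply-Message (type 18) string the server attached to the reply."""
    return [v.decode("utf-8", "replace")
            for t, v in parse_radius(packet)["attrs"] if t == ATTR_REPLY_MESSAGE]


def response_authenticator_ok(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Verify MD5(Code+ID+Length+RequestAuth+Attributes+Secret) before trusting the reply."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return expected == parse_radius(response)["authenticator"]


def build_reject(ident: int, request_auth: bytes, secret: bytes, message: str) -> bytes:
    """Build a sample Access-Reject carrying one Reply-Message (constructed test data)."""
    msg = message.encode()
    attrs = bytes([ATTR_REPLY_MESSAGE, 2 + len(msg)]) + msg
    header = struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


# Constructed sample matching the "No This User" reply seen in the poster's captures
SECRET = b"example-secret"   # assumed shared secret, not a value from the thread
REQ_AUTH = bytes(range(16))  # constructed Request Authenticator from the Access-Request
SAMPLE_REJECT = build_reject(7, REQ_AUTH, SECRET, "No This User")

if __name__ == "__main__":
    print(reply_messages(SAMPLE_REJECT), response_authenticator_ok(SAMPLE_REJECT, REQ_AUTH, SECRET))
```

For a real capture, feed the UDP payload of the Access-Reject to reply_messages and the Request Authenticator from the matching Access-Request (same packet ID) to response_authenticator_ok.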

NeilR
Esteemed Contributor

Re: dot1x authentication

Hmm - strange. But it may be related to your config question. The password field in the sync policy needs to be filled in - it does not matter with what, as it's ignored, but empty won't work - maybe empty means no password?

 

This is covered somewhere in the IMC UAM docs, and I thought/hoped I mentioned it in my PDF files (if not, sorry).

 

Attached is a screenshot of synced LDAP user info. Basic info is the fields synced from AD. Account name is from sAMAccountName. It should also show an associated service name.

 

If you had set sync users as needed: I found that works for some but not all of the sync options - I'm using AD group membership to set the access policy and for whatever reason it did not work, so I need to use the scheduled full sync.

 

If you sync them manually you can see any errors that occur, but it will bring over the full OU that you specify.

Pack3tL0ss
Valued Contributor

Re: dot1x authentication

I haven't fully read the posts in this thread, just skimmed because I'm short on time, but a few things:

 

- If you are getting password errors, you might look in the "domain controller assisted PEAP" settings (via the Quick Start link in the bottom box, or under Service Parameters --> System Settings within the User Access Policy menu). This will seem the opposite of intuitive, but if you are getting auth failures for users, you may set the "Domain controller OS version" to Windows 2003 or earlier.

- The password in the sync policy is not relevant; I believe it only comes into play if you unbind the access users from LDAP after sync, but it can be garbage (mine is literally "garbage") as the passwords will be verified with the AD server upon login.

- For users synced with LDAP, the "sync users as needed" function does not apply. You would accomplish the same by making the default access service for LDAP synchronized users a service that uses PEAP-MSCHAPv2 AuthN (vs. access forbidden). The unknown user attempting PEAP-MSCHAPv2 will default to the service specified in the sync policy. IMC will query AD for the user to authenticate and it will add it if the user is found (regardless of pass/fail). From the help menu in the sync policy:

To synchronize LDAP users on demand in PEAP/MS-CHAPv2 authentication, make sure the following conditions are met: (1) A default access policy is configured for the service that is assigned to the synchronized LDAP users. (2) The Access Forbidden option is not configured for the default access policy. (3) The EAP-PEAP AuthN and MS-CHAPv2 AuthN options are configured for the default access policy. When an LDAP user initiates an EAP authentication process for the first time, UAM checks whether the user meets the previous conditions. If it is, UAM synchronizes the LDAP user account as a regular access account, regardless of the result of user authentication.

 

- If you get an "invalid authentication type" it probably means the access service associated with the user is dropping it to an access policy for a different AuthN type than what the supplicant is configured for on the client.

 

Hopefully some of that is useful,

 

PL

biswajaya
Occasional Visitor

Re: dot1x authentication

Hi,

I am using a printer with HP ProCurve switches, and I am getting an authentication problem.

Description

I configure the machine with 802.1x authentication at 100 Mbps LAN speed. After my work is done I put the machine in deep sleep mode; when I wake it up it does not authenticate 802.1x (MD5). After a few minutes I remove the LAN cable and plug it in again, and it starts working.
My question is: when it comes from wake to normal mode, why does it not authenticate?

Note: in deep sleep mode the speed is 10 Mbps.

Waiting for your reply, please help me with that.

regards,

biswa

NeilR
Esteemed Contributor

Re: dot1x authentication

Unplugging the cable changes the link state explicitly for both the switch and the printer - but the sleep/wake state change may be different for either the switch or the printer. If the printer wakes up but doesn't resend the credentials, or the switch doesn't see the wake, then authentication won't complete. There are timers for the authentication that you can try - I have the same switches/printers and recall the same problem.

I gave up and went to MAC authentication for printers. There are usually fewer printers than users, so managing MAC IDs is easier. Or you can use the auto registration feature where you can use the first 6 of the MAC to auto-add as users. This is done under Mute terminal user config.

You will also have to set your ports for MAC or MAC/802.1X authentication and add access policies to UAM to handle MAC authentication if you are using it.