dot1x authentication

 
timaz
Advisor

dot1x authentication

Hi; I configured IMC with UAM (User Authentication Module) and did manage to add Access Users for device management through Telnet and SSH.

But I need to enable dot1x authentication, so that whenever a user connects their computer to a switch port, it requests 802.1x authentication from the switch and then from IMC. For this to work, I added an Access User with an Access Class and the related Access Policies and Access Scenarios, but it did not work. I enabled 802.1x on a notebook with Win8, but how can I set the authenticating protocol on IMC among the various options (PEAP, EAP-TLS, ...)? If you have any idea about how to make 802.1x work, let me know. Thanks.

24 REPLIES
timaz
Advisor

Re: dot1x authentication

Really, isn't there anybody who has used HP IMC to authenticate users with 802.1x? I think authenticating users with IMC (as a RADIUS server) is one of the important roles of IMC. Anyway, if any one of you has experienced this, please let me know the details. Do I need to install HP iNode on every client PC, or can I use the Windows built-in mechanism for 802.1x authentication? Thanks.

NeilR
Respected Contributor

Re: dot1x authentication

Yes, I'm currently running it with both 802.1x and MAC authentication on every port. Not using iNode.

 

Please review this post further back - 4 or 5 on the list: 

 

Computer account issue in IMC/UAM for 802.1x authentication

 

In various replies from me, I give explanations and screenshots for pretty much everything you need to do except for switch configuration, including client adapter settings.

 

Hope it helps

 

Neil

timaz
Advisor

Re: dot1x authentication

Thanks for your reply. I will test it for sure. But for now I want to configure authentication just by usernames and passwords with the IMC local authentication DB. For this I added the All Access User with the related Scenarios, Policies, etc. and enabled 802.1x on the NIC of a client computer which runs Windows 8.1. The switch that I've connected the mentioned client computer to is configured for dot1x and is ready to forward authentication requests to IMC. What can be done after this point? Do I need to configure any certificate or enable any authentication protocol beyond what I've done up to now? Thanks a lot.

NeilR
Respected Contributor

Re: dot1x authentication

I think you still use PEAP with EAP-MSCHAPv2, but turn off "use Windows credentials" in the adapter (unless they match?). Windows will pop up a user and password box where you enter the UAM credential.

Otherwise try md5 instead of mschap

I'm not running that local option for Windows users.
NeilR
Respected Contributor

Re: dot1x authentication

If you use Windows credentials it sends domain\username, so I think for a local user you need to turn it off.
timaz
Advisor

Re: dot1x authentication

The "Automatically Use My Windows Login Name And Password" option is disabled on my computer. I just enabled the "Wired AutoConfig Service" in the services console, then on the "Authentication" tab of the NIC Properties selected "Microsoft Protected EAP or PEAP", clicked on Additional Settings, and then selected the "User Authentication" option. But after connecting the port to the switch, nothing happens and I cannot reach the network. What can I do?

NeilR
Respected Contributor

Re: dot1x authentication

As I'm not using it this way, I'm out of specific suggestions. The way I analyzed the setup was to use both the authentication error log under Users and Wireshark to observe the behavior, and to try different settings to understand it.

Sorry I can't help more without setting up a test network and doing the analysis.
timaz
Advisor

Re: dot1x authentication

Hi; I did manage to configure the parameters in such a way that no the Username and Password prompt appears while connecting the client to the switch port. But although the username and password are correct, authentication fails with an error message that indicates "Invalid Authentication Type" on IMC. I've configured authentication on the IMC server as follows:

 

Certificate Authentication: EAP
Certificate Type: EAP-PEAP AuthN
Certificate Sub-Type: MS-CHAPV2 AuthN

 

But I'm just using the username and password and did not set up any certificate on any system. IMC sees the login attempt, but it seems there is some misconfiguration of the authentication methods. Besides, I've activated 802.1x on the client NIC and selected just "User Authentication" with PEAP and MS-CHAPv2. Any idea?

NeilR
Respected Contributor

Re: dot1x authentication

hmm. IMC side looks right.

 

Based on what you wrote, not sure how you are sending the UAM credentials from the windows client w/o the user & password prompt. Where/how did you configure that?

 

On the Windows client, in the PEAP settings I would try unchecking "validate server certificate" (if you have this checked I think it will try and use the client certificate, which might explain the error).

 

Then next to the authentication method, Secured password (EAP-MSCHAPv2), press the Configure button and uncheck "send my Windows credentials".

 

This should prompt you on the client for a userid and password, which should be what you configured in UAM, not your windows ID/password. The client can't send them any other way as far as I know, unless you figured out some other method. 

 

 

timaz
Advisor

Re: dot1x authentication

I tested the same configuration with another RADIUS server and it worked well. I know that we can use username/password instead of certificates, but I think we need to set up a certificate regardless of using the "username" and "password" in this case!! "Invalid Authentication Type" is some type of strange error, in which I've used just the same protocols on both sides.

Besides, I've disabled the "use of Windows credentials" and enabled just "user authentication" rather than "user and computer authentication" in the NIC properties on the client PC.

NeilR
Respected Contributor

Re: dot1x authentication

OK - I get that you have made it work with the other RADIUS server - could you tell or find out what kind of authentication type it accepted? Maybe in its logs?

 

Then you would know more about what kind of authentication your client is sending.

 

Invalid authentication type may occur for different types of errors. I see it on my setup when an 802.1x client authenticates on a port with both 802 & mac set. The mac authentication fails as the client is sending 802 - that's why I asked about that. So I see a mac failure with invalid auth type, and an 802 success.

 

Again you probably want to use Wireshark - you can see what type of RADIUS packets are being sent, and some different information on why the challenge is failing.

 

UPDATE: Now that I had a few minutes to test this out, I have no problem making this work:

 

IMC/UAM - created user, password, assigned a service/policy 

Switch: 802.1x/MAC authentication

Windows 7 client, not in my domain: 802.1x enabled, PEAP/MSCHAPV2 (no validate server cert, no windows credentials), no saved credentials.

 

Entered credentials on client - IMC says authenticated, Switch says authenticated, VLAN is deployed, and user is connected.

 

So not sure what your issue is - works as designed as far as I can tell. Perhaps a problem with your access device configuration or policy/service configurations.

timaz
Advisor

Re: dot1x authentication

Hi; First of all, I would like to thank you for your replies. Anyway, I used another laptop as the client and again did not manage to authenticate it. I'm using a Cisco 3560 switch as Authenticator. From the debugs (dot1x and radius debugs) I tracked that the switch did well as authenticator, and because of the "Access Reject" message received from IMC UAM, it blocks user access. I don't know which parameter is different on the two sides that causes this. This is what I got on the switch:

 

RADIUS: Received from id 1645/3 10.1.1.6:1645, Access-Reject, len 83
RADIUS:  authenticator 9E 5A 0F D2 72 BB 6A 91 - DF F4 29 31 08 74 86 D0
RADIUS:  EAP-Message         [79]  7
RADIUS:   00 03 00 05 23                 [ #]
RADIUS:  Reply-Message       [18]  38
RADIUS:   45 36 33 30 35 33 3A 20 49 6E 76 61 6C 69 64 20  [E63053: Invalid ]
RADIUS:   61 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 20 74  [authentication t]
RADIUS:   79 70 65 2E              [ ype.]
RADIUS:  Message-Authenticato[80]  18
RADIUS:   6C 77 14 A5 1C A5 17 BB A2 80 97 AA C7 88 E4 BE                [ lw]
RADIUS(00000002): Received from id 1645/3

 

So would you please mind comparing the settings of my Access Policy in IMC with your own working Access Policy? I would appreciate it.

 

-------------------------------------------------------

Basic Information:
Access Policy Name: Policy01  
Service Group: Ungrouped  
Description: -

 

Authorization Information:
Access Period: No Limit        Allocate IP: No
Downstream Rate(Kbps): -       Upstream Rate(Kbps): -
Priority: - 
RSA Authentication: -
Certificate Authentication: EAP  
Certificate Type: EAP-PEAP AuthN       Certificate Sub-Type: MS-CHAPV2 AuthN
Deploy VLAN: -  
Deploy User Profile: -
Deploy User Group: - 
Deploy ACL: -

 

And nothing is selected in the "Authentication Binding Information" and "User Client Configuration" sections.

------------------------------------------------------------------------------------------------------------------

 

Settings of the client NIC:

 

on Authentication tab:

Enable IEEE 802.1x Authentication (checked)

Microsoft: Protected EAP (PEAP)

Remember My Credentials For This Connection Each Time (Checked)

Fallback to Unauthorized Network Access (Checked)

 

After clicking on the Settings button, the "Protected EAP Properties" page appears; I cleared every checkbox on this page. After clicking the "Configure" button on the "Protected EAP Properties" page, a page appears and I unchecked the "Automatically Use My Windows Logon..." option too.

 

And again on the Authentication tab of the NIC Properties on the client computer, after clicking on "Additional Settings" a page appears; on that page I checked "Specify Authentication Mode" and selected the "User Authentication" option. No other checkboxes are selected on this page.

 

And this is the switch's config, in case you want further info:

 

------------------------------------------------------

Switch(config)#do sh run | inc aaa|username|authentication|dot1x|radius

username cisco privilege 15 password 0 cisco
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa session-id common
dot1x system-auth-control
!
interface g0/10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
radius-server host 10.1.1.6 auth-port 1645 acct-port 1646 key cisco

-------------------------------------------------------

 

 

thank you for your time.
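The Access-Reject in the debug above can be decoded attribute by attribute. This is an added example, not code from the thread or from HP or Cisco: it parses the RADIUS packet exactly as the debug prints it, extracts the Reply-Message (the E63053 text), and, for a reject it builds itself, checks the Response Authenticator and Message-Authenticator against the shared secret. The shared secret `cisco` is taken from the switch config in the post; the Request Authenticator is not shown in the debug, so the captured packet is parsed but cannot be verified.

```python
"""Decode a RADIUS Access-Reject like the one in the Cisco debug above and
check the two integrity fields a defender should verify before trusting it."""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
REPLY_MESSAGE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 79, 80

# The Access-Reject as "debug radius" printed it: 20-byte header, then
# EAP-Message [79], Reply-Message [18] and Message-Authenticator [80] (83 bytes).
CAPTURED_REJECT = (
    bytes.fromhex("03 03 00 53")                                         # code 3, id 3, length 83
    + bytes.fromhex("9E 5A 0F D2 72 BB 6A 91 DF F4 29 31 08 74 86 D0")  # Response Authenticator
    + bytes.fromhex("4F 07 00 03 00 05 23")                              # EAP-Message, 5 value bytes
    + bytes([REPLY_MESSAGE, 38]) + b"E63053: Invalid authentication type."
    + bytes.fromhex("50 12 6C 77 14 A5 1C A5 17 BB A2 80 97 AA C7 88 E4 BE")
)


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and (type, value) attributes,
    refusing anything whose length fields do not add up."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"length field {length} inconsistent with {len(packet)} bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, f"code {code}"), "id": ident,
            "authenticator": packet[4:20], "attrs": attrs}


def reply_messages(packet: bytes) -> list:
    """Human-readable Reply-Message attributes, e.g. the E63053 text from UAM."""
    return [v.decode("utf-8", "replace")
            for t, v in parse_radius(packet)["attrs"] if t == REPLY_MESSAGE]


def verify_response(packet: bytes, secret: bytes, request_authenticator: bytes) -> tuple:
    """Return (response_authenticator_ok, message_authenticator_ok).

    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret) (RFC 2865 s3);
    Message-Authenticator = HMAC-MD5(secret, packet with the Request Authenticator in the
    authenticator field and its own value zeroed) (RFC 2869 s5.14). None if attribute absent."""
    hdr, attrs = packet[:4], packet[20:]
    resp_ok = hmac.compare_digest(
        hashlib.md5(hdr + request_authenticator + attrs + secret).digest(), packet[4:20])
    ma_ok, pos = None, 20
    for atype, value in parse_radius(packet)["attrs"]:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = hdr + request_authenticator + packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
            ma_ok = hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
            break
        pos += 2 + len(value)
    return resp_ok, ma_ok


def build_access_reject(ident: int, request_authenticator: bytes, secret: bytes,
                        reply_message: str) -> bytes:
    """Construct a correctly signed Access-Reject so verify_response can be exercised
    (the debug above omits the Request Authenticator, so that packet cannot be checked)."""
    text = reply_message.encode()
    attrs = bytes([REPLY_MESSAGE, 2 + len(text)]) + text
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)      # placeholder, filled below
    hdr = struct.pack("!BBH", 3, ident, 20 + len(attrs))
    ma = hmac.new(secret, hdr + request_authenticator + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + ma
    resp_auth = hashlib.md5(hdr + request_authenticator + attrs + secret).digest()
    return hdr + resp_auth + attrs


if __name__ == "__main__":
    parsed = parse_radius(CAPTURED_REJECT)
    print(parsed["code"], "id", parsed["id"], reply_messages(CAPTURED_REJECT))
```

Feeding the UDP payload of a RADIUS packet from a Wireshark capture to `parse_radius` gives the same breakdown; with the matching Access-Request's authenticator and the NAS secret, `verify_response` tells you whether the reject really came from the server that knows the key.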

NeilR
Respected Contributor

Re: dot1x authentication

Regarding the RADIUS log - it looks like the response to the challenge sent. You also want to look for what was sent to the RADIUS server. You may need to know what the request was. All you see is that it is rejected.

 

Regarding the policy - I assume that you have a service that points to the policy. The user account points to the service, which points to the policy. If you don't link the service to the policy, the default is access forbidden.

 

Also, I assume your switch has the desired VLAN set as untagged for that port, as you don't deploy one in the policy. But that's not affecting authentication.

 

On the NIC - my settings as indicated:

 

on Authentication tab:

Enable IEEE 802.1x Authentication (checked) - YES

Microsoft: Protected EAP (PEAP) - YES

Remember My Credentials For This Connection Each Time (Checked) - YES

Fallback to Unauthorized Network Access (Checked) - NO, but doesn't matter

 

After clicking on the Settings button, the "Protected EAP Properties" page appears; I cleared every checkbox on this page. - YES, but Fast Reconnect is optional - may improve re-authentication time

 

after clicking the "Configure" button on the "Protected EAP Properties" page a page appears and I unchecked the "Automatically Use My Windows Logon..." option too. - YES

 

and again on the Authentication tab on NIC Properties on Client computer, after clicking on "Additional Settings" a page appears and on that page, I checked the "Specify Authentication Mode" and selected "User Authentication" option. no other checkbox are selected on this page. - YES

 

Client looks good - with these settings it should prompt you to click in tray area and enter credentials - more information needed or something like that.

 

Regarding the switch - I don't have Cisco, only ProCurve. But what's there looks OK - however, I wouldn't know if you omitted something.

 

Assume that you added device to access devices and specified type as cisco, then deployed AAA config, synched ports etc:

 

User>User Access Policy>Access Device Management>Access Device 

 

This is how UAM knows the radius key, types of parameters, and port configurations etc.

 

 

 

 

timaz
Advisor

Re: dot1x authentication

Hi; thank you for your detailed answers my friend ;)

 

As you said, I've created an Access Service and have bound it to an Access Condition (with just a simple Workhours Access Period policy) and an Access User for sure. It might help if I say I did manage to successfully authenticate "Device Users". I mean the switch can communicate with IMC when authenticating users that want to log in to devices (switches, routers). But for some reason I cannot authenticate dot1x users when a user wants access to the network. My last portion of configuration on IMC is like this:

 

--------------------------------------------------------------------

 

Access Service Details:

 

Basic Information:
Service Name: TEST_ACCESS_SERVICE        Service Suffix: -
Service Group: Ungrouped           Default Access Policy: Access Forbidden
Default Proprietary Attribute Assignment Policy: Do not use  
Default Max. Number of Bound Endpoints: 0             Default Max. Number of Online Endpoints: 0

Available (Checked)

Transparent Authentication on Portal Endpoints (unchecked)

 

Access Scenario Name: TEST_ACCESS_SCENARIO 
Access Policy: Policy01    
Proprietary Attribute Assignment Policy: Do not use

 

------------------------------------------------------------------

 

For any attempt, it says "Invalid Authentication". When I try to log in as an unknown, non-existent user, it says that the user doesn't exist, and this means it can check the user DB; but actually there is some mismatched authentication parameter that I cannot find.

NeilR
Respected Contributor

Re: dot1x authentication

The switch will be using a different authentication type - PAP or CHAP or MD5 - when authenticating the "device user". Switches do not usually speak EAP/MSCHAPv2. The switch is making the request for authentication to the RADIUS server.

 

For the "access user", as iMC refers to it, the switch is only forwarding the request that the client is making on the port. The switch is only providing a key to the RADIUS server to prove its own identity (using the key in the setup) and then sending on the request. It does not reformat the request - the client is using a different method to request authentication as "access user" than the switch is to authenticate a "device user". One may work, but won't guarantee the other will.

 

When the radius server gets this from the switch it needs to know how to decode it. Then it responds back to the switch with specific info on how to set the port.

 

In your last reply, I was not sure if/how you had configured the access device settings. See the attached screenshot.

 

If you have it set up this way, maybe try the general setting instead of cisco. But make sure it is set to access user, not device user.

 

Also confirm that you did deploy the AAA configuration and synchronize the ports. 

timaz
Advisor

Re: dot1x authentication

Hi; I changed the device mode from "Cisco (General)" to "Standard" and even changed the "Service Type" from "Device Management Service" to "LAN Access Service", and again faced the same error "Invalid Authentication Type"!

It is so interesting. I even tried integrating with AD and managed to load the existing AD users into the IMC DB. But trying to access the network through dot1x authentication failed again with the exact same error. I think that I can test the HP iNode client as my dot1x supplicant on the client computer. Have you ever deployed it instead of the Windows built-in dot1x agent on client computers?

NeilR
Respected Contributor

Re: dot1x authentication

Last thing I can think of, then I'm really out of ideas - check the AAA configuration and make sure it's set to EAP. Screenshot attached.

 

Otherwise you will need to use Wireshark to capture and analyze packets. Install it on your IMC RADIUS server, set an input capture filter to your IMC RADIUS server IP address, then while capturing enter "radius" into the filter when viewing.

 

Toggle your port connectivity and you should see the whole conversation.

 

My previously posted PDFs will mostly document the whole AD/LDAP configuration. I did not want to use iNode so I have not tested it.

 

But if you have many users the AD/LDAP route is much easier to manage.

 

My gut feel is switch configuration is incorrect or out of synch with imc, but my cisco experience with this is none.

timaz
Advisor

Re: dot1x authentication

Hi NeilR;

 

I did not have any certificate on my IMC server while using PEAP-MSCHAPv2, but after adding a Root Certificate Authority and a server certificate, it seems that I managed to get rid of the "Invalid Authentication Type" error message. After searching the net, I found one of your posts again about configuring Server Parameters (iMC UAM MS AD authentication issue) and configured iMC in that way. But after this point, when I try to connect any client to the switch port, I don't get any log at "User Access Log > Authentication Failure Log"!! But after taking some captures with Wireshark, I saw that the switch sends many RADIUS Request messages to IMC, and after some time it gets "Reply Message: No This User" from IMC and rejects the user.

But I integrated IMC with the existing AD and can see the AD users list on IMC when clicking on "LDAP USERS". It is interesting that I have one local user on IMC, and even logging in with that user results in the same error!! So I'm thinking about the default port that IMC and AD talk to each other through (the port configured in Server Parameters to make iMC work with the PEAP authentication server). The default port is listed as 9812, and I use Windows 2012 R2 on both the iMC server and the AD DC. I defined a filter in Wireshark to find that port, but it seems this port is not used by these devices to talk. Do you have any idea about this?

NeilR
Respected Contributor

Re: dot1x authentication

If you have a Windows Active Directory base for your users, doing it via LDAP makes more sense than trying to add users and passwords. All the PDFs from my posts should give a pretty complete picture of how to do this.

 

I don't think the server certificate should have been required for just UID/password, but it may be something about Windows. All my testing had a cert installed, LDAP user or not.

 

So something easy to overlook may be the user account format setup on the LDAP server. Make sure to include "remove prefix" and the delimiter \, as that's how the accounts are sent by the clients. See the attached screenshot.

 

You should be able to see the account name that the client is sending in Wireshark btw.

 

I'm using all the default ports for everything. However might want to make sure windows firewall is not active on imc, at least until you get everything working. 

timaz
Advisor

Re: dot1x authentication

Hi and thanks again for your replies.

 

There is an interesting situation here about how iMC treats users. I have 2 users in exactly the same OU in the same domain, even with the same fields filled in on their Properties windows. Both of them are displayed as LDAP users in IMC. But logging in with one of them causes an "Invalid Password" on the "Authentication Failure Log" page on IMC, while with the other one there is nothing on the "Authentication Failure Log" page, but "Reply-Message: No This User" inside the capture files that I've collected on the IMC server!!

 

Besides, I don't think IMC fails to recognise both users, because when I enter a non-existent user, it shows another error message: "E63018::The user does not exist or has not subscribed for this service."

 

So if IMC recognises the users and shows their names as LDAP users in its list, what can the possible problem be?

 

I will try to create the LDAP and Sync policy from the ground with the options you have said and see what will happen.

 

Edit: now I'm defining the Sync policy, but I don't understand some parameters. For example, on the "Add Sync Policy" page, what is the "Password" in the "Access Information" area? I'm attaching the snapshot to the post. Thanks a lot.

NeilR
Respected Contributor

Re: dot1x authentication

Hmm - strange. But it may be related to your config question. The password field in the sync policy needs to be filled in - it does not matter with what, as it's ignored, but empty won't work - maybe empty means no password?

 

This is covered somewhere in IMC UAM docs, and I thought/hoped I mentioned in my PDF files (if not sorry)

 

Attached is a screenshot of synched LDAP user info. Basic info is the fields synched from AD. Account name is from sAMAccountName. It should also show a service name associated.

 

If you had set "synch users as needed": I found that works for some but not all of the synch options - I'm using AD group membership to set the access policy and for whatever reason it did not work, so I need to use the scheduled full synch.

 

If you synch them manually you can see any errors that occur, but it will bring over the full OU that you specify.

Pack3tL0ss
Valued Contributor

Re: dot1x authentication

I haven't fully read the posts in this thread, just skimmed because I'm short on time but a few things:

 

- If you are getting password errors, you might look in the "domain controller assisted PEAP" settings (via the Quick Start link in the bottom box, or under Service Parameters --> System Settings within the User Access Policy menu). This will seem the opposite of intuitive, but if you are getting auth failures for users, you may set the "Domain controller OS version" to Windows 2003 or earlier.

- The password in the sync policy is not relevant; I believe it only comes into play if you unbind the access users from LDAP after sync, but it can be garbage (mine is literally "garbage") as the passwords will be verified with the AD server upon login.

- For users synced with LDAP, the "sync users as needed" function does not apply. You would accomplish the same by making the default access service for LDAP synchronized users a service that uses PEAP-MSChapv2 AuthN (vs. Access Forbidden). The unknown user attempting PEAP-MSChapv2 will default to the service specified in the sync policy. IMC will query AD for the user to authenticate and it will add it if the user is found (regardless of pass/fail). From the help menu in the sync policy:

To synchronize LDAP users on demand in PEAP/MS-CHAPv2 authentication, make sure the following conditions are met: (1) A default access policy is configured for the service that is assigned to the synchronized LDAP users. (2) The Access Forbidden option is not configured for the default access policy. (3) The EAP-PEAP AuthN and MS-CHAPv2 AuthN options are configured for the default access policy. When an LDAP user initiates an EAP authentication process for the first time, UAM checks whether the user meets the previous conditions. If it is, UAM synchronizes the LDAP user account as a regular access account, regardless of the result of user authentication.

 

- If you get an "invalid authentication type", it probably means the access service associated with the user is dropping it to an access policy for a different AuthN type than what the supplicant is configured for on the client.

 

Hopefully some of that is useful,

 

PL

biswajaya
Occasional Visitor

Re: dot1x authentication

Hi,

I am using a printer with HP ProCurve switches, and I am getting an authentication problem.

Description

I configured the machine with 802.1x authentication (MD5), with 100 Mbps LAN speed. After my work is done I put the machine in deep sleep mode; when I wake up the machine it does not authenticate with 802.1x. After a few minutes I remove the LAN cable and plug it in again, and it starts working.
My question is: when it comes from sleep to normal mode, why does it not authenticate?

Note: in deep sleep mode the speed is 10 Mbps.

Waiting for your reply; please help me with that.

regards,

biswa

NeilR
Respected Contributor

Re: dot1x authentication

Unplugging the cable changes the link state explicitly for both the switch and the printer - but the sleep/wake state change may be different for either the switch or the printer. If the printer wakes up but doesn't resend the credentials, or the switch doesn't see the wake, then authentication won't complete. There are timers for the authentication that you can try - I have the same switches/printers and recall the same problem.

I gave up and went to MAC authentication for printers. There are usually fewer printers than users, so managing MAC IDs is easier. Or you can use the auto-registration feature, where you can use the first 6 of the MAC to auto-add them as users. This is done under Mute Terminal User config.

You will also have to set your ports for MAC or MAC/802 authentication and add access policies to UAM to handle MAC authentication if you are using it.