
2610 802.1x

leo11
Occasional Visitor

Two questions:
1. How do I log the client IP address?
"sh port-access authenticator clients" does not show the client IP address, and RADIUS accounting shows Client-IP-Address = 192.168.0.201, where the .201 IP is the switch IP address, not the client's.

5 userdemo 001377-f8ce30 n/a Authenticated
I can also notice that a client, after authentication, can change its dynamic address to another static address, and I will not be able to see this.
2. Second question:
I have enabled multiple clients on a port. It works fine only with a dumb switch (one that does not have its own MAC address). If the switch has a MAC address, even in (default-reset) mode, users can't authenticate through such a switch. (I have tried, for example, a Linksys (all cables in LAN ports) and an unconfigured HP 2610.) Is there any solution?

4 REPLIES
Michael_Breuer
Esteemed Contributor

Re: 2610 802.1x

1) Enable DHCP snooping (if available on the 2610); then the switch will show the IP address of the clients.
2) If you set it to user-based authentication it should work. Try increasing the MAC address limit. Can you post your 802.1x configuration?

Cheers,

Michael
Ingentive Networks GmbH
leo11
Occasional Visitor

Re: 2610 802.1x

For the first question, a more precise question could be "how to prevent static IP usage".
I had dhcp-snooping enabled - no IP.

For the second question:
My current config:
vlan 7
tagged 49-52
exit
radius-server host x.x.x.x
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
filter source-port "1" drop 1-48
dhcp-snooping
dhcp-snooping authorized-server x.x.x.x
interface 49
dhcp-snooping trust
exit
interface 50
dhcp-snooping trust
exit
interface 51
dhcp-snooping trust
exit
interface 52
dhcp-snooping trust
exit
aaa port-access authenticator 1
aaa port-access authenticator 1 reauth-period 180
aaa port-access authenticator 1 auth-vid 7
aaa port-access authenticator 1 client-limit 4
aaa port-access authenticator active

sh port-access authenticator
1 0/0 3 0 No No No
sh port-access authenticator clients
Port Client Name MAC Address IP Address Client Status
---- --------------------- ------------- --------------- --------------------
1 001377-f8ce30 n/a Connecting
1 c09134-9d2480 n/a Connecting
1 c09134-9d24ff n/a Connecting
where the last two are the switch's (unconfigured, reset) MAC addresses.
Win XP asks for credentials, but RADIUS does not log any access.
leo11
Occasional Visitor

Re: 2610 802.1x

Hello
As I understand from your answer, the command is as follows: command# sh dhcp-snooping binding, but it is not what I want.
I want to do RADIUS accounting so that I can account for which client uses which IP address. It seems that ProCurve does not write the correct Client-IP-Address in the RADIUS accounting log, and the 802.1x process does not know about the client IP. Even more, the client can change its IP address, so my question would be as follows: how to prevent static address usage in the 802.1x case.
The second question is also still active.
leo11
Occasional Visitor

Re: 2610 802.1x

On the first question, I solved the second half.
It is possible to do with the dhcp-snooping arp-protect commands.
There are still problems with accounting on RADIUS and multiple clients through an intelligent switch (with its own MAC address).
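
Added example, not part of the thread and not HP's code: one way to get the user-to-IP mapping asked about above without relying on Client-IP-Address is to join RADIUS accounting records with DHCP snooping bindings on the client MAC, off the switch. The record layouts, the users other than userdemo, all MACs other than 001377-f8ce30, and the 192.0.2.x addresses are constructed; Calling-Station-Id is assumed to carry the supplicant MAC, as RFC 3580 describes for 802.1X.

```python
import re

def norm_mac(mac):
    """Reduce any MAC notation (001377-f8ce30, 00:13:77:F8:CE:30) to 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

# Constructed accounting records using standard RADIUS attribute names.
ACCOUNTING = [
    {"Acct-Status-Type": "Start", "User-Name": "userdemo",
     "Calling-Station-Id": "00-13-77-F8-CE-30", "NAS-Port": 5},
    {"Acct-Status-Type": "Start", "User-Name": "userstatic",
     "Calling-Station-Id": "00-13-77-AA-BB-CC", "NAS-Port": 1},
    {"Acct-Status-Type": "Start", "User-Name": "usergone",
     "Calling-Station-Id": "00-13-77-11-22-33", "NAS-Port": 2},
    {"Acct-Status-Type": "Stop", "User-Name": "usergone",
     "Calling-Station-Id": "00-13-77-11-22-33", "NAS-Port": 2},
]

# Constructed DHCP snooping bindings as (MAC, leased IP) pairs.
BINDINGS = [
    ("001377-f8ce30", "192.0.2.23"),
    ("001377-112233", "192.0.2.24"),
]

def correlate(accounting, bindings):
    """Return (sessions, unbound) for clients that are currently authenticated.

    sessions: (user, mac, ip) for active clients holding a DHCP lease.
    unbound:  (user, mac) for active clients with no lease, i.e. candidates
              for a statically configured address.
    """
    leases = {norm_mac(mac): ip for mac, ip in bindings}
    active = {}  # MAC -> user name, for a Start with no matching Stop yet
    for rec in accounting:
        mac = norm_mac(rec["Calling-Station-Id"])
        if rec["Acct-Status-Type"] == "Start":
            active[mac] = rec["User-Name"]
        elif rec["Acct-Status-Type"] == "Stop":
            active.pop(mac, None)
    sessions = [(u, m, leases[m]) for m, u in active.items() if m in leases]
    unbound = [(u, m) for m, u in active.items() if m not in leases]
    return sessions, unbound

if __name__ == "__main__":
    sessions, unbound = correlate(ACCOUNTING, BINDINGS)
    print("user -> IP:", sessions)
    print("authenticated, no DHCP lease:", unbound)
```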