801.1x authentication on a core / edge topology?

Hi,

I need to deploy 802.1x on my company's network. I tried it in a test lab (Windows Server 2008 R2 with NAP and a 5406zl switch) and I got it working fine.

The setup I want is that all ports need to be authenticated to get on the company network, and if they are not authenticated, they are moved to the guest VLAN. I got the Windows config down, but I'm having some trouble with the ProCurve switches.

I have a 5406zl as an edge switch, and one as a core switch.

So far I'm only testing on one port, and I tried this config on the edge switch:

radius-server host x.x.x.x key secret
aaa authentication port-access eap-radius authorized
aaa port-access authenticator A20
aaa port-access authenticator active

and I verified that the setup on the Windows server was correct.

I am thinking I might need some config on the core switch to get this to work, and I was hoping someone in here had some experience I could sponge off of ;)

Thank you in advance!
My English might not be so good, so I just attached a picture to make sure you know what my setup is :)

4 REPLIES
Jeff Carrell
Honored Contributor

Re: 801.1x authentication on a core / edge topology?

You may want to add this command to specifically make sure the unauth devices go to a specific vlan id:

aaa port-access authenticator A20 unauth-vid 99

--

You don't need any core config for 802.1X support, except to make sure:

1) the vlans the users are assigned by radius policies are available on the edge switches and of course have access to their default gateways (wherever that may be) after they are auth. [if radius returns auth to the switch with vlan assignment, and the switch does not have the vlan configured on it, the switch will fail the auth]

2) the edge switch has access to the radius server

--

If you do not choose to assign vlans via radius, then you could use this command if all auth devices go to the same vlan on the edge switch:

aaa port-access authenticator A20 auth-vid 220

--

hth...Jeff
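
An added example, not part of Jeff's reply or any HP tooling: a small Python check that audits an edge switch's running-config text against the points above (a RADIUS server is configured, the authenticator is active, each 802.1X port has an unauth-vid, and every referenced VLAN is defined on the switch). The sample config, the 192.0.2.10 address, the `vlan N` stanza layout and the name `audit_dot1x` are assumptions constructed for illustration.

```python
import re

# Constructed sample running-config; VLAN 220 is deliberately left undefined.
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10 key secret
vlan 1
   name "DEFAULT_VLAN"
   exit
vlan 99
   name "GUEST"
   exit
aaa authentication port-access eap-radius authorized
aaa port-access authenticator A20
aaa port-access authenticator A20 unauth-vid 99
aaa port-access authenticator A20 auth-vid 220
aaa port-access authenticator active
"""

PREFIX = r"^aaa port-access authenticator "

def audit_dot1x(config, radius_vlans=()):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    vlans = {int(v) for v in re.findall(r"^vlan (\d+)[ \t]*$", config, re.M)}
    enabled = set(re.findall(PREFIX + r"(\S+)[ \t]*$", config, re.M))
    enabled.discard("active")  # global enable line, not a port
    vids = re.findall(PREFIX + r"(\S+) (unauth-vid|auth-vid) (\d+)", config, re.M)

    for needle, msg in (
        ("radius-server host ", "no RADIUS server configured"),
        ("aaa authentication port-access eap-radius", "port-access is not using eap-radius"),
        ("aaa port-access authenticator active", "802.1X authenticator is not active"),
    ):
        if needle not in config:
            findings.append(msg)

    for port in sorted(enabled):
        if not any(p == port and kind == "unauth-vid" for p, kind, _ in vids):
            findings.append(f"port {port}: no unauth-vid set")

    # VLANs named on the switch plus those the RADIUS policy may return.
    needed = {int(v): f"{kind} on {p}" for p, kind, v in vids}
    needed.update({int(v): "RADIUS policy" for v in radius_vlans})
    for vid in sorted(set(needed) - vlans):
        findings.append(f"VLAN {vid} ({needed[vid]}) is not defined on this switch")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_dot1x(SAMPLE_CONFIG, radius_vlans=(220, 230))) or "OK")
```

Pass the VLAN IDs your RADIUS policies can return as `radius_vlans`; the check only reads the config text and does not test whether the switch can actually reach the RADIUS server.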

Re: 801.1x authentication on a core / edge topology?

Hi Jeff!

Thanks for your answer, and the command for un-auth VLAN you gave me is working like a charm!

But when I do my show radius authentication command, the switch doesn't send anything to the radius server. But every time a new client is attached to the network, the switch should ask the radius server, right?

But thank you very much for your answer so far! I've been on this for 4 hours now ;)

Re: 801.1x authentication on a core / edge topology?

Never mind, it's working now!

Thank you so much! :)

Re: 801.1x authentication on a core / edge topology?

Thanks to Jeff ;)