802.1x Installation problem with switch hp procurve
06-24-2010 04:23 AM
I'm currently in training at a big company.
I have to set up RADIUS authentication with a Windows 2003 server and HP ProCurve switches.
Actually, I tried to authenticate a user with only one switch (2824). It was a success. I now want to add another switch which will be a "supplicant" switch, with the first one still the "authenticator" switch. My problem is that I don't know how to configure the supplicant switch. I found a lot of information on the internet, but also for wireless authentication. I found a command on the switch which is "aaa port-access supplicant".
Here are my switch configurations:
Supplicant (30.0.0.2):
; J9280A Configuration Editor; Created on release #Y.11.12
hostname "swrad2"
snmp-server contact "Cellule Reseau"
time timezone 60
time daylight-time-rule Western-Europe
no web-management
web-management ssl
no telnet-server
ip default-gateway 30.0.0.1
sntp server 10.63.69.113
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
snmp-server host 10.63.1.82 "public"
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-48
   ip address 30.0.0.2 255.255.255.0
   exit
vlan 2
   name "auth"
   ip address 40.0.0.2 255.255.255.0
   tagged 44
   exit
vlan 3
   name "unauth"
   ip address 50.0.0.2 255.255.255.0
   tagged 44
   exit
aaa authentication port-access eap-radius
radius-server host 30.0.0.1 key 8U3K2jFV
aaa port-access authenticator 1-12
aaa port-access authenticator 1 auth-vid 2
aaa port-access authenticator 1 unauth-vid 3
aaa port-access authenticator 2 auth-vid 2
aaa port-access authenticator 2 unauth-vid 3
aaa port-access authenticator 3 auth-vid 2
aaa port-access authenticator 3 unauth-vid 3
aaa port-access authenticator 4 auth-vid 2
aaa port-access authenticator 4 unauth-vid 3
aaa port-access authenticator 5 auth-vid 2
aaa port-access authenticator 5 unauth-vid 3
aaa port-access authenticator 6 auth-vid 2
aaa port-access authenticator 6 unauth-vid 3
aaa port-access authenticator active
aaa port-access supplicant 44
ip ssh
ip ssh filetransfer
no tftp client
no tftp server
password manager
Authenticator (30.0.0.3):
; J4903A Configuration Editor; Created on release #I.10.77
hostname "swrad1"
snmp-server contact "Cellule Reseau"
time timezone 60
time daylight-time-rule Western-Europe
no web-management
web-management ssl
no telnet-server
interface 1
   no lacp
   exit
interface 2
   no lacp
   exit
interface 3
   no lacp
   exit
interface 4
   no lacp
   exit
interface 5
   no lacp
   exit
interface 6
   no lacp
   exit
interface 7
   no lacp
   exit
interface 8
   no lacp
   exit
sntp server 10.63.69.113
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
snmp-server host 10.63.1.82 "public"
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address 30.0.0.3 255.255.255.0
   exit
vlan 2
   name "auth"
   ip address 40.0.0.3 255.255.255.0
   ip helper-address 40.0.0.1
   tagged 20,24
   exit
vlan 3
   name "unauth"
   ip address 50.0.0.3 255.255.255.0
   tagged 20,24
   exit
aaa authentication port-access eap-radius
radius-server host 30.0.0.1 key 8U3K2jFV
aaa port-access authenticator 1-8
aaa port-access authenticator 1 auth-vid 2
aaa port-access authenticator 1 unauth-vid 3
aaa port-access authenticator 2 auth-vid 2
aaa port-access authenticator 2 unauth-vid 3
aaa port-access authenticator 3 auth-vid 2
aaa port-access authenticator 3 unauth-vid 3
aaa port-access authenticator 4 auth-vid 2
aaa port-access authenticator 4 unauth-vid 3
aaa port-access authenticator active
aaa port-access supplicant 1
ip ssh
ip ssh filetransfer
no tftp client
no tftp server
password manager
Thanks for your answers, and sorry for my English. I hope you'll understand what I mean.
06-24-2010 11:28 AM
Please take a look at pages 8-42 to 8-46 of the ProCurve Series 2510G Switches Access Security Guide (http://cdn.procurve.com/training/Manuals/2510G-Security-Jun2008-59923097.pdf).
I guess you should run the following commands on the second switch in config mode:
aaa port-access supplicant
aaa port-access supplicant identity
-- enter password twice on prompt
The first command enables supplicant operation on the uplink port (44, I guess) going to the ProCurve 2824. The second one provides the switch with the credentials to use during 802.1x authentication.
Also check that the port on the 2824 going to the 2510G is in authenticator mode and not in supplicant mode.
HTH
Oleg
06-25-2010 02:10 AM
Re: 802.1x Installation problem with switch hp procurve
Actually, I had already seen this PDF and this part, but I didn't use your second command. If I understand correctly, it is used to identify the switch and to give it a name, right? I think it will solve my problem, because in the event viewer the second switch had no FQDN.
I'll try this this afternoon and come back to you afterwards.
Thanks for your help ;)
06-25-2010 06:31 AM
Re: 802.1x Installation problem with switch hp procurve
It's at the EAP level; something is missing, because even with the correct name the switch isn't recognized correctly.
In the attachment you'll find the result from the event viewer, if it can help you find the other problem.
Thanks for your answer.
manu
06-26-2010 06:34 AM
Re: 802.1x Installation problem with switch hp procurve
o 'identity' sets the identity to be used by the port supplicant when an MD5 authentication request is received from an authenticator.
o 'secret' sets the secret to be used by the port supplicant when an MD5 authentication request is received from an authenticator. The user will be prompted to enter the secret after the command is invoked.
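What those two settings feed, as an added example in Python (not code from the thread, from HP, or from Microsoft): both sides of an EAP-MD5 authentication. The supplicant answers the EAP-Request/Identity with its configured identity and the EAP-Request/MD5-Challenge with MD5(Identifier || secret || challenge), as RFC 3748 section 5.4 and RFC 1994 define it; the server checks that value against the account's password. The identity "swrad2" and the password are constructed, and EAPOL and RADIUS framing are left out. The secret here is the supplicant's own account password, which the RADIUS server verifies against the user account; it is unrelated to the `radius-server host ... key` shared secret that the authenticator switch uses to talk to the server. EAP-MD5 also gives no server authentication and no key derivation, and a captured challenge/response pair can be tested offline against a password list, which is why it is only acceptable for a narrowly scoped account.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and the two types used here (RFC 3748 sections 4 and 5).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5_CHALLENGE = 4


def eap_packet(code, identifier, type_data=b""):
    """Encode Code(1) Identifier(1) Length(2) followed by Type and Type-Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def parse_eap(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, identifier, pkt[4:]


def md5_challenge_response(identifier, secret, challenge):
    """CHAP/EAP-MD5 response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Supplicant:
    """Models the switch port configured with 'identity' and 'secret' (constructed values)."""

    def __init__(self, identity, secret):
        self.identity = identity.encode()
        self.secret = secret.encode()

    def respond(self, request):
        code, ident, data = parse_eap(request)
        if code != EAP_REQUEST:
            raise ValueError("supplicant only answers EAP-Request")
        if data[0] == EAP_TYPE_IDENTITY:
            return eap_packet(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + self.identity)
        if data[0] == EAP_TYPE_MD5_CHALLENGE:
            value_size = data[1]
            value = md5_challenge_response(ident, self.secret, data[2:2 + value_size])
            # Type(1) Value-Size(1) Value(16) Name; the Name field repeats the identity.
            return eap_packet(EAP_RESPONSE, ident,
                              bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + self.identity)
        raise ValueError("unsupported EAP type %d" % data[0])


class Md5Server:
    """Models the RADIUS server's EAP-MD5 handling; accounts maps identity -> password bytes."""

    def __init__(self, accounts, allow_md5=True):
        self.accounts = accounts
        self.allow_md5 = allow_md5   # False models a policy whose profile forbids EAP-MD5
        self.identity = None
        self.challenge = None
        self.ident = 0

    def identity_request(self):
        self.ident += 1
        return eap_packet(EAP_REQUEST, self.ident, bytes([EAP_TYPE_IDENTITY]))

    def handle(self, response):
        code, ident, data = parse_eap(response)
        if code != EAP_RESPONSE or ident != self.ident:
            return eap_packet(EAP_FAILURE, ident)
        if data[0] == EAP_TYPE_IDENTITY:
            self.identity = data[1:].decode()
            if not self.allow_md5 or self.identity not in self.accounts:
                return eap_packet(EAP_FAILURE, ident)
            self.challenge = os.urandom(16)      # fresh random challenge per attempt
            self.ident += 1
            return eap_packet(EAP_REQUEST, self.ident,
                              bytes([EAP_TYPE_MD5_CHALLENGE, len(self.challenge)]) + self.challenge)
        if data[0] == EAP_TYPE_MD5_CHALLENGE and self.challenge is not None:
            value_size = data[1]
            value = data[2:2 + value_size]
            name = data[2 + value_size:].decode()
            expected = md5_challenge_response(ident, self.accounts[self.identity], self.challenge)
            ok = name == self.identity and hmac.compare_digest(value, expected)
            return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident)
        return eap_packet(EAP_FAILURE, ident)


def run_exchange(supplicant, server):
    """Drive the exchange to EAP-Success or EAP-Failure; return (success, transcript)."""
    transcript = []
    pkt = server.identity_request()
    while True:
        transcript.append(("server", pkt))
        code, _, _ = parse_eap(pkt)
        if code in (EAP_SUCCESS, EAP_FAILURE):
            return code == EAP_SUCCESS, transcript
        pkt = supplicant.respond(pkt)
        transcript.append(("supplicant", pkt))
        pkt = server.handle(pkt)


if __name__ == "__main__":
    ok, log = run_exchange(Supplicant("swrad2", "Sw1tchPassw0rd"),
                           Md5Server({"swrad2": b"Sw1tchPassw0rd"}))
    for side, pkt in log:
        print(side, pkt.hex())
    print("authenticated:", ok)
```

A successful run is five packets: Identity request and response, MD5-Challenge request and response, then EAP-Success. Setting `allow_md5=False` on the server reproduces what the thread later describes for a policy that only permits PEAP: the Identity response is answered with EAP-Failure before any challenge is sent.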
06-26-2010 08:30 AM
Re: 802.1x Installation problem with switch hp procurve
Because MD5 is just based on authentication (login/password) and EAP-PEAP also adds a certificate authority, if I understand correctly. My company wants me to use certificates for RADIUS authentication, so if it's not possible I have to explain precisely why.
I hope you understand what I mean.
Thanks a lot for your help ;)
06-26-2010 12:04 PM
Re: 802.1x Installation problem with switch hp procurve
Yes (I do this all the time): create a new special policy in RADIUS just for this "switch user", using a special group ID for the user to validate the RADIUS test, and do not make this switch user ID a member of ANY other groups; also, the only EAP type allowed is MD5.
Example:
switch userid = "switch1" (in AD)
group ID = "switches" (in AD and IAS)
EAP = MD5 (in IAS)
Your computer users are not members of this switch group, and they must authenticate using EAP-PEAP.
hth...Jeff
06-26-2010 06:27 PM
Re: 802.1x Installation problem with switch hp procurve
I have just one other question: why was my authenticator switch correctly recognized? It was in a switch group in AD and in IAS, but with an EAP policy like the other users, and it was OK. Can you explain that to me, please?
Thanks again for your answer.
manu
06-27-2010 06:50 AM
Re: 802.1x Installation problem with switch hp procurve
Well, I cannot explain it without seeing the actual RADIUS/IAS policy config.
Just to make sure, order your remote access policies in IAS so that the switch test is above your user tests.
hth...Jeff
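Jeff's two pieces of advice (a dedicated group with an MD5-only policy for the switch account, and that policy ordered above the user policies) follow from how IAS evaluates remote access policies: the first policy whose conditions match the request is applied, and a request that then fails that policy's profile constraints is rejected without any later policy being tried. The model below is an added Python illustration of that first-match behaviour, not IAS code and not anything from the thread; the group names, the "MD5"/"PEAP" labels and the request fields are assumptions, and the requests are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset       # condition: user must belong to at least one of these
    allowed_eap: frozenset  # profile constraint: EAP types this policy permits


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    eap_type: str           # "MD5" or "PEAP" (labels are assumptions)


def evaluate(policies, req):
    """First policy whose conditions match is applied; a request that matches the
    conditions but not the profile is rejected, with no fall-through to later
    policies. No match at all is a reject. Returns (decision, policy name)."""
    for pol in policies:
        if req.groups & pol.groups:
            decision = "accept" if req.eap_type in pol.allowed_eap else "reject"
            return decision, pol.name
    return "reject", None


# Policies modelled on the thread: a switch-only MD5 policy and a PEAP policy for people.
SWITCH_POLICY = Policy("supplicant switches", frozenset({"grpswsupplicant"}), frozenset({"MD5"}))
USER_POLICY = Policy("domain users", frozenset({"Domain Users"}), frozenset({"PEAP"}))

# Constructed requests. swrad2 is still in Domain Users because every AD user account
# has a primary group, so it can also match a policy aimed at people.
SWITCH_REQ = Request("swrad2", frozenset({"grpswsupplicant", "Domain Users"}), "MD5")
USER_REQ = Request("alice", frozenset({"Domain Users"}), "PEAP")
USER_MD5_REQ = Request("alice", frozenset({"Domain Users"}), "MD5")


def outcomes(policies):
    """Decision for each constructed request under the given policy order."""
    return {r.user + "/" + r.eap_type: evaluate(policies, r)
            for r in (SWITCH_REQ, USER_REQ, USER_MD5_REQ)}


def switch_policy_first():
    return outcomes([SWITCH_POLICY, USER_POLICY])


def user_policy_first():
    """Wrong order: swrad2 matches the user policy first and is rejected for using MD5."""
    return outcomes([USER_POLICY, SWITCH_POLICY])


def broad_switch_policy():
    """The converse misconfiguration (my extension of Jeff's point): a switch MD5 policy
    whose condition also matches ordinary users lets anyone authenticate with EAP-MD5."""
    broad = Policy("switches (too broad)", frozenset({"Domain Users"}), frozenset({"MD5"}))
    return outcomes([broad, USER_POLICY])


if __name__ == "__main__":
    for label, result in (("switch policy first", switch_policy_first()),
                          ("user policy first", user_policy_first()),
                          ("broad switch policy", broad_switch_policy())):
        print(label, result)
```

With the switch policy first, swrad2/MD5 is accepted, alice/PEAP is accepted, and alice/MD5 is rejected by the user policy. With the order reversed, swrad2 hits the user policy and is rejected for using MD5, which is the failure the ordering advice prevents. The broad variant shows why the condition must be a group that contains only the switch accounts: once the MD5 policy's condition matches people, it accepts alice/MD5 and, by first-match, rejects alice/PEAP.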
06-28-2010 01:09 AM
Re: 802.1x Installation problem with switch hp procurve
What I did:
- I created a new group called grpswsupplicant, which contains the supplicant switch called swrad2.
- I added an IAS policy with MD5 configuration for the group grpswsupplicant.
- On this switch, I added the command (radius-server host 30.0.0.1 key testkey), and in AD I changed the switch password to "testkey".
So I thought the username was swrad2 and the password was testkey, but the problem persists, with another error message.
You can find in the attachment a screen capture of the IAS remote policy order and configuration, and also the error message read in the Windows logs.
Any idea?
Thanks again for your help