Switches, Hubs, and Modems
Re: 802.1x Installation problem with switch hp procurve

manui31804
Advisor

802.1x Installation problem with switch hp procurve

Hello!
I'm currently in training at a big company.
I have to set up RADIUS authentication with a Windows 2003 server and HP ProCurve switches.

Actually, I tried to authenticate a user with only one switch (2824). It was a success. I now want to add another switch which will be a "supplicant" switch, while the first one stays the "authenticator" switch. My problem is that I don't know how to configure the supplicant switch. I found a lot of information on the internet, but also for wireless authentication. I found a command on the switch which is "aaa port-access supplicant", but I don't really know how to use it. Any idea?

Here are my switch configurations:

supplicant (30.0.0.2) :

; J9280A Configuration Editor; Created on release #Y.11.12

hostname "swrad2"
snmp-server contact "Cellule Reseau"
time timezone 60
time daylight-time-rule Western-Europe
no web-management
web-management ssl
no telnet-server
ip default-gateway 30.0.0.1
sntp server 10.63.69.113
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
snmp-server host 10.63.1.82 "public"
vlan 1
name "DEFAULT_VLAN"
untagged 1-48
ip address 30.0.0.2 255.255.255.0
exit
vlan 2
name "auth"
ip address 40.0.0.2 255.255.255.0
tagged 44
exit
vlan 3
name "unauth"
ip address 50.0.0.2 255.255.255.0
tagged 44
exit
aaa authentication port-access eap-radius
radius-server host 30.0.0.1 key 8U3K2jFV
aaa port-access authenticator 1-12
aaa port-access authenticator 1 auth-vid 2
aaa port-access authenticator 1 unauth-vid 3
aaa port-access authenticator 2 auth-vid 2
aaa port-access authenticator 2 unauth-vid 3
aaa port-access authenticator 3 auth-vid 2
aaa port-access authenticator 3 unauth-vid 3
aaa port-access authenticator 4 auth-vid 2
aaa port-access authenticator 4 unauth-vid 3
aaa port-access authenticator 5 auth-vid 2
aaa port-access authenticator 5 unauth-vid 3
aaa port-access authenticator 6 auth-vid 2
aaa port-access authenticator 6 unauth-vid 3
aaa port-access authenticator active
aaa port-access supplicant 44
ip ssh
ip ssh filetransfer
no tftp client
no tftp server
password manager


authenticator (30.0.0.3):

; J4903A Configuration Editor; Created on release #I.10.77

hostname "swrad1"
snmp-server contact "Cellule Reseau"
time timezone 60
time daylight-time-rule Western-Europe
no web-management
web-management ssl
no telnet-server
interface 1
no lacp
exit
interface 2
no lacp
exit
interface 3
no lacp
exit
interface 4
no lacp
exit
interface 5
no lacp
exit
interface 6
no lacp
exit
interface 7
no lacp
exit
interface 8
no lacp
exit
sntp server 10.63.69.113
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
snmp-server host 10.63.1.82 "public"
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address 30.0.0.3 255.255.255.0
exit
vlan 2
name "auth"
ip address 40.0.0.3 255.255.255.0
ip helper-address 40.0.0.1
tagged 20,24
exit
vlan 3
name "unauth"
ip address 50.0.0.3 255.255.255.0
tagged 20,24
exit
aaa authentication port-access eap-radius
radius-server host 30.0.0.1 key 8U3K2jFV
aaa port-access authenticator 1-8
aaa port-access authenticator 1 auth-vid 2
aaa port-access authenticator 1 unauth-vid 3
aaa port-access authenticator 2 auth-vid 2
aaa port-access authenticator 2 unauth-vid 3
aaa port-access authenticator 3 auth-vid 2
aaa port-access authenticator 3 unauth-vid 3
aaa port-access authenticator 4 auth-vid 2
aaa port-access authenticator 4 unauth-vid 3
aaa port-access authenticator active
aaa port-access supplicant 1
ip ssh
ip ssh filetransfer
no tftp client
no tftp server
password manager


Thanks for your answers and sorry for my English. I hope you'll understand what I mean.
18 REPLIES
Oleg Sukharev
Valued Contributor
Solution

Re: 802.1x Installation problem with switch hp procurve

Hi,

Please take a look at pages 8-42 - 8-46 of ProCurve Series 2510G Switches Access Security Guide (http://cdn.procurve.com/training/Manuals/2510G-Security-Jun2008-59923097.pdf)

I guess you should run the following commands on the second switch in config mode:

aaa port-access supplicant
aaa port-access supplicant identity
-- enter password twice on prompt

The first command enables supplicant operation on uplink port (44 I guess) going to ProCurve 2824. The second one provides the switch with the credentials to use during 802.1x authentication.

Also check that the port on the 2824 going to the 2510G is in authenticator mode and not in supplicant mode.

HTH
Oleg
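As an added check (my own example, not from the thread or from ProCurve), the script below parses the `aaa port-access` lines of a ProCurve config and reports any port configured as both authenticator and supplicant; the excerpts are copied from the two configs posted above, and the port-list parser handles the `1-12` and `20,24` forms used there.

```python
"""Flag ProCurve ports that are both 802.1X authenticator and supplicant.

Added example, not from the thread. A switch's own supplicant uplink
should not also be challenging its peer, so overlapping roles are worth
a second look.
"""
import re

# Excerpts copied from the configs posted in the thread.
SWRAD1_EXCERPT = """\
hostname "swrad1"
aaa port-access authenticator 1-8
aaa port-access authenticator 1 auth-vid 2
aaa port-access authenticator active
aaa port-access supplicant 1
"""

SWRAD2_EXCERPT = """\
hostname "swrad2"
aaa port-access authenticator 1-12
aaa port-access authenticator active
aaa port-access supplicant 44
"""

# Matches only the role lines that carry a bare port list,
# not per-port options such as "authenticator 1 auth-vid 2".
ROLE_LINE = re.compile(r"^aaa port-access (authenticator|supplicant) ([\d,\-]+)$")


def expand_ports(spec: str) -> set[int]:
    """Expand a ProCurve port list such as '1-12', '20,24' or '1-4,7'."""
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return ports


def port_roles(config: str) -> dict[str, set[int]]:
    """Collect the authenticator and supplicant port sets from a config."""
    roles: dict[str, set[int]] = {"authenticator": set(), "supplicant": set()}
    for line in config.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            roles[m.group(1)] |= expand_ports(m.group(2))
    return roles


def conflicting_ports(config: str) -> set[int]:
    """Ports that one switch lists as both authenticator and supplicant."""
    roles = port_roles(config)
    return roles["authenticator"] & roles["supplicant"]


if __name__ == "__main__":
    for name, cfg in (("swrad1", SWRAD1_EXCERPT), ("swrad2", SWRAD2_EXCERPT)):
        print(name, "conflicting ports:", sorted(conflicting_ports(cfg)) or "none")
```

On the posted swrad1 config this reports port 1, which sits inside the `authenticator 1-8` range and is also the supplicant port.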
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

Thanks a lot for your answer.
Actually I had already seen this PDF and this part, but I didn't use your second command. If I understand, it is used to identify the switch and give it a name, right? It will solve my problem, I think, because in the event viewer the second switch had no FQDN.
I'll try this this afternoon and come back to you after.
Thanks for your help ;)
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

OK, I tried your command, and it's better given that the username of the switch now appears correctly, but I still have a problem.

It's at the EAP level; something is missing, because even with the correct name the switch isn't recognized correctly.

In the attachment you'll find the result from the event viewer, if it can help you find the other problem.

Thanks for your answer.

manu
Shadow13
Respected Contributor

Re: 802.1x Installation problem with switch hp procurve

I think the switch, being a supplicant, will work with MD5 auth, as mentioned in the command help:

'identity' sets the identity to be used by the port
supplicant when MD5 authentication request is received
from an authenticator.
o 'secret' sets the secret to be used by the port
supplicant when MD5 authentication request is received
from an authenticator. User will be prompted to enter
the secret after the command is invoked.
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

Thanks for your answer. Is it possible to authenticate the switch with MD5 while keeping EAP-PEAP for users? If yes, how could I do it? Something to configure on the server? On the switch?

Because MD5 is just based on authentication (login/pass) and EAP-PEAP also adds a certificate authority, if I understand. My company wants me to use certificates for RADIUS authentication, so if it's not possible I have to explain precisely why.

I hope you understand what I mean.

Thanks a lot for your help ;)

Jeff Carrell
Honored Contributor

Re: 802.1x Installation problem with switch hp procurve

manui31804 asked "...is it possible to authenticate the switch with MD5 and keeping EAP-PEAP for users? If Yes, how could i do? something to configure to the server? to the switch?"

Yes (do this all the time), create a new special policy in RADIUS just for this "switch user", using a special group ID for the user to validate the RADIUS test, and do not make this switch userid a member of ANY other groups; also, the only EAP type allowed is MD5.

Example:
switch userid = "switch1" (in AD)
group ID = "switches" (in AD and IAS)
EAP = MD5 (in IAS)

For your computer users, they are not member of this switch group and they must authenticate using EAP-PEAP.

hth...Jeff
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

Oh, thanks a lot for your answer, I understand now. I'll try this on Monday.
I have just one other question: why was my authenticator switch correctly recognized? Because it was in a switch group in AD and in IAS, but with an EAP policy like other users. And it was OK. Can you explain that to me please?

Thanks again for your answer.

manu
Jeff Carrell
Honored Contributor

Re: 802.1x Installation problem with switch hp procurve

manui31804 asked: "... why my authenticator switch was correctly recognized? because it was on a switch group in AD and in IAS but with EAP policy like other users. And it was OK. You can explain me that please?"

Well, I cannot explain it without seeing the actual RADIUS/IAS policy config.

Just to make sure, order your remote access policies in IAS so that the switch test is above your user tests.

hth...Jeff
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

OK, this morning I tried your solution, but again problems.

What I did:
- I created a new group called (grpswsupplicant) which contains the supplicant switch called (swrad2).

- I added an IAS policy with MD5 configuration for the group grpswsupplicant.

- On this switch, I added the command (radius-server host 30.0.0.1 key testkey) and in AD I changed the switch password to "testkey".

So I thought the username was swrad2 and the password was testkey, but there are still problems and another error message.

In the attachment you can find a screenshot of the IAS remote policy order and configuration, and also the error message read in the Windows logs.

Any idea?

Thanks again for your help