Switches, Hubs, and Modems
802.1x Installation problem with switch hp procurve

manui31804
Advisor

802.1x Installation problem with switch hp procurve

Hello!
I'm currently in training at a big company.
I have to set up RADIUS authentication with a 2003 server and HP ProCurve switches.

Actually, I tried to authenticate a user with only one switch (2824). It was a success. I now want to add another switch which will be a "supplicant" switch, and the first one stays the "authenticator" switch. My problem is that I don't know how to configure the supplicant switch. I found lots of information on the internet, but also for wireless authentication. I found a command on the switch which is "aaa port-access supplicant", but I don't really know how to use it. Any idea?

Here are my switch configurations:

supplicant (30.0.0.2) :

; J9280A Configuration Editor; Created on release #Y.11.12

hostname "swrad2"
snmp-server contact "Cellule Reseau"
time timezone 60
time daylight-time-rule Western-Europe
no web-management
web-management ssl
no telnet-server
ip default-gateway 30.0.0.1
sntp server 10.63.69.113
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
snmp-server host 10.63.1.82 "public"
vlan 1
name "DEFAULT_VLAN"
untagged 1-48
ip address 30.0.0.2 255.255.255.0
exit
vlan 2
name "auth"
ip address 40.0.0.2 255.255.255.0
tagged 44
exit
vlan 3
name "unauth"
ip address 50.0.0.2 255.255.255.0
tagged 44
exit
aaa authentication port-access eap-radius
radius-server host 30.0.0.1 key 8U3K2jFV
aaa port-access authenticator 1-12
aaa port-access authenticator 1 auth-vid 2
aaa port-access authenticator 1 unauth-vid 3
aaa port-access authenticator 2 auth-vid 2
aaa port-access authenticator 2 unauth-vid 3
aaa port-access authenticator 3 auth-vid 2
aaa port-access authenticator 3 unauth-vid 3
aaa port-access authenticator 4 auth-vid 2
aaa port-access authenticator 4 unauth-vid 3
aaa port-access authenticator 5 auth-vid 2
aaa port-access authenticator 5 unauth-vid 3
aaa port-access authenticator 6 auth-vid 2
aaa port-access authenticator 6 unauth-vid 3
aaa port-access authenticator active
aaa port-access supplicant 44
ip ssh
ip ssh filetransfer
no tftp client
no tftp server
password manager


authenticator (30.0.0.3):

; J4903A Configuration Editor; Created on release #I.10.77

hostname "swrad1"
snmp-server contact "Cellule Reseau"
time timezone 60
time daylight-time-rule Western-Europe
no web-management
web-management ssl
no telnet-server
interface 1
no lacp
exit
interface 2
no lacp
exit
interface 3
no lacp
exit
interface 4
no lacp
exit
interface 5
no lacp
exit
interface 6
no lacp
exit
interface 7
no lacp
exit
interface 8
no lacp
exit
sntp server 10.63.69.113
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
snmp-server host 10.63.1.82 "public"
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address 30.0.0.3 255.255.255.0
exit
vlan 2
name "auth"
ip address 40.0.0.3 255.255.255.0
ip helper-address 40.0.0.1
tagged 20,24
exit
vlan 3
name "unauth"
ip address 50.0.0.3 255.255.255.0
tagged 20,24
exit
aaa authentication port-access eap-radius
radius-server host 30.0.0.1 key 8U3K2jFV
aaa port-access authenticator 1-8
aaa port-access authenticator 1 auth-vid 2
aaa port-access authenticator 1 unauth-vid 3
aaa port-access authenticator 2 auth-vid 2
aaa port-access authenticator 2 unauth-vid 3
aaa port-access authenticator 3 auth-vid 2
aaa port-access authenticator 3 unauth-vid 3
aaa port-access authenticator 4 auth-vid 2
aaa port-access authenticator 4 unauth-vid 3
aaa port-access authenticator active
aaa port-access supplicant 1
ip ssh
ip ssh filetransfer
no tftp client
no tftp server
password manager


Thanks for your answers and sorry for my English. I hope you'll understand what I mean.
Oleg Sukharev
Valued Contributor
Solution

Re: 802.1x Installation problem with switch hp procurve

Hi,

Please take a look at pages 8-42 - 8-46 of ProCurve Series 2510G Switches Access Security Guide (http://cdn.procurve.com/training/Manuals/2510G-Security-Jun2008-59923097.pdf)

I guess you should run the following commands on the second switch in config mode:

aaa port-access supplicant
aaa port-access supplicant identity
-- enter password twice on prompt

The first command enables supplicant operation on uplink port (44 I guess) going to ProCurve 2824. The second one provides the switch with the credentials to use during 802.1x authentication.

Also check that port on 2824 going to 2510g is in authenticator mode and not in supplicant.

HTH
Oleg
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

Thanks a lot for your answer.
Actually I had already seen this PDF and this part, but I didn't use your second command. If I understand, it is used to identify the switch and to give it a name, right? I think it will resolve my problem, because in the event viewer the second switch had no FQDN.
I'll try this this afternoon and come back to you after.
Thanks for your help ;)
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

OK, I tried your command, and it's better given that the username of the switch now appears correctly, but I still have a problem.

It's at the EAP level; something is missing, because even with the correct name, the switch isn't recognized correctly.

In the attachment, you'll find the result found in the event viewer, if it can help you to find the other problem.

Thanks for your answer.

manu
Shadow13
Respected Contributor

Re: 802.1x Installation problem with switch hp procurve

I think, the switch being a supplicant, it will work with MD5 auth, as mentioned by the command help:

o 'identity' sets the identity to be used by the port
supplicant when MD5 authentication request is received
from an authenticator.
o 'secret' sets the secret to be used by the port
supplicant when MD5 authentication request is received
from an authenticator. User will be prompted to enter
the secret after the command is invoked.
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

Thanks for your answer. Is it possible to authenticate the switch with MD5 while keeping EAP-PEAP for users? If yes, how could I do it? Something to configure on the server? On the switch?

Because MD5 is just based on authentication (login/pass) and EAP-PEAP also adds a certificate authority, if I understand. My company wants me to use certificates for RADIUS authentication, so if it's not possible I have to explain precisely why.

I hope you understand what I mean.

Thanks a lot for your help ;)

Jeff Carrell
Honored Contributor

Re: 802.1x Installation problem with switch hp procurve

manui31804 asked "...is it possible to authenticate the switch with MD5 while keeping EAP-PEAP for users? If yes, how could I do it? Something to configure on the server? On the switch?"

Yes (do this all the time): create a new special policy in RADIUS just for this "switch user", using a special group ID for the user to validate the RADIUS test, do not make this switch userid a member of ANY other groups, and make MD5 the only EAP type allowed.

Example:
switch userid = "switch1" (in AD)
group ID = "switches" (in AD and IAS)
EAP = MD5 (in IAS)

For your computer users, they are not member of this switch group and they must authenticate using EAP-PEAP.

hth...Jeff
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

Oh, thanks a lot for your answer, I understand now. I'll try this on Monday.
I have just one other question: why was my authenticator switch correctly recognized? Because it was in a switch group in AD and in IAS, but with an EAP policy like other users, and it was OK. Can you explain that to me, please?

Thanks again for your answer.

manu
Jeff Carrell
Honored Contributor

Re: 802.1x Installation problem with switch hp procurve

manui31804 asked: "... why was my authenticator switch correctly recognized? Because it was in a switch group in AD and in IAS, but with an EAP policy like other users, and it was OK. Can you explain that to me, please?"

Well, I cannot explain it without seeing the actual RADIUS/IAS policy config.

Just to make sure, order your remote access policies in IAS so that the switch test is above your user tests.

hth...Jeff
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

OK, this morning I tried your solution, but again problems.

What I did:
- I created a new group called (grpswsupplicant) which contains the supplicant switch called (swrad2).

- I added an IAS policy with MD5 configuration for the group grpswsupplicant.

- On this switch, I added the command (radius-server host 30.0.0.1 key testkey) and in AD, I changed the switch password to "testkey".

So I thought the username was swrad2 and the password was testkey, but problems remain and there is another error message.

You can find in the attachment a screen capture of the IAS remote policies order and configuration, and also the error message read in the Windows logs.

Any idea?

Thanks again for your help

Jeff Carrell
Honored Contributor

Re: 802.1x Installation problem with switch hp procurve

manui31804 stated: "... error message read on the windows log"

The answer is in the error message:

Configuring passwords for reversible encrypted format to support EAP-MD5 is required due to the way passwords are handled using EAP-MD5 in Active Directory.

If you configure AD in this manner, this "new" setting will only apply for newly created passwords, so passwords from existing users aren't affected until their password gets changed/reset.

Note that this is a dangerous setting security wise, and in almost no production environment should this Password Policy Setting be enabled domain wide. It can also be set per user.

Reversible encryption is needed for the Web authentication and 802.1X CHAP (MD5), but NOT for the 802.1X authentication. In most production environments, only the user accounts that are used for Web authentication (for example guest accounts) should have "Store password using reversible encryption" set, as well as those specific MD5-only systems (like the switch, sometimes VoIP phones).

This configuration can be used on a per user basis with the "Active Directory Users and Computers" tool, under the "Account" tab of the user's properties.

As a note, W2K8 has the capability to have multiple "global" security policies, where you can have one policy support reversible password encryption and others that do not allow it...this is one of the major features that W2K/W2K3 do not offer.

hth...Jeff
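Why the reversible-encryption setting is unavoidable for EAP-MD5, worked through in code. This is an added example, not from the thread or from HP: EAP-MD5 (RFC 3748 section 5.4) reuses the CHAP computation of RFC 1994, and the RADIUS server has to recompute the digest, so it needs the cleartext secret. Identity "swrad2" and password "testkey" come from the thread; the challenge, EAP Identifier and the two user stores are constructed.

```python
import hashlib
import hmac
import os
import struct

# EAP-MD5 Response-Value = MD5(Identifier || Secret || Challenge)  (RFC 1994 / RFC 3748).
# The server recomputes it, so it must hold the secret in cleartext (AD: "Store password
# using reversible encryption"). A one-way hash of the password is useless to it.
EAP_RESPONSE = 2
EAP_TYPE_MD5 = 4


def md5_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The digest that both supplicant and authentication server compute."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_md5_response(identifier: int, identity: bytes, secret: bytes, challenge: bytes) -> bytes:
    """Supplicant side: EAP-Response/MD5-Challenge = Code, Id, Length, Type, Value-Size, Value, Name."""
    value = md5_response_value(identifier, secret, challenge)
    body = struct.pack("!B", len(value)) + value + identity
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(body), EAP_TYPE_MD5) + body


def parse_md5_response(packet: bytes):
    """Server side: return (identifier, value, identity); reject malformed packets."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MD5 or length != len(packet):
        raise ValueError("not a well-formed EAP-Response/MD5-Challenge")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if value_size != 16 or len(value) != 16:   # MD5 digest is always 16 bytes
        raise ValueError("bad MD5 value size")
    return identifier, value, packet[6 + value_size:]


def verify_md5_response(packet: bytes, challenge: bytes, lookup_secret) -> bool:
    """Server side: lookup_secret(identity) must return the CLEARTEXT secret, or None."""
    identifier, value, identity = parse_md5_response(packet)
    secret = lookup_secret(identity)
    return secret is not None and hmac.compare_digest(md5_response_value(identifier, secret, challenge), value)


# Constructed user stores: reversible encryption on vs. the default one-way storage
# (sha256 stands in for AD's real one-way NT hash; either way the server cannot invert it).
USERS_CLEARTEXT = {b"swrad2": b"testkey"}
USERS_HASHED = {b"swrad2": hashlib.sha256(b"testkey").digest()}


def demo(challenge=None):
    """Same supplicant packet checked against both stores: (True, False)."""
    challenge = challenge or os.urandom(16)
    pkt = build_md5_response(7, b"swrad2", b"testkey", challenge)
    return (verify_md5_response(pkt, challenge, USERS_CLEARTEXT.get),
            verify_md5_response(pkt, challenge, USERS_HASHED.get))
```

Run `demo()` to see that only the store holding the cleartext password can validate the response, which is exactly the per-user setting Jeff recommends rather than a domain-wide one.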
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

OK, I tried this solution.

I added a new OU which contains the supplicant switch. I added a GPO on this OU where I allowed reversible password encryption. So I suppose it will only be applied to the supplicant switch. To be sure, I disabled this user, reset its password and reactivated it. I then restarted the switch and the server, but always the same problem and the same error message as in my last post.

In the attachment, a screenshot of what I did.

Thanks for your explanations, I understood a lot of things.

My company uses Windows 2003 servers, so I have to test my solution on this kind of server and not on 2008. But it could be nice to try it afterwards, because it looks interesting.

Any idea or tests that I could do?

Thanks

manu
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

Yes, it works!!
I tried to apply the reversibly encrypted password setting directly on the swrad2 user and not as a GPO like I did before, and it worked.

Thanks Oleg, Shadow and Jeff for your answers, I learned a lot thanks to you.

I have one more question (and the last, I hope):

When a user is connected on the supplicant switch, he doesn't need a certificate, but if he's connected on the authenticator switch, the certificate is required.
I suppose it's due to the MD5 policy applied on the supplicant switch.
Is it possible to force the user to use a certificate when he's connected on a supplicant switch?

Thanks for your answer, thanks for all!
Jeff Carrell
Honored Contributor

Re: 802.1x Installation problem with switch hp procurve

glad it's working!!! happy to assist :-)

getting 802.1X to work is not "hard", but there are many components to make work together making it hard sometimes.

manui31804 asked: "Is it possible to force user to use certificate when he's connected on a supplicant switch?"

Yes, you should be able to configure the 2nd switch (supplicant configured switch) just like the 1st switch...define the 2nd switch as a RADIUS client, configure switch#2 with RADIUS and 802.1X support for the user ports, etc...

If the 2nd switch does not support 802.1X, then on the port on switch#1 that switch#2 connects to, define how many MAC addresses you want it to allow (1-32) for 802.1X authentication, and then when a new supplicant sends its EAP traffic, switch#1 will simply forward that request through - but, when doing this, after the first user (switch#2 in this case) gets authenticated, all subsequent users must be assigned into the same VLAN as the switch#2 user is - you cannot have multiple authenticated users in different untagged VLANs on the same port - this is the value of the first option - each user gets separately authenticated and can be assigned their own VLAN id from RADIUS.

hth...Jeff


ps, I did a presentation 2 weeks ago at Sharkfest'10 on troubleshooting 802.1X titled: Network Access Security - It's Broken, Now What? the presentation is posted at:

http://www.cacetech.com/sharkfest.10/

in addition, many of the presentations done were video'd (including mine :-) see them at:

http://www.lovemytool.com/blog/2010/06/
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

Thanks for your solutions, I'll try them and if there are problems, I'll come back to you.

Thanks also for your presentation; I will read this part during the week, because 802.1X is really interesting.

regards

manu
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

Hi again!

We worked a lot on another project, so I just tried your solution yesterday.

My supplicant is correctly authenticated and my user just after, so it's OK. But one more thing I forgot to ask:

Is it possible to authenticate the authenticator switch using MD5 like the supplicant? Because I tried to do the same configuration (with reversible password...) but it's not working for the authenticator, so I just left it on a basic port (not a RADIUS port) to find another solution if possible.

I was a little tired yesterday, so maybe I did something wrong, but I would like to be sure.

Thanks a lot for your answer.

PS: I saw your PDF presentation, Jeff, and I learned many more things. Thanks a lot ;)

manu
Jeff Carrell
Honored Contributor

Re: 802.1x Installation problem with switch hp procurve

manu said: "Is it possible to authenticate the authenticator switch using MD5 like the supplicant? Because I tried to do the same configuration (with reversible password...) but it's not working for the authenticator, so I just left it on a basic port (not a RADIUS port) to find another solution if possible.

I was a little tired yesterday, so maybe I did something wrong, but I would like to be sure."

Yes, you must configure a uid/pw on the 2nd switch so it can pass that info up to the 1st switch port when the 1st switch sends its radius-request message as the port comes up.

Hope that makes sense.

Glad the info I provided was of value to you :-)

hth...Jeff
manui31804
Advisor

Re: 802.1x Installation problem with switch hp procurve

Sorry, I forgot to answer.

Thanks for all. Everything is working now thanks to you ;).

Do you think that for 802.1x on a wired network it's better to use a 2008 server?

Because you told me there was the possibility to have multiple security policies. Are there other advantages to using a 2008 server rather than 2003?

Jeff Carrell
Honored Contributor

Re: 802.1x Installation problem with switch hp procurve

manui31804 wrote: "Do you think that for 802.1x on a wired network it's better to use a 2008 server?

Because you told me there was the possibility to have multiple security policies. Are there other advantages to using a 2008 server rather than 2003?"

W2K8-NPS has 2 resources to configure access control policies where W2K3-IAS only had one.

Now you get "connection policies" and "network policies" which provides more granular control of overall access policies - you can tune more directly where/how folks or devices authenticate on the network.

So that and more granular security policies makes W2K8 "way better" in my opinion.

glad I was able to help...Jeff