Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

802.1x and port-access mac-based config CHAP v2 question

SOLVED
Go to solution
jmglass
Occasional Advisor

802.1x and port-access mac-based config CHAP v2 question


Greetings and thanks for any/all feedback!

Need to support non 802.1x clients such as games systems. Using port-access with MAC authentication on ProCurve switches and I am logging on my Radius server for these non 802.1x clients:

Handshake Authentication Protocol (CHAP).
A reversibly encrypted password does not exist for this user account.
To ensure that reversibly encrypted passwords are enabled,
check either the domain password policy or the password settings on the user account.

Any support for CHAP v2 when the mac-based is used on the following switches?
HP2848, J4904A revision I.10.82
HP2810, J49022A revision N.11.25
HP2910al, J9147A revision W.14.49

Do not want to change active directory to enable storage of a reversibly encrypted form of the password just for support of gaming systems.

Clients using 802.1x get on OK. If client not currently 802.1x capable but able to support, client pushed to registration VLAN 2999 were they will be able to download and configure 802.1x configuration.

~Snip of current config, a MAC authentication client fails on the CHAP login.


; J9022A Configuration Editor; Created on release #N.11.25
hostname "bf1test01"
snmp-server contact "Resnet"
snmp-server location "BF1 "
mac-age-time 7200
time timezone -300
time daylight-time-rule Continental-US-and-Canada
no cdp run
console inactivity-timer 30
ip default-gateway X.X.X.X
sntp server
timesync sntp
sntp unicast
snmp-server host X.X.X.X
vlan 1
name "DEFAULT_VLAN"
untagged 48
ip address X.X.X.X Y.Y.Y.Y
no untagged 1-47
exit
vlan 232
name "BF1_VLAN"
untagged 1-47
no ip address
tagged 48
ip igmp
exit
vlan 2999
name "Quar_VLAN"
no ip address
tagged 48
exit
no lldp run
aaa authentication port-access eap-radius
radius-server host X.X.X.X
aaa port-access authenticator 1-12
aaa port-access authenticator 1 auth-vid 232
aaa port-access authenticator 1 client-limit 1
aaa port-access authenticator 2 auth-vid 232
aaa port-access authenticator 2 client-limit 1
aaa port-access authenticator 3 auth-vid 232
aaa port-access authenticator 3 client-limit 1
aaa port-access authenticator 4 auth-vid 232
aaa port-access authenticator 4 client-limit 1
aaa port-access authenticator 5 auth-vid 232
aaa port-access authenticator 5 client-limit 1
aaa port-access authenticator 6 auth-vid 232
aaa port-access authenticator 6 client-limit 1
aaa port-access authenticator 7 auth-vid 232
aaa port-access authenticator 7 client-limit 1
aaa port-access authenticator 8 auth-vid 232
aaa port-access authenticator 8 client-limit 1
aaa port-access authenticator 9 auth-vid 232
aaa port-access authenticator 9 client-limit 1
aaa port-access authenticator 10 auth-vid 232
aaa port-access authenticator 10 client-limit 1
aaa port-access authenticator 11 auth-vid 232
aaa port-access authenticator 11 client-limit 1
aaa port-access authenticator 12 auth-vid 232
aaa port-access authenticator 12 client-limit 1
aaa port-access authenticator active
aaa port-access mac-based 1-12
aaa port-access mac-based 1 unauth-vid 2999
aaa port-access mac-based 2 unauth-vid 2999
aaa port-access mac-based 3 unauth-vid 2999
aaa port-access mac-based 4 unauth-vid 2999
aaa port-access mac-based 5 unauth-vid 2999
aaa port-access mac-based 6 unauth-vid 2999
aaa port-access mac-based 7 unauth-vid 2999
aaa port-access mac-based 8 unauth-vid 2999
aaa port-access mac-based 9 unauth-vid 2999
aaa port-access mac-based 10 unauth-vid 2999
aaa port-access mac-based 11 unauth-vid 2999
aaa port-access mac-based 12 unauth-vid 2999
password manager
password operator


thanks!
jim
2 REPLIES
Jens Egger
Occasional Advisor
Solution

Re: 802.1x and port-access mac-based config CHAP v2 question

Hi Jim,

as fair as I know MS-Chap V2 is only supported on ProVision Devices like 3500/5400/8200. You may build a new trusted tree in the AD-Forrest with its own Group Policy and Radius-Server as a workaround and put the MACs in there.

Cheers


Jens
jmglass
Occasional Advisor

Re: 802.1x and port-access mac-based config CHAP v2 question

Thanks Jens!

jim