HPE Community
Switches, Hubs, and Modems
1753447 Members
4945 Online
108794 Solutions
New Discussion юеВ

Re: 802.1x authentication on PROCURVE 2510G-24

 
SOLVED
Go to solution
Stefano Cavazzini
Occasional Advisor

тАО01-11-2011 03:11 AM

тАО01-11-2011 03:11 AM

802.1x authentication on PROCURVE 2510G-24

Hello everybody, i'm trying some solutions for hardening my ethernet LAN.
I've installed FREERADIUS 2.1.10 on FEDORA 11 and a client win xp sp3 (with eapp authentication enabled) linked to the server through HP PROCURVE 2510G-24 SWITCH - all configured.
The authentication is made by LDAP located on other SAMBA SERVER.

When i connect to the lan (user, password and domain) the switch contact radius server but in the "rad_recv" information i see that the switch pass a "cutted" USER-NAME.

For example i log-in in windows with user="stefano" + password="test" + domain="mydomain" and i see in rad_recv that "user-name" is developed with "mydomain\st" (stefano is truncated).

I made some test and i saw that EVERY TIME "user-name" sent to RADIUS SERVER is truncated (domain\user) on 16th character
(in other words "user-name" in structure "rad_recv" is always 16 chr.), i've tried also with othen domain available in my company but the problem remain the same.

Could it be a problem of wrong switch configuration?? Or is a problem of the client (win XP SP3 - ACTIVATED IEEE 802.1X with PROTECTED EAP)?
I hope someone could help me.

Thanks in advance...Stefano.
0 Kudos
11 REPLIES 11
cenk sasmaztin
Honored Contributor

тАО01-16-2011 01:13 PM

тАО01-16-2011 01:13 PM

Re: 802.1x authentication on PROCURVE 2510G-24

please send me your switch config

sh run print
cenk

0 Kudos
Stefano Cavazzini
Occasional Advisor

тАО01-17-2011 12:45 AM

тАО01-17-2011 12:45 AM

Re: 802.1x authentication on PROCURVE 2510G-24

ProCurve Switch 2510G-24# sh run

Running configuration:

; J9279A Configuration Editor; Created on release #Y.11.12

hostname "ProCurve Switch 2510G-24"
mirror-port 1
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address dhcp-bootp
exit
aaa authentication port-access eap-radius
radius-server host 10.35.33.228 key test
aaa port-access authenticator 1
aaa port-access authenticator active

#####################################
i've configured port no. 1 of switch for working as port-access authentication (802.1x).




0 Kudos
cenk sasmaztin
Honored Contributor

тАО01-17-2011 01:13 AM

тАО01-17-2011 01:13 AM

Re: 802.1x authentication on PROCURVE 2510G-24

your config is false

fristly switch vlan 1 ip address must have statically your switch vlan 1 ip assign dhcp server

and can't see

aaa accounting network start-stop radius

command on switch

example config

aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server host 100.100.100.80 key procurve
aaa port-access authenticator A1-A24

cenk

0 Kudos
Stefano Cavazzini
Occasional Advisor

тАО01-17-2011 05:55 AM

тАО01-17-2011 05:55 AM

Re: 802.1x authentication on PROCURVE 2510G-24

I made the change as you suggested.

####################################

Running configuration:

; J9279A Configuration Editor; Created on release #Y.11.12

hostname "ProCurve Switch 2510G-24"
mirror-port 1
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address 10.35.33.164 255.255.255.0
exit
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server host 10.35.33.228 key test
aaa port-access authenticator 1
aaa port-access authenticator active

####################################

This is the frame received by RADIUS from the SWITCH:

####################################

rad_recv: Access-Request packet from host 10.35.33.164 port 1024, id=42, length=245
Framed-MTU = 1480
NAS-IP-Address = 10.35.33.164
NAS-Identifier = "ProCurve Switch 2510G-24"
User-Name = "CASTELGOFFREDO\\C"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-26-f1-bc-78-c0"
Calling-Station-Id = "00-0f-fe-80-4e-94"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x0208001e0143415354454c474f46465245444f5c434156415a5a30383036
Message-Authenticator = 0x957819fc68420fdba0a678a985a31daa

#########################################

as you can see all seems ok, but the

User-Name = "CASTELGOFFREDO\\C" is truncated, it had to be "CASTELGOFFREDO\\CAVAZZ0806"

Thanks a lot. Stefano.

0 Kudos
cenk sasmaztin
Honored Contributor

тАО01-25-2011 05:19 AM

тАО01-25-2011 05:19 AM

Re: 802.1x authentication on PROCURVE 2510G-24

which software version have to switch
cenk

0 Kudos
Stefano Cavazzini
Occasional Advisor

тАО01-25-2011 05:59 AM

тАО01-25-2011 05:59 AM

Re: 802.1x authentication on PROCURVE 2510G-24

Software Version Config File
Primary:
07/16/09 Y.11.12 Config
Secondary:
07/16/09 Y.11.12 Config
0 Kudos
cenk sasmaztin
Honored Contributor

тАО01-25-2011 06:18 AM

тАО01-25-2011 06:18 AM

Solution

Re: 802.1x authentication on PROCURVE 2510G-24

I think problem of switch software

same issue have y 11 16 software

please test

switch software downgrade y 11 01

and re test
cenk

cenk sasmaztin
Honored Contributor

тАО01-25-2011 06:28 AM

тАО01-25-2011 06:28 AM

Re: 802.1x authentication on PROCURVE 2510G-24



y 11 01 software

http://s3.dosya.tc/files/GZRVlV/2510G-Software-Y1101.zip.html
cenk

Stefano Cavazzini
Occasional Advisor

тАО01-25-2011 11:39 PM

тАО01-25-2011 11:39 PM

Re: 802.1x authentication on PROCURVE 2510G-24

i've installed y.11.16 software
now it works correctly.

GREAT. THANK YOU SO MUCH....

Stefano.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.