
802.1x authentication on PROCURVE 2510G-24

Stefano Cavazzini
Occasional Advisor

802.1x authentication on PROCURVE 2510G-24

Hello everybody, I'm trying some solutions for hardening my Ethernet LAN.
I've installed FreeRADIUS 2.1.10 on Fedora 11 and a Windows XP SP3 client (with EAP authentication enabled) linked to the server through an HP ProCurve 2510G-24 switch, all configured.
Authentication is done via LDAP located on another Samba server.

When I connect to the LAN (user, password and domain) the switch contacts the RADIUS server, but in the "rad_recv" information I see that the switch passes a "cut" User-Name.

For example, I log in to Windows with user="stefano" + password="test" + domain="mydomain" and I see in rad_recv that "user-name" is given as "mydomain\st" (stefano is truncated).

I ran some tests and saw that EVERY TIME the "user-name" sent to the RADIUS server is truncated (domain\user) at the 16th character
(in other words, "user-name" in the "rad_recv" structure is always 16 characters). I've also tried with other domains available in my company, but the problem remains the same.

Could it be a problem of wrong switch configuration? Or is it a problem with the client (Win XP SP3, IEEE 802.1X activated with Protected EAP)?
I hope someone can help me.

Thanks in advance...Stefano.
11 REPLIES
cenk sasmaztin
Honored Contributor

Re: 802.1x authentication on PROCURVE 2510G-24

Please send me your switch config.

sh run print
cenk

Stefano Cavazzini
Occasional Advisor

Re: 802.1x authentication on PROCURVE 2510G-24

ProCurve Switch 2510G-24# sh run

Running configuration:

; J9279A Configuration Editor; Created on release #Y.11.12

hostname "ProCurve Switch 2510G-24"
mirror-port 1
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address dhcp-bootp
exit
aaa authentication port-access eap-radius
radius-server host 10.35.33.228 key test
aaa port-access authenticator 1
aaa port-access authenticator active

#####################################
I've configured port no. 1 of the switch to work with port-access authentication (802.1X).




cenk sasmaztin
Honored Contributor

Re: 802.1x authentication on PROCURVE 2510G-24

Your config is incorrect.

Firstly, the switch VLAN 1 IP address must be static; your switch VLAN 1 IP is assigned by a DHCP server.

And I can't see the

aaa accounting network start-stop radius

command on the switch.

Example config:

aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server host 100.100.100.80 key procurve
aaa port-access authenticator A1-A24

cenk

Stefano Cavazzini
Occasional Advisor

Re: 802.1x authentication on PROCURVE 2510G-24

I made the change as you suggested.

####################################

Running configuration:

; J9279A Configuration Editor; Created on release #Y.11.12

hostname "ProCurve Switch 2510G-24"
mirror-port 1
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address 10.35.33.164 255.255.255.0
exit
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server host 10.35.33.228 key test
aaa port-access authenticator 1
aaa port-access authenticator active

####################################

This is the frame received by RADIUS from the SWITCH:

####################################

rad_recv: Access-Request packet from host 10.35.33.164 port 1024, id=42, length=245
Framed-MTU = 1480
NAS-IP-Address = 10.35.33.164
NAS-Identifier = "ProCurve Switch 2510G-24"
User-Name = "CASTELGOFFREDO\\C"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-26-f1-bc-78-c0"
Calling-Station-Id = "00-0f-fe-80-4e-94"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x0208001e0143415354454c474f46465245444f5c434156415a5a30383036
Message-Authenticator = 0x957819fc68420fdba0a678a985a31daa

#########################################

As you can see, all seems OK, but the

User-Name = "CASTELGOFFREDO\\C" is truncated; it should have been "CASTELGOFFREDO\\CAVAZZ0806"

Thanks a lot. Stefano.
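
A diagnostic check for the capture above, added here as an example and not part of the original post: it decodes the EAP-Response/Identity carried in EAP-Message and compares it with the User-Name attribute the switch filled in, which shows whether the supplicant or the NAS shortened the name. The function names are hypothetical, and it assumes the doubled backslash in the debug output stands for one literal backslash.

```python
import struct

EAP_RESPONSE = 2        # EAP Code field (RFC 3748)
EAP_TYPE_IDENTITY = 1   # EAP Type field (RFC 3748)

def parse_eap_identity(eap_hex):
    """Return the identity string from an EAP-Response/Identity packet."""
    raw = bytes.fromhex(eap_hex[2:] if eap_hex.lower().startswith("0x") else eap_hex)
    if len(raw) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field %d != %d bytes received" % (length, len(raw)))
    if code != EAP_RESPONSE or raw[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    return raw[5:].decode("utf-8", errors="replace")

def unescape_debug_value(value):
    """Assumption: the debug output prints one literal backslash as two."""
    return value.strip('"').replace("\\\\", "\\")

def compare_user_name(user_name_attr, eap_hex):
    """Classify how the NAS-supplied User-Name relates to the EAP identity."""
    user = unescape_debug_value(user_name_attr)
    identity = parse_eap_identity(eap_hex)
    if user == identity:
        status = "match"
    elif identity.startswith(user):
        status = "truncated"   # NAS copied only a prefix of the identity
    else:
        status = "mismatch"
    return {"status": status, "user_name": user, "user_name_len": len(user),
            "eap_identity": identity, "eap_identity_len": len(identity)}

# Values copied from the rad_recv output in the post above.
USER_NAME = r'"CASTELGOFFREDO\\C"'
EAP_MESSAGE = "0x0208001e0143415354454c474f46465245444f5c434156415a5a30383036"

if __name__ == "__main__":
    for key, val in compare_user_name(USER_NAME, EAP_MESSAGE).items():
        print("%-17s %s" % (key + ":", val))
```

A longer EAP payload can be split across several EAP-Message attributes in one RADIUS packet; concatenate them in order before passing the hex to `parse_eap_identity`.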

cenk sasmaztin
Honored Contributor

Re: 802.1x authentication on PROCURVE 2510G-24

Which software version does the switch have?
cenk

Stefano Cavazzini
Occasional Advisor

Re: 802.1x authentication on PROCURVE 2510G-24

Software Version Config File
Primary:
07/16/09 Y.11.12 Config
Secondary:
07/16/09 Y.11.12 Config
cenk sasmaztin
Honored Contributor
Solution

Re: 802.1x authentication on PROCURVE 2510G-24

I think it's a problem with the switch software

same issue have y 11 16 software

please test

switch software downgrade y 11 01

and re test
cenk

cenk sasmaztin
Honored Contributor

Re: 802.1x authentication on PROCURVE 2510G-24

Stefano Cavazzini
Occasional Advisor

Re: 802.1x authentication on PROCURVE 2510G-24

I've installed y.11.16 software
and now it works correctly.

GREAT. THANK YOU SO MUCH....

Stefano.
cenk sasmaztin
Honored Contributor

Re: 802.1x authentication on PROCURVE 2510G-24

hi Stefano

can you find any solution
cenk

Stefano Cavazzini
Occasional Advisor

Re: 802.1x authentication on PROCURVE 2510G-24

I've installed the y.11.16.SWI software image
and it WORKS CORRECTLY.

switch configuration is:

ProCurve Switch 2510G-24# SH RUN

Running configuration:

; J9279A Configuration Editor; Created on release #Y.11.16

hostname "ProCurve Switch 2510G-24"
mirror-port 1
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address 10.35.33.164 255.255.255.0
exit
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server host 10.35.33.228 key test
aaa port-access authenticator 1
aaa port-access authenticator active

I've configured the RADIUS SERVER and it WORKS CORRECTLY; now ALL works CORRECTLY.

WELL DONE, THANK YOU SO MUCH..
Stefano