Switches, Hubs, and Modems
802.1x doesn't work after firmware upgrade 10.43 to 10.67

SOLVED
Mario Laniel
Advisor

802.1x doesn't work after firmware upgrade 10.43 to 10.67

Hi all,

On HP 2824 switches after upgrading the firmware 802.1x port-access stopped working, I have over 50 switches so it's a mess. Does anyone know anything about that issue?

Thanks,
26 REPLIES
cenk sasmaztin
Honored Contributor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Hi Mario, please send me a "show tech" printout.
cenk

Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Here you go

Thanks,
Carsten M
Regular Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Hi Mario!

Is it a FW problem or a client problem on Windows machines? We have the same problem on some WinXP machines. After a Windows update I miss, under LAN connections -> properties, the 3rd panel for 802.1x. Therefore, I think it's a problem from Windows.

cm60
cenk sasmaztin
Honored Contributor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Hi Mario,
I can see one port authenticator on the switch. Is this true?

If this is true,

copy and paste my config onto the switch and retest:

hostname
snmp-server contact
snmp-server location
web-management management-url ""
time timezone -300
time daylight-time-rule Continental-US-and-Canada
interface 1
no lacp
exit
interface 21
no lacp
exit
interface 23
no lacp
exit
interface 24
no lacp
exit
trunk 23 Trk1 Trunk
trunk 24 Trk2 Trunk
trunk 21 Trk24 Trunk
ip default-gateway 132.246.17.1
sntp server 132.246.20.2
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
snmp-server community "private" Unrestricted
snmp-server host 132.246.17.24 "private"
vlan 1
name "DEFAULT_VLAN"
untagged 1-20,22,Trk1-Trk2,Trk24
ip address 132.246.17.112 255.255.255.0
exit
stack join 001560faf7a0
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server host 132.246.17.24 key Paris1
aaa port-access authenticator 1
aaa port-access authenticator active
aaa port-access 1
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk24 priority 4


cenk

Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Carsten,

The problem is with the firmware. I have a testing switch with firmware I.10.43 and it works just fine, but when I put I.10.67 on it, it doesn't work anymore, and if I revert back to I.10.43 everything works just fine.
Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Cenk,

I just tried your config and it's still the same thing; you just added one line, "aaa accounting network start-stop radius", right?

Thanks for the help, I'll keep on digging.
Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Cenk,

As you can see authentication does not happen:

TestingSW1(config)# sho port-access authenticator

Port Access Authenticator Status

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

                  Current   Current
Port  Status      VLAN ID   Port COS
----  ------      --------  -----------
1     Closed      1         No-override

From the PC the network icon tells me "validating identity" and after about 30 seconds or so it says "Authentication failed".
cenk sasmaztin
Honored Contributor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Can you see any log on the switch, like "can't reach radius server"?

Can you ping the radius server from the switch?

Have you recently updated to XP service pack 3?
cenk

Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Hi Cenk,

Nothing in the log, and I can ping the radius server, no problem:

TestingSW1# sho logging
Keys: W=Warning I=Information
M=Major D=Debug
---- Event Log listing: Events Since Boot ----
M 01/01/90 00:00:06 sys: 'System reboot due to Power Failure'
I 01/01/90 00:00:06 system: --------------------------------------------------
I 01/01/90 00:00:06 system: System went down without saving crash information
I 01/01/90 00:00:29 udpf: DHCP relay agent feature enabled
I 01/01/90 00:00:29 stack: Stack Protocol enabled
I 01/01/90 00:00:29 tftp: Enable succeeded
I 01/01/90 00:00:29 system: System Booted.
I 01/01/90 00:00:29 cdp: CDP enabled
I 01/01/90 00:00:29 lldp: LLDP - enabled
I 01/01/90 00:00:30 ssl: SSL HTTP server enabled on TCP port 443
I 01/01/90 00:00:31 ports: trunk Trk1 is now active
I 01/01/90 00:00:31 ports: port 23 in Trk1 is now on-line
I 01/01/90 00:00:31 ports: port 24 in Trk1 is now on-line
I 01/01/90 00:00:31 ip: network enabled on 10.1.1.10
I 01/01/90 00:05:09 mgr: SME TELNET from 132.246.17.8 - MANAGER Mode
I 01/01/90 00:05:16 tftp: RRQ from 132.246.17.24 for file running-config
I 01/01/90 00:05:16 tftp: Transfer completed
I 01/01/90 00:05:30 mgr: SME TELNET from 132.246.17.24 - MANAGER Mode
I 01/01/90 00:05:36 mgr: SME TELNET from 132.246.17.24 - MANAGER Mode
I 01/01/90 00:05:43 mgr: SME TELNET from 132.246.17.24 - MANAGER Mode
---- Bottom of Log : Events Listed = 20 ----
TestingSW1# ping 132.246.17.24
132.246.17.24 is alive, time = 1 ms

As for the update on the station, yes, they are running XP SP3 and I've fixed my LAN card profile. The same machine hooked up to that switch with firmware I.10.43 works just fine, but when I install I.10.67 it stops working.
cenk sasmaztin
Honored Contributor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

I recently made a demo configuration for a customer with H_10_67 software on a 2626 switch
(802.1x & dynamic VLAN).
Please download and watch my demo video:

http://www.dosya.tc/802.1x_dynamicvlan.rar.html

There is no bug in the 10_67 software for 802.1x.

Please look at the Windows event viewer log for the IAS service.

cenk

cenk sasmaztin
Honored Contributor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

And send me all the log printouts from the radius server.
cenk

Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Thanks Cenk,

I looked in the event log on the radius (IAS) server and there is nothing; the PC cannot get to it for some reason, but if I go with firmware I.10.43 then it authenticates right away.

Thanks for trying Cenk,
Matt Hobbs
Honored Contributor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

It's probably broken. Are you using PEAP? If so, there is an option in IAS to make it send a smaller Framed-MTU, which should work around the issue, but you should open up a case with HP.
André Beck
Honored Contributor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Mario,

Have you tried the same setup just without "stacking"? Sourcing RADIUS requests is likely to be complicated by this management hack to hide multiple boxes behind a single IP, so the bug (clearly there is a bug somewhere) might hide in this area (which doesn't get as much testing in the field as individual management-IP configurations do, I assume).

HTH,
Andre.
Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

André,

I've tried without stacking and it is the same, but with firmware I.10.43 it works both without stacking and with stacking.
Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Matt,

I'm using "smart cards or other certificate", so I'm using a cert which I've generated with Microsoft Certificate Services, and it works fine until I put firmware I.10.67 on the switches.
Matt Hobbs
Honored Contributor
Solution

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Could be the same, any form of EAP will probably be affected if it's the bug I'm thinking of.
Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Hi Matt,

I'm willing to give it a try; I've looked around in IAS and didn't see anything pertaining to your option.

How would one go about turning that option on?

Thanks,
Mario
Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Matt,

You were right. I found where to change the MTU size and I set it to 1400, and everything works just fine now with firmware I.10.67.

Thank you very much,

P.S. I still have a case open with HP as I believe that it should work without having to modify that option.

Mario,
Matt Hobbs
Honored Contributor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Glad to hear it helped. I've seen this particular bug on many other different ProCurve models and it's definitely a bug (you should be able to see it mentioned in the release notes for the 2600).
Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Hi Matt,

Is this what you mean:

802.1X Port Lock-Up (PR_0000005372) - If the first frame is sent from an all-zeros MAC
address to a broadcast destination address, an 802.1X port will freeze, and AAA will quit
functioning.
Matt Hobbs
Honored Contributor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

It was more similar to this one:

RADIUS (0000001164) - The switch drops RADIUS messages with EAP-packets larger
than 1496 bytes.

That was from the 5400 release notes.
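
The fix Mario applied (Framed-MTU 1400 in IAS) works because the RADIUS server must shrink its EAP-TLS fragments so no single EAP packet exceeds the switch's limit. The following is an added example, not code from this thread or from HP: it models how a server fragments a TLS handshake message into EAP-Request/EAP-TLS packets sized from Framed-MTU (RFC 3579: Framed-MTU minus the 4-byte EAPOL header) and wraps them in RADIUS EAP-Message attributes (RFC 2869, 253-byte payloads), so you can check which Framed-MTU keeps every EAP packet at or under the 1496-byte threshold quoted above. The certificate-chain bytes are constructed, not a real chain.

```python
import struct

EAP_REQUEST, EAP_TYPE_TLS = 1, 13
EAP_HDR = 5            # code(1) id(1) length(2) type(1)
TLS_FLAGS = 1          # EAP-TLS flags byte: L=0x80 M=0x40 S=0x20
TLS_LEN_FIELD = 4      # TLS message length, sent only when the L bit is set
EAPOL_HDR = 4          # RFC 3579 s.2.4: max EAP size = Framed-MTU - 4
RADIUS_ATTR_MAX = 253  # max payload of one EAP-Message (type 79) attribute
SWITCH_EAP_LIMIT = 1496  # threshold from the 5400 release note quoted above

def eap_tls_fragments(tls_msg, framed_mtu, first_id=1):
    """Split one TLS message into EAP-Request/EAP-TLS packets of at most framed_mtu - 4 bytes."""
    max_eap = framed_mtu - EAPOL_HDR
    packets, offset, eap_id = [], 0, first_id
    while offset < len(tls_msg):
        first = offset == 0
        overhead = EAP_HDR + TLS_FLAGS + (TLS_LEN_FIELD if first else 0)
        chunk = tls_msg[offset:offset + max_eap - overhead]
        offset += len(chunk)
        more = offset < len(tls_msg)
        flags = (0x80 if first else 0) | (0x40 if more else 0)   # L on first, M while more follows
        body = bytes([flags]) + (struct.pack("!I", len(tls_msg)) if first else b"") + chunk
        packets.append(struct.pack("!BBHB", EAP_REQUEST, eap_id, EAP_HDR + len(body), EAP_TYPE_TLS) + body)
        eap_id = (eap_id + 1) % 256
    return packets

def eap_message_attrs(eap_pkt):
    """Carry one EAP packet as consecutive RADIUS EAP-Message attributes (type, length, value)."""
    return [bytes([79, 2 + len(eap_pkt[i:i + RADIUS_ATTR_MAX])]) + eap_pkt[i:i + RADIUS_ATTR_MAX]
            for i in range(0, len(eap_pkt), RADIUS_ATTR_MAX)]

def largest_eap_packet(tls_msg, framed_mtu):
    return max(len(p) for p in eap_tls_fragments(tls_msg, framed_mtu))

def passes_switch(tls_msg, framed_mtu):
    """True when no fragment is larger than 1496 bytes, i.e. the affected switch would not drop it."""
    return largest_eap_packet(tls_msg, framed_mtu) <= SWITCH_EAP_LIMIT

# Constructed stand-in for an EAP-TLS server certificate chain (4096 bytes); a real
# multi-level Microsoft CA chain is typically several KB and always fragments.
CERT_CHAIN = bytes(range(256)) * 16

if __name__ == "__main__":
    for mtu in (1600, 1500, 1400):
        frags = eap_tls_fragments(CERT_CHAIN, mtu)
        verdict = "passes" if passes_switch(CERT_CHAIN, mtu) else "dropped by the switch"
        print(f"Framed-MTU {mtu}: {len(frags)} fragments, largest {largest_eap_packet(CERT_CHAIN, mtu)} bytes, "
              f"{sum(len(eap_message_attrs(f)) for f in frags)} bytes of EAP-Message attributes -> {verdict}")
```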

Mario Laniel
Advisor

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

Thanks Matt,

That looks more like it, and it is not in the 2800 release notes. I will let HP know, as I opened up a case with them to resolve the issue in the software. It works fine with the workaround you gave me, but it should work without that.

Re: 802.1x doesn't work after firmware upgrade 10.43 to 10.67

You only really see the Port Lockup with broken NICs (or where the address has been set administratively). Though Windows Vista machines occasionally send a couple of packets with a src MAC of all 0's as they bring the interface up. This can cause temporary port lockups (they will clear when you up/down the interface).

Bug fixes are generally written for one branch then applied to others as customer-demand/severity dictates.

If you contact HP technical support they may be able to give you a pre-release of I with the fix applied.
---

Regarding the earlier post on dynamic VLANs and 802.1X, it's great in theory, but if you're working in a multicast environment the lack of IGMP snooping on dynamic VLANs is a real killer.

Additionally, you should always set unknown-vlan disable on all edge ports. Else it's possible that a GVRP-enabled, authenticated client could pull down any tagged VLAN they wanted, as well as the untagged VLAN they were assigned.
---

As for no bugs existing with 802.1X with H.10.67... that's not strictly true... I currently have 6 cases open regarding port-access / GVRP stuff for the H branch. But none that would cause the behaviour you're describing.