Switches, Hubs, and Modems
802.1x with local authentication

GALAND
Occasional Visitor

802.1x with local authentication

Hello,

I'm trying to use 802.1X to authenticate users on my LAN on a ProCurve 2650 switch.
I am using local switch authentication (no external RADIUS server) and my tests are made on port 10.

These are the commands I have typed to do that:
aaa authentication port-access local
aaa port-access authenticator 10
aaa port-access authenticator active

I've also created an operator/manager user named "test".

I'm using XSupplicant on my computer to connect to the switch and the protocol I use is EAP-MD5.

I obtain the following message: Authentication Failed.

What can I do to authenticate on the switch?

Thanks in advance for your answer.
Kind Regards
15 REPLIES
cenk sasmaztin
Honored Contributor

Re: 802.1x with local authentication

Hi Galand,
This method of 802.1X authentication is impossible.
For 802.1X authentication you need a RADIUS server: Microsoft IAS, FreeRADIUS, ProCurve IDM, etc.

cenk

Jarret Workman
Frequent Advisor

Re: 802.1x with local authentication

Hi Galand,

The aaa authentication command is used when configuring access to the actual switch. So, you could configure a local username and password scheme and use those when using console/telnet/web access to the management interface of the switch. You can also configure the authentication method to use a RADIUS server, which would verify logons to the management interface against RADIUS.

In order to authenticate users via port-based authentication, Cenk is correct that you would need to implement a RADIUS server.
Jarret Workman
Frequent Advisor

Re: 802.1x with local authentication

Hi Galand,

I did some more investigating, and it looks like you can use the local switch username/password scheme as a valid authentication scheme for clients. I will try and set this up on a test switch and see if I can get it working.

Regards,

Jarret
GALAND
Occasional Visitor

Re: 802.1x with local authentication

Hi Jarret,

Thanks for helping.
I've done several tests but without success...

I hope you will get it working.

Regards.
cenk sasmaztin
Honored Contributor

Re: 802.1x with local authentication

Hi Jarret and Galand,

802.1X authentication without a RADIUS server is impossible.

My advice:
learn more about the 802.1X protocol.

cenk

Mohieddin Kharnoub
Honored Contributor

Re: 802.1x with local authentication

Hi

In this document:
http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-13-8021X.pdf

It's mentioned that the local username/password can be used as an alternative to using a RADIUS server.

Page 13-14, explains how to do that, like you should configure the password using : password port-access (not the password command).

Good Luck !!!
Science for Everyone
GALAND
Occasional Visitor

Re: 802.1x with local authentication

Hi cenk,

I am using this doc:
ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap08-PortAccess(8021x).pdf

Can you have a look at the chapter "Configure the 802.1X Authentication Method"?

It says that you can use local authentication.
Is it just a "switch to switch" authentication method, or can I use it to authenticate my computer?

Regards.
GALAND
Occasional Visitor

Re: 802.1x with local authentication

Hi Mohieddin,

Thanks for helping.
Also, I don't have the password port-access command on my ProCurve 2650.
I'll try to update my software version to the latest.
Perhaps I need a higher-end switch like the 3500/5400/6200/8200 models...

Regards
cenk sasmaztin
Honored Contributor

Re: 802.1x with local authentication

If you want 802.1X authentication on the network,
you need three components:

supplicant ------ PC
authenticator ------ switch
authentication server ---- RADIUS

Without a RADIUS server, the 802.1X protocol is out of action on the network.

cenk

Jarret Workman
Frequent Advisor

Re: 802.1x with local authentication

Hi Galand,

I updated a 2650 to H.10.50 software and tested. So far, I am running into authentication failures as well, but am still playing with it.

I also tested using a 5406, which has a slightly different syntax for entering the passwords for local radius. However, looking at the documentation for the 2600's and the 5400's, it does indicate the local switch passwords can be used in lieu of an external radius server.

I'll try and do some more testing today as I feel we are just missing one small piece...

Regards,

Jarret
Jarret Workman
Frequent Advisor

Re: 802.1x with local authentication

Hi Galand,

I did some more testing this morning. I set up a packet capture using Wireshark on my laptop and configured port 10 on my 2650 as the authenticator port. I also changed my NIC authentication for an EAP type of MD5-Challenge.

Watching the packet capture, I see the following:
1. EAPOL start
2. Identity request from the switch
3. Identity request from my laptop containing the password I entered for authentication
4. Request MD5-Challenge from the switch
5. Response MD5-Challenge from my laptop
6. EAP Success

On the switch, I checked the show port-access authenticator and my port 10 has changed from a status of closed, to a status of open once the EAP Success message was seen in the packet capture.

However, my NIC is still reporting it is "attempting to authenticate". Watching the packet capture for several minutes, the EAP process would run over and over with the same results as above each time.

It looks like using MD5-Challenge, I am getting successfully authenticated and the switch port opens as expected, but something seems to be broken since the NIC never moves into a connected state.

It might be worth opening up a ticket with ProCurve support. My thoughts are that either this is broken, or if it is not an option, then the documentation needs further clarification.

On a side note, I checked the documentation of the 5400 series ProCurve, and it also mentions this as an option. The only difference is that instead of using the operator username/password, you actually use the password port-access command to configure a unique username/password scheme for local port-access.
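The six-step exchange captured in the post above, reconstructed as an added Python example (not code from the original thread, nor from HP/ProCurve). It simulates the supplicant and an authenticator that checks the MD5-Challenge response against a local user table, which is what "local" port-access authentication amounts to on the authenticator side, and then shows the caveat a practitioner wants before relying on EAP-MD5 on a shared rack: the challenge and response go over the wire in clear, so anyone who can sniff the access port can test password guesses offline, with no further traffic to the switch. The user table, the password and the wordlist are constructed values; LOCAL_USERS and all function names are this example's own. As RFC 3748 specifies, the Identity Response carries only the username; the password never travels, it only feeds the MD5 computation.

```python
import hashlib
import hmac
import os

# EAP codes and types from RFC 3748.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4

# Constructed stand-in for the switch's local port-access user table
# (the thread's "test" user; the password is an invented example value).
LOCAL_USERS = {"test": b"s3cret-pw"}


def eap_packet(code, ident, payload=b""):
    """Encode an EAP packet: Code(1) | Identifier(1) | Length(2) | Data."""
    return bytes([code, ident]) + (4 + len(payload)).to_bytes(2, "big") + payload


def parse_eap(pkt):
    """Decode an EAP packet into (code, identifier, data), checking the Length field."""
    if len(pkt) < 4:
        raise ValueError("EAP packet too short")
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("EAP length field does not match frame")
    return code, ident, pkt[4:]


def md5_response(ident, password, challenge):
    """MD5-Challenge value (RFC 3748 5.4, same construction as CHAP in RFC 1994):
    MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def md5_fields(data):
    """Split MD5-Challenge data (Type | Value-Size | Value | Name) into (value, name)."""
    if data[0] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    size = data[1]
    return data[2:2 + size], data[2 + size:]


def run_exchange(identity, password, users=LOCAL_USERS, rng=os.urandom):
    """Simulate the supplicant/authenticator exchange against a local user table.

    Returns (outcome, transcript); transcript lists (sender, frame) in the order
    they would appear in a capture on the access port."""
    transcript = [("supplicant", "EAPOL-Start")]           # 1. EAPOL-Start (EAPOL, not EAP)

    ident_req = eap_packet(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY]))
    transcript.append(("authenticator", ident_req))        # 2. Identity request

    # 3. Identity response: only the username travels, never the password.
    ident_resp = eap_packet(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + identity.encode())
    transcript.append(("supplicant", ident_resp))
    claimed = parse_eap(ident_resp)[2][1:].decode()

    challenge = rng(16)                                    # fresh random challenge per attempt
    md5_req = eap_packet(EAP_REQUEST, 2,
                         bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge)
    transcript.append(("authenticator", md5_req))          # 4. MD5-Challenge request

    # 5. Supplicant hashes the challenge with the password it was configured with.
    value = md5_response(2, password, challenge)
    md5_resp = eap_packet(EAP_RESPONSE, 2,
                          bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + identity.encode())
    transcript.append(("supplicant", md5_resp))

    # Authenticator side: recompute from the local table, compare in constant time.
    code, ident, data = parse_eap(md5_resp)
    got, _name = md5_fields(data)
    expected = md5_response(ident, users.get(claimed, b""), challenge)
    ok = code == EAP_RESPONSE and claimed in users and hmac.compare_digest(got, expected)

    transcript.append(("authenticator",
                       eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, 2)))  # 6. Success/Failure
    return ("success" if ok else "failure"), transcript


def captured_pair(transcript):
    """What a passive sniffer learns from frames 4 and 5: (identifier, challenge, response)."""
    _, _, req_data = parse_eap(transcript[3][1])
    _, ident, resp_data = parse_eap(transcript[4][1])
    challenge, _ = md5_fields(req_data)
    value, _ = md5_fields(resp_data)
    return ident, challenge, value


def crack_md5_challenge(ident, challenge, value, wordlist):
    """Offline dictionary attack on one captured EAP-MD5 challenge/response pair.
    Nothing here talks to the switch: this is the weakness of EAP-MD5 used
    without an outer TLS tunnel (PEAP or EAP-TTLS)."""
    for guess in wordlist:
        if md5_response(ident, guess, challenge) == value:
            return guess
    return None


if __name__ == "__main__":
    outcome, frames = run_exchange("test", b"s3cret-pw")
    print("outcome:", outcome)
    ident, chal, val = captured_pair(frames)
    print("recovered from capture:",
          crack_md5_challenge(ident, chal, val, [b"password", b"s3cret-pw"]))
```

The authenticator accepts the "test" user and opens the port exactly as the capture shows, but the same two frames let crack_md5_challenge recover the password from a short wordlist. That is the practical reason to avoid EAP-MD5 on a rack shared with other tenants, and a second reason not to reuse the switch's operator/manager credentials as the port-access password: a recovered password would then also be a management login.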
Jarret Workman
Frequent Advisor

Re: 802.1x with local authentication

Hi Galand,

Another thought:

I am not sure of your ultimate goal using the port-access with local authentication from the switch, but have you looked at the port-security function as a possible option?

Using port-security, it looks like you can locally define up to eight MAC addresses per port that are authorized to connect. Perhaps this would provide the port-based security without the need for adding a RADIUS server.

Regards,

Jarret
GALAND
Occasional Visitor

Re: 802.1x with local authentication

Hi,

My switch is in an office where several companies are working.

We share the same network rack, but each company has its own switch.
To ensure that the other companies will not use our network, I need to secure network access.

I also cannot use RADIUS authentication because this company has no local server (they are all managed by an external company).
And MAC address filtering isn't very easy to manage: I have 2 conference rooms which need the network for itinerant people.

I'll try to use MAC filtering until I find a better solution.

Thanks all.
Kind Regards.
cenk sasmaztin
Honored Contributor

Re: 802.1x with local authentication

Hi Galand,
MAC filtering (namely port-security)
is not the best way for your network configuration, because each user is locked to one port and cannot work on another port (very static).

My advice:
you can separate each user group into its own VLAN for security.

For example:
vlan 1: management VLAN
vlan 2: office user 1
vlan 3: office user 2
vlan 4: itinerant users


And you can install a RADIUS server on your network for all users with 802.1X authentication.

802.1X authentication is a very successful security protocol for the LAN, and together with RADIUS and remote Active Directory rules it can dynamically assign VLANs to domain users.


cenk