HPE Community
Switches, Hubs, and Modems
1752724 Members
5505 Online
108789 Solutions
New Discussion юеВ

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

 
Giovanni Trapasso_1
Frequent Advisor

тАО08-06-2009 10:03 AM

тАО08-06-2009 10:03 AM

HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

Hello,

I am about to implement Microsoft 2008 Newtork Policy Server, 802.1x, using HP 2810 and HP 2524 switches. My tests look good in a test area, and starting to setup the production network, but getting an error on the HP 2810 switches. On the Windows NPS server getting this error:

Event ID 18
An Access-Request message was received from RADIUS client with a message authenticator attribute that is not valid.

The HP 2524 switches works fine, but the HP 2810 switches are the issue. Any Thoughts?

0 Kudos
13 REPLIES 13
Jeff Carrell
Honored Contributor

тАО08-06-2009 11:20 PM

тАО08-06-2009 11:20 PM

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

do you have this config parm:
'aaa authentication port-access eap-radius' in the 2810's?

if so, plz attach a 'sh ru' config of one of hte 2810's so we can see...

hth...jeff
0 Kudos
Jeff Carrell
Honored Contributor

тАО08-07-2009 04:13 AM

тАО08-07-2009 04:13 AM

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

sorry, i meant to word that differently, attach a 2810 config so we can look at it to assist in troubleshooting, not simply see if you have that one command in its config...

sorry about that...jeff
0 Kudos
Giovanni Trapasso_1
Frequent Advisor

тАО08-07-2009 07:25 AM

тАО08-07-2009 07:25 AM

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

thanks for the reply. Unfortunately this issue got escalated in my environment, so I am now in contact with HP procurve support. We are making headway, so I will keep you updated.

aaa authentication port-access eap-radius
radius-server host xxx.xxx.xxx.xxx key Key
aaa port-access authenticator 41
aaa port-access authenticator 41 auth-vid 2012
aaa port-access authenticator 41 unauth-vid 2013
aaa port-access authenticator active


The switch is setup correctly, and verified by HP support, but here are the few test config lines I have on my HP2810. Yes vlan's are set. And yes I blacked out the IP address.
0 Kudos
Ajohnson_1
Occasional Advisor

тАО08-25-2009 05:58 AM

тАО08-25-2009 05:58 AM

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

Having the same problem here... no issues with any of the Cisco switches... no problems with 2600s, but 2810s are having issues. Please post if you come up with any answers.
0 Kudos
Giovanni Trapasso_1
Frequent Advisor

тАО08-25-2009 06:11 AM

тАО08-25-2009 06:11 AM

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

I was dealing with HP support on this issue and the person I was dealing with setup a Windows 2008 NPS server and was able to get it to work. I am still not able to get the HP 2810 to work with port-access eap-radius. chap seems to work, but not eap.

Since all my 2810 switches are in production I am trying to find another switch I can test with, without causing any issues.

I will let you know what happens. But it is good to hear that someone else is having the issue. Weird that the same configuration works with the HP 2524 and the 2510 procurve switches.
0 Kudos
Ajohnson_1
Occasional Advisor

тАО08-25-2009 06:30 AM

тАО08-25-2009 06:30 AM

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

Have them check software version. I had found a post somewhere on the internet earlier this month where someone had updated software to N.11.15, which is the version i have, and it broke 802.1x authentication. I can't seem to find it now or i'd post a link.
0 Kudos
Giovanni Trapasso_1
Frequent Advisor

тАО08-25-2009 08:04 AM

тАО08-25-2009 08:04 AM

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

I downgraded my switch to 11.04 and still nothing.

I know the HP 2810 did work, but then again that was with a windows 2003 IAS setup instead of with 2008 NPS.
0 Kudos
Giovanni Trapasso_1
Frequent Advisor

тАО08-25-2009 01:00 PM

тАО08-25-2009 01:00 PM

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

are you getting the:

"An Access-Request message was received from RADIUS client (IP address> with a message authenticator attribute that is not valid." message in the system event log on your NPS server?
0 Kudos
Ajohnson_1
Occasional Advisor

тАО08-26-2009 06:54 AM

тАО08-26-2009 06:54 AM

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

I couldn't tell you. We've got school starting in a week and this still isn't working right, so i've had to pull back the NAP deployment. I'm pretty disappointed. Ran into 3 problems trying to deploy in the production environment.

1 the 2810 switch issue you're having
2 about 1-5% of the time the security center service doesn't start before the authentication takes place putting the computer into remediation for no real reason
3 less often than the security center issue is the network access protection agent doesn't start on time, gets sent to non-nap capable vlan.

We can't have any of those issues, let alone all of them, so we're done for now. Might try again during Christmas break or next summer.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.