Switches, Hubs, and Modems

HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

Giovanni Trapasso_1
Frequent Advisor

Hello,

I am about to implement Microsoft 2008 Network Policy Server, 802.1x, using HP 2810 and HP 2524 switches. My tests look good in a test area, and I am starting to set up the production network, but I am getting an error on the HP 2810 switches. On the Windows NPS server I am getting this error:

Event ID 18
An Access-Request message was received from RADIUS client with a message authenticator attribute that is not valid.

The HP 2524 switches work fine, but the HP 2810 switches are the issue. Any thoughts?
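For reference on what Event ID 18 is checking (an added example, not part of the original post and not HP or Microsoft code): a RADIUS server validates the Message-Authenticator attribute (type 80) as HMAC-MD5 over the whole Access-Request, keyed with the shared secret, with the attribute's 16 value bytes zeroed during the calculation. The sketch below runs that check on a constructed packet; the secret `Key`, the user name and the EAP bytes are made-up sample values.

```python
import hashlib
import hmac
import struct

MSG_AUTH_TYPE = 80  # Message-Authenticator attribute (RFC 2869 / RFC 3579)


def build_access_request(secret: bytes, identifier: int, req_auth: bytes, attrs: bytes) -> bytes:
    """Build an Access-Request (code 1) carrying a correct Message-Authenticator."""
    length = 20 + len(attrs) + 18
    header = struct.pack("!BBH", 1, identifier, length) + req_auth
    zeroed = header + attrs + bytes([MSG_AUTH_TYPE, 18]) + bytes(16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + bytes([MSG_AUTH_TYPE, 18]) + mac


def check_message_authenticator(packet: bytes, secret: bytes) -> str:
    """Return 'valid', 'invalid', 'missing' or 'malformed' for a RADIUS packet."""
    if len(packet) < 20:
        return "malformed"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return "malformed"
    packet = packet[:length]
    pos = 20
    while pos < length:
        if pos + 2 > length:
            return "malformed"
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return "malformed"
        if a_type == MSG_AUTH_TYPE:
            if a_len != 18:
                return "malformed"
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(received, expected) else "invalid"
        pos += a_len
    return "missing"


# Constructed sample: User-Name "test" plus a 5-byte EAP-Message, secret "Key".
SAMPLE_ATTRS = bytes([1, 6]) + b"test" + bytes([79, 7, 2, 0, 0, 5, 1])
SAMPLE = build_access_request(b"Key", 7, bytes(range(16)), SAMPLE_ATTRS)

if __name__ == "__main__":
    print(check_message_authenticator(SAMPLE, b"Key"))       # secret matches
    print(check_message_authenticator(SAMPLE, b"OtherKey"))  # secret mismatch
```

Run against a captured Access-Request from the switch and the secret configured on the NPS side, an `invalid` result means the HMAC the switch sent does not match what the server computes from the bytes it received and its own secret.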

13 REPLIES
Jeff Carrell
Honored Contributor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

do you have this config parm:
'aaa authentication port-access eap-radius' in the 2810's?

if so, plz attach a 'sh ru' config of one of the 2810's so we can see...

hth...jeff
Jeff Carrell
Honored Contributor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

sorry, i meant to word that differently, attach a 2810 config so we can look at it to assist in troubleshooting, not simply see if you have that one command in its config...

sorry about that...jeff
Giovanni Trapasso_1
Frequent Advisor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

thanks for the reply. Unfortunately this issue got escalated in my environment, so I am now in contact with HP procurve support. We are making headway, so I will keep you updated.

aaa authentication port-access eap-radius
radius-server host xxx.xxx.xxx.xxx key Key
aaa port-access authenticator 41
aaa port-access authenticator 41 auth-vid 2012
aaa port-access authenticator 41 unauth-vid 2013
aaa port-access authenticator active


The switch is set up correctly, and verified by HP support, but here are the few test config lines I have on my HP2810. Yes, VLANs are set. And yes, I blacked out the IP address.
Ajohnson_1
Occasional Advisor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

Having the same problem here... no issues with any of the Cisco switches... no problems with 2600s, but 2810s are having issues. Please post if you come up with any answers.
Giovanni Trapasso_1
Frequent Advisor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

I was dealing with HP support on this issue and the person I was dealing with set up a Windows 2008 NPS server and was able to get it to work. I am still not able to get the HP 2810 to work with port-access eap-radius. CHAP seems to work, but not EAP.

Since all my 2810 switches are in production I am trying to find another switch I can test with, without causing any issues.

I will let you know what happens. But it is good to hear that someone else is having the issue. Weird that the same configuration works with the HP 2524 and the 2510 procurve switches.
Ajohnson_1
Occasional Advisor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

Have them check software version. I had found a post somewhere on the internet earlier this month where someone had updated software to N.11.15, which is the version I have, and it broke 802.1x authentication. I can't seem to find it now or I'd post a link.
Giovanni Trapasso_1
Frequent Advisor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

I downgraded my switch to 11.04 and still nothing.

I know the HP 2810 did work, but then again that was with a windows 2003 IAS setup instead of with 2008 NPS.
Giovanni Trapasso_1
Frequent Advisor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

Are you getting the:

"An Access-Request message was received from RADIUS client <IP address> with a message authenticator attribute that is not valid." message in the system event log on your NPS server?
Ajohnson_1
Occasional Advisor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

I couldn't tell you. We've got school starting in a week and this still isn't working right, so I've had to pull back the NAP deployment. I'm pretty disappointed. Ran into 3 problems trying to deploy in the production environment.

1. The 2810 switch issue you're having.
2. About 1-5% of the time the security center service doesn't start before the authentication takes place, putting the computer into remediation for no real reason.
3. Less often than the security center issue, the network access protection agent doesn't start on time and the computer gets sent to the non-NAP-capable VLAN.

We can't have any of those issues, let alone all of them, so we're done for now. Might try again during Christmas break or next summer.
Giovanni Trapasso_1
Frequent Advisor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

I am in the same situation as well, being at the University of Alberta. We will deploy in stages when we get this issue solved, and test everything again.

One thing I would suggest, if you have a chance is to call HP support and register this issue.

When I do a show tech all on the HP 2810 in the logs there is an error where it cannot connect to my Radius server /NPS server. All my other series of switches are not having that issue, the commands are the same on the HP 2524 and the HP 2510 as with the HP 2810, but the HP 2810 does not work.
Ajohnson_1
Occasional Advisor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

Will do, but at this point I have to move on. Staff members are starting to show up now and I'm here 12+ hours a day taking service calls as it is. I just don't have time to straighten this out.

I was getting the same error on both the NPS server and the switch.

I'm really hoping that by the time I'm ready to try again in December that there's a solution out there :)
Giovanni Trapasso_1
Frequent Advisor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

Finally got to testing this issue again, it looks like a firmware issue. Have been able to reproduce the issue on a test switch on my production server. Works with firmware N_11_09 but does not work with N_11_15. I am going to downgrade one of my production switches to N_11_09 and see if things will work. Will post after I test the production switch.
Ajohnson_1
Occasional Advisor

Re: HP 2810 switches and 802.1x using Microsoft 2008 Network Policy Server

New firmware was released in the last couple weeks. The fix seems to be listed in the release notes. I'll be upgrading my switches soon, but won't be able to test against NPS for a couple of months.

Linky: http://www.procurve.com/customercare/support/software/summarypages/n-j9021-c.htm