Switches, Hubs, and Modems

Re: HP2524, 802.1x and EAP-Radius

 
SOLVED
Go to solution
Giovanni Trapasso_1
Frequent Advisor

HP2524, 802.1x and EAP-Radius

Hello,

I am trying to get my HP 2524 ProCurve switches to use 802.1x to dynamically set the VLAN on the interfaces. Things seem to be communicating, but I am getting the following errors on my Windows 2003 server running IAS:

User Administrator@net.artstest.ualberta.ca was denied access.
Fully-Qualified-User-Name = net.artstest.ualberta.ca/Users/Administrator
NAS-IP-Address = 192.168.1.60
NAS-Identifier = HP ProCurve Switch 2524
Called-Station-Identifier = 00-0a-57-9b-c6-aa
Calling-Station-Identifier = 00-00-39-6d-35-ae
Client-Friendly-Name = test switch
Client-IP-Address = 192.168.1.60
NAS-Port-Type = Ethernet
NAS-Port = 10
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type =
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

The switch is configured like this:

aaa authentication port-access eap-radius
radius-server host 192.168.1.50 key testkey
aaa port-access authenticator active
Mohieddin Kharnoub
Honored Contributor

Re: HP2524, 802.1x and EAP-Radius

Hi

You are missing one command that configures the switch to be an authenticator for specific ports:

aaa port-access authenticator < port-list > [ control < authorized | auto | unauthorized >]

This command configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches.

Say you have port 1 connected to this 802.1x client, the command you should add is like this:

2824(config)#aaa port-access authenticator 1 control auto

Good Luck !!!
Science for Everyone
Giovanni Trapasso_1
Frequent Advisor

Re: HP2524, 802.1x and EAP-Radius

Thanks Mohieddin. Actually it is in the switch configuration, I just forgot to type it in the question.

After posting I messed around with the setup and I think I know the problem. I don't think the ProCurve 2524 switches can do what I want them to do; hopefully someone can prove me wrong. I want the Microsoft 802.1x supplicant to auto-authenticate to the RADIUS server using a certificate being pushed to my clients, using EAP-TLS. The switch is set up with eap-radius, but for whatever reason the remote access policy in Microsoft IAS will not determine the EAP type.
Matt Hobbs
Honored Contributor

Re: HP2524, 802.1x and EAP-Radius

Configuration on the switch looks to be right. On IAS you mainly need to make sure that 'smart card or other certificate' is selected under your EAP Methods.

Check the IAS logs for some other clues maybe?
Mohieddin Kharnoub
Honored Contributor
Solution

Re: HP2524, 802.1x and EAP-Radius

Hi

I can prove to you that your setup from the ProCurve side will work for sure.

Notice that, in the warning entry you posted:
----------------------------------------
Authentication-Server =
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type =
----------------------------------------

the EAP type is not determined, and this is a normal output in the event viewer.

What I think (and am 99% sure of) is that the Windows 802.1x supplicant can't do that, and you need another supplicant to do that.

Good Luck !!!
Science for Everyone
Giovanni Trapasso_1
Frequent Advisor

Re: HP2524, 802.1x and EAP-Radius

Thanks for the input. That "EAP-Type =" was giving me some concern, where other postings on other sites had an entry under that EAP-Type.

I was doing some searching and I was going to use another supplicant, probably wpa_supplicant, or if I can get an eval of one of the commercial supplicants.

Will let you know
Giovanni Trapasso_1
Frequent Advisor

Re: HP2524, 802.1x and EAP-Radius

Well, I didn't try the supplicant just yet; I think I made some headway on this problem. I noticed in my previous post that the event log was not displaying my policy name correctly, so I deleted the 2 default remote access policies in IAS and I got a different message, but things look better. Below is the new event log entry and error.

Will keep you updated on this issue.


User Administrator@net.artstest.ualberta.ca was denied access.
Fully-Qualified-User-Name = net.artstest.ualberta.ca/Users/Administrator
NAS-IP-Address = 192.168.1.60
NAS-Identifier = HP ProCurve Switch 2524
Called-Station-Identifier = 00-0a-57-9b-c6-ac
Calling-Station-Identifier = 00-00-39-6d-35-ae
Client-Friendly-Name = test switch
Client-IP-Address = 192.168.1.60
NAS-Port-Type = Ethernet
NAS-Port = 12
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = wired_eap-tls
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
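The two IAS events quoted in this thread differ only in a handful of attributes (NAS-Port, Policy-Name, EAP-Type and the Reason), and the interesting part for anyone troubleshooting or monitoring an 802.1X deployment is exactly that pair: Reason-Code 66 with an empty EAP-Type means the policy IAS matched had no EAP method enabled, while Reason-Code 16 with "Smart Card or other certificate" means EAP-TLS was negotiated and the credential or certificate check itself failed. The following Python script is an added example written for this thread, not code from HP, Microsoft or the original poster: it parses the event text into attributes, classifies the denial using only the two reason codes that appear above, and returns the NAS address, NAS-Port and Calling-Station-Identifier so the denial can be tied back to a switch port and client MAC. The first sample event is the poster's own log; the second is constructed from it by overriding the fields that changed in the poster's later event. The category names and hints are this example's own wording.

```python
"""Parse and triage Windows 2003 IAS 'denied access' events from an 802.1X switch.
Added example for this thread (not HP/Microsoft code); the categories and hints
are this example's own reading of the two Reason-Codes seen in the thread."""
import re

# Constructed sample input: the first IAS event quoted in the thread
# (Reason-Code 66, empty EAP-Type), identifiers as the poster shared them.
EVENT_REASON_66 = """\
User Administrator@net.artstest.ualberta.ca was denied access.
Fully-Qualified-User-Name = net.artstest.ualberta.ca/Users/Administrator
NAS-IP-Address = 192.168.1.60
NAS-Identifier = HP ProCurve Switch 2524
Called-Station-Identifier = 00-0a-57-9b-c6-aa
Calling-Station-Identifier = 00-00-39-6d-35-ae
Client-Friendly-Name = test switch
Client-IP-Address = 192.168.1.60
NAS-Port-Type = Ethernet
NAS-Port = 10
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type =
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"""

# Constructed sample: the poster's second event, expressed as the fields that
# changed once the default policies were deleted and EAP-TLS was selected.
EVENT_REASON_16_OVERRIDES = {
    "Called-Station-Identifier": "00-0a-57-9b-c6-ac",
    "NAS-Port": "12",
    "Policy-Name": "wired_eap-tls",
    "EAP-Type": "Smart Card or other certificate",
    "Reason-Code": "16",
    "Reason": "Authentication was not successful because an unknown user name or incorrect password was used.",
}

_FIRST_LINE = re.compile(r"^User (?P<user>\S+) was denied access\.$")


def parse_ias_event(text):
    """Turn the multi-line event text into a dict of attribute -> value.
    An attribute with nothing after '=' (e.g. 'EAP-Type =') maps to ''."""
    event = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FIRST_LINE.match(line)
        if m:
            event["User"] = m.group("user")
            continue
        if "=" not in line:
            continue  # free text, not an attribute line
        key, value = line.split("=", 1)
        event[key.strip()] = value.strip()
    return event


def second_event_text():
    """Render the constructed second event as text so it goes through the
    same parser as the first one."""
    base = parse_ias_event(EVENT_REASON_66)
    base.update(EVENT_REASON_16_OVERRIDES)
    lines = [f"User {base.pop('User')} was denied access."]
    lines += [f"{k} = {v}" for k, v in base.items()]
    return "\n".join(lines)


def triage(event):
    """Classify a denial and say which policy/supplicant setting to check.
    Also returns what is needed to locate the switch port and client MAC."""
    code = event.get("Reason-Code", "")
    eap_type = event.get("EAP-Type", "")
    result = {
        "user": event.get("User", ""),
        "nas": event.get("NAS-IP-Address", ""),
        "nas_port": event.get("NAS-Port", ""),
        "supplicant_mac": event.get("Calling-Station-Identifier", ""),
        "policy": event.get("Policy-Name", ""),
        "reason_code": code,
    }
    if code == "66" and eap_type == "":
        # The matched policy selected no EAP method at all.
        result["category"] = "eap_method_not_enabled"
        result["hint"] = (f"policy '{result['policy']}' matched but has no EAP method; "
                          "enable 'Smart card or other certificate' on the wired policy "
                          "and make sure it is evaluated before the default policies")
    elif code == "16" and eap_type:
        # EAP-TLS ran; the certificate/credential check is what failed.
        result["category"] = "eap_credential_failure"
        result["hint"] = (f"{eap_type} negotiated but the credential check failed; check the "
                          "server certificate chain the supplicant validates and the client "
                          "certificate to user mapping")
    else:
        result["category"] = "other"
        result["hint"] = event.get("Reason", "")
    return result


if __name__ == "__main__":
    for text in (EVENT_REASON_66, second_event_text()):
        t = triage(parse_ias_event(text))
        print(t["category"], "port", t["nas_port"], t["supplicant_mac"], "->", t["hint"])
```

Feeding real event text into `parse_ias_event` and `triage` gives a quick first cut at whether a denial is a policy-configuration problem on the IAS side or a certificate-trust problem on the supplicant side, which is the distinction the rest of this thread turns on.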
Giovanni Trapasso_1
Frequent Advisor

Re: HP2524, 802.1x and EAP-Radius

Managed to get this to work. When you go into the workstation's network interface properties, go into the Authentication tab, then Properties of the "Smart card or other certificate" EAP type, there is an option "Validate server certificate". When it is disabled everything works, but when it is enabled I get Reason-Code = 16.

Will update when I figure this out.
Giovanni Trapasso_1
Frequent Advisor

Re: HP2524, 802.1x and EAP-Radius

O.K., this should be the final post on this issue. I found a solution that I have been able to reproduce, with some pain, but am still working on it.

To correct the error #16 and the "Validate server certificate" issue you need to go through a document called:

Build Guide - Implementing the Wireless LAN Security Infrastructure.pdf

It will walk you through some certificates and how to create them. The URL is:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/BGCH09.mspx?pf=true

Good Luck.