MAC based authentification - 2910al - Logon Process

Björn Andreas Höfer
Occasional Advisor

Hi,

I've set up a test environment with a ProCurve 2910al and a Windows Server 2008 R2.

Configuration for the 2910al:

radius-server host 1.2.3.4 key "supergeheim"
aaa authentication port-access eap-radius
aaa port-access authenticator 2-12
aaa port-access authenticator 2-12 logoff-period 862400
aaa port-access authenticator 2-12 quiet-period 30
aaa port-access authenticator 2-12 client-limit 1
aaa port-access authenticator active
aaa port-access mac-based 2-21
aaa port-access mac-based 2-21 logoff-period 862400
aaa port-access mac-based 2-21 quiet-period 30
aaa accounting network start-stop radius

On Windows 2008 R2 the setup seems to work as it should.

But when I connect a "dumb" device, like an old printer, I get the following messages on the Windows IAS (aka NAP):

<Event>
  <Timestamp data_type="4">04/16/2012 17:24:53.015</Timestamp>
  <Computer-Name data_type="1">SV1234</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <Class data_type="1">311 1 192.168.10.1 03/26/2012 08:45:23 651</Class>
  <Authentication-Type data_type="0">2</Authentication-Type>
  <Fully-Qualifed-User-Name data_type="1">DOMAINNAME\0004f239dddd</Fully-Qualifed-User-Name>
  <SAM-Account-Name data_type="1">DOMAINNAME\0004f239dddd</SAM-Account-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <Proxy-Policy-Name data_type="1">NAP 802.1X (verkabelt)</Proxy-Policy-Name>
  <Client-Friendly-Name data_type="1">Testswitch02</Client-Friendly-Name>
  <Client-Vendor data_type="0">0</Client-Vendor>
  <Client-IP-Address data_type="3">192.168.10.67</Client-IP-Address>
  <Packet-Type data_type="0">3</Packet-Type>
  <Reason-Code data_type="0">16</Reason-Code>
</Event>

<Event>
  <Timestamp data_type="4">04/16/2012 17:25:57.015</Timestamp>
  <Computer-Name data_type="1">SV123</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <Framed-MTU data_type="0">1466</Framed-MTU>
  <NAS-IP-Address data_type="3">192.168.10.67</NAS-IP-Address>
  <NAS-Identifier data_type="1">testswitch</NAS-Identifier>
  <User-Name data_type="1">0004f239dddd</User-Name>
  <Service-Type data_type="0">2</Service-Type>
  <Framed-Protocol data_type="0">1</Framed-Protocol>
  <NAS-Port data_type="0">9</NAS-Port>
  <NAS-Port-Type data_type="0">15</NAS-Port-Type>
  <NAS-Port-Id data_type="1">9</NAS-Port-Id>
  <Called-Station-Id data_type="1">78-e3-b5-1f-e1-d1</Called-Station-Id>
  <Calling-Station-Id data_type="1">00-04-f2-39-d1-e1</Calling-Station-Id>
  <Connect-Info data_type="1">CONNECT Ethernet 100Mbps Full duplex</Connect-Info>
  <Vendor-Specific data_type="2">0000000BFF09011A0000000B28</Vendor-Specific>
  <Vendor-Specific data_type="2">0000000BFF09011A0000000B2E</Vendor-Specific>
  <Vendor-Specific data_type="2">0000000BFF09011A0000000B30</Vendor-Specific>
  <Vendor-Specific data_type="2">0000000BFF09011A0000000B3D</Vendor-Specific>
  <Vendor-Specific data_type="2">0000000BFF040138</Vendor-Specific>
  <Vendor-Specific data_type="2">0000000BFF04013A</Vendor-Specific>
  <Vendor-Specific data_type="2">0000000BFF040140</Vendor-Specific>
  <Vendor-Specific data_type="2">0000000BFF040141</Vendor-Specific>
  <Vendor-Specific data_type="2">0000000BFF040151</Vendor-Specific>
  <Client-IP-Address data_type="3">192.168.10.67</Client-IP-Address>
  <Client-Vendor data_type="0">0</Client-Vendor>
  <Client-Friendly-Name data_type="1">Testswitch02</Client-Friendly-Name>
  <MS-RAS-Vendor data_type="0">11</MS-RAS-Vendor>
  <Proxy-Policy-Name data_type="1">NAP 802.1X (verkabelt)</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <SAM-Account-Name data_type="1">DOMAINNAME\0004f239dddd</SAM-Account-Name>
  <Fully-Qualifed-User-Name data_type="1">DOMAINNAME\0004f239dddd</Fully-Qualifed-User-Name>
  <Class data_type="1">311 1 10.0.10.1 03/26/2012 08:45:23 652</Class>
  <Authentication-Type data_type="0">2

The second attempt to connect to NAP (IAS) fails, as it tries to authenticate against my Active Directory with the MAC address as username (and password, as far as I know).

Is there a possibility to prevent this second login attempt?

Because I don't want to lower our domain security by adding a lot of users (with very weak passwords)...

Putting all "dumb" clients in a fallback VLAN is not my intention, because I want to separate some dumb clients from others (moving SIP phones into one VLAN and printers into another, for example).

Can somebody help me?

 

Thanks in advance.
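As an added example (not code from the original post, nor from HP or Microsoft), the following Python script parses IAS-format XML events like the two above and picks out the MAC-based attempts: an Access-Request whose User-Name is the client's MAC (and matches Calling-Station-Id once separators are stripped), and the Access-Reject that follows with Reason-Code 16 (credentials mismatch, i.e. no such account in the domain or wrong password), as distinct from the 802.1X/EAP logons that work. The sample events are constructed for this example, modelled on the ones in the post, with made-up host names, MACs and addresses; the Packet-Type codes come from RFC 2865, and the Authentication-Type and Reason-Code meanings from the IAS/NPS log-format documentation.

```python
"""Spot MAC-based RADIUS authentications in IAS-format (XML) NPS/IAS log events."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# RADIUS packet codes (RFC 2865/2866) as logged in the IAS Packet-Type field.
PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request"}
# Authentication-Type values per the IAS/NPS log-format documentation.
AUTH_TYPE = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP",
             7: "None", 8: "Custom"}
# IAS Reason-Code 16: user credentials mismatch (unknown account or bad password).
REASON_CREDENTIALS_MISMATCH = 16

# Constructed sample log (one <Event> per line), modelled on the post's events.
# Raw string: the DOMAIN\0004... values must not be read as octal escapes.
SAMPLE_EVENTS = r"""
<Event><Timestamp data_type="4">04/16/2012 17:25:57.015</Timestamp><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">0004f239dddd</User-Name><NAS-Port-Id data_type="1">9</NAS-Port-Id><Calling-Station-Id data_type="1">00-04-f2-39-dd-dd</Calling-Station-Id><Client-Friendly-Name data_type="1">Testswitch02</Client-Friendly-Name><Authentication-Type data_type="0">2</Authentication-Type><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">04/16/2012 17:25:57.031</Timestamp><Event-Source data_type="1">IAS</Event-Source><Authentication-Type data_type="0">2</Authentication-Type><SAM-Account-Name data_type="1">DOMAINNAME\0004f239dddd</SAM-Account-Name><Client-Friendly-Name data_type="1">Testswitch02</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">04/16/2012 17:26:10.102</Timestamp><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">DOMAINNAME\jdoe</User-Name><NAS-Port-Id data_type="1">3</NAS-Port-Id><Calling-Station-Id data_type="1">00-11-22-33-44-55</Calling-Station-Id><Client-Friendly-Name data_type="1">Testswitch02</Client-Friendly-Name><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">04/16/2012 17:26:10.540</Timestamp><Event-Source data_type="1">IAS</Event-Source><Authentication-Type data_type="0">5</Authentication-Type><SAM-Account-Name data_type="1">DOMAINNAME\jdoe</SAM-Account-Name><Client-Friendly-Name data_type="1">Testswitch02</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
"""


def parse_ias_event(xml_text: str) -> dict:
    """Return {field: value} for one <Event>; data_type attributes are dropped."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "") for child in root}


def normalize_mac(value: str) -> Optional[str]:
    """Lowercase 12-hex-digit MAC if value is a MAC in any common notation, else None."""
    hexonly = re.sub(r"[-:.\s]", "", value).lower()
    return hexonly if re.fullmatch(r"[0-9a-f]{12}", hexonly) else None


def identity(event: dict) -> str:
    """User identity without the DOMAIN\\ prefix (User-Name, else SAM-Account-Name)."""
    raw = event.get("User-Name") or event.get("SAM-Account-Name") or ""
    return raw.rsplit("\\", 1)[-1]


def is_mac_auth(event: dict) -> bool:
    """True when the user name is a MAC and, if Calling-Station-Id is present, the same MAC."""
    mac = normalize_mac(identity(event))
    if mac is None:
        return False
    calling = event.get("Calling-Station-Id")
    return calling is None or normalize_mac(calling) == mac


def analyze(log_text: str) -> list:
    """Classify every <Event> line; returns one finding dict per event, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("<Event>"):
            continue
        ev = parse_ias_event(line)
        ptype = PACKET_TYPE.get(int(ev.get("Packet-Type", "0")), "unknown")
        atype = AUTH_TYPE.get(int(ev.get("Authentication-Type", "0")), "unknown")
        reason = int(ev.get("Reason-Code", "0"))
        mac_auth = is_mac_auth(ev)
        if mac_auth and ptype == "Access-Reject" and reason == REASON_CREDENTIALS_MISMATCH:
            note = "MAC-based auth rejected: no account for this MAC in the domain (or wrong password)"
        elif mac_auth and ptype == "Access-Request":
            note = "MAC-based auth: switch sends the client MAC as user name"
        elif mac_auth:
            note = "MAC-based auth"
        else:
            note = "user/802.1X authentication"
        findings.append({"identity": identity(ev), "nas": ev.get("Client-Friendly-Name", ""),
                         "port": ev.get("NAS-Port-Id", ""), "packet_type": ptype,
                         "auth_type": atype, "reason_code": reason,
                         "mac_auth": mac_auth, "note": note})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['packet_type']:<15} {f['auth_type']:<6} {f['nas']} port {f['port']:<2} "
              f"{f['identity']:<14} {f['note']}")
```

Run it against a real IAS-format log by reading the file into `analyze()` instead of `SAMPLE_EVENTS`; the MAC check in `is_mac_auth()` deliberately refuses a User-Name that is a MAC but differs from Calling-Station-Id, so a client spoofing only one of the two shows up as a mismatch rather than a clean MAC-based logon.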