Switches, Hubs, and Modems
Showing results for 
Search instead for 
Did you mean: 

Mac-based Radius Configuration.

Go to solution
Occasional Visitor

Mac-based Radius Configuration.

I seem to have the HP 2650 setup correctly but am still having issues getting it to authenticate through the MS IAS service. using MD5-CHAP, and have set the users password to store passwords using reversible encryption. And password never expires.

I have tried the setting that others in the forums have used, but is still not working for me.

This is my setup.

User 000bdb7bdcbe was denied access.
Fully-Qualified-User-Name = xxx.xxx.xx.xx/Users/000bdb7bdcbe
NAS-IP-Address =
NAS-Identifier = Radius Test Switch
Called-Station-Identifier = 00-30-6e-e3-71-ff
Calling-Station-Identifier = 00-0b-db-7b-dc-be
Client-Friendly-Name = Radius test
Client-IP-Address =
NAS-Port-Type = Ethernet
NAS-Port = 1
Proxy-Policy-Name = Radius Domain Test
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Radius Test 1
Authentication-Type = MD5-CHAP
EAP-Type =
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

In IAS, setup radius Client, which is the HP 2650, with ip address and secret name, triple checked secret name.

Remote access policies:
Windows Group Matches, Domain\Radius Access Group
Allow Access on through: Ethernet
Authentication: EAP Methods: MD5-Challenge
Encryption all checked.

Went through the 2600-*.pdf to set up switch for mac-based authentication.

What is the Vendor ID for the 2650?

Service type: Framed
Tunnel-Medium-Type: 802
Tunnel-PVT-Group-ID: 903 (VLAN ID)
Tunnel-Type: Virtual LANS
Framed-Protocol: PPP

Granted Remote Access Permission

Any help would be greatly appreciated

Nameesh NR

Re: Mac-based Radius Configuration.


Some of the thing that you can check for -

(1) The username/password for a MAC auth user should be the MAC address itself

(2) In the "Remote Access Profile", check for the -
Settings Tab
- Add Policy condition for NAS Port Type
matching "Ethernet"

Dial-in Constraints Tab
- Select "Allow access only through these media (NAS-Port-Type)
- Select "Ethernet"

Authentication Tab
- CHAP option should be selected
- If you have some other authentication
enabled on the switch then, select them
as well in this tab

Advanced Tab
- Framed-Protocol (Radius Standard) PPP
- Service Type (Radius Standard) Framed

(3) In "Connection Request Policies" under
IAS->Connection Request Processing -

- Use Windows authentication for all users
- Add Policy condition as "Ethernet"

I have similar setup at my end and im able to see the users authentication via MAC-Auth.

Please let me know if the things mentioned did help.

Nothing is too small to know, and nothing is too big to attempt.
Occasional Visitor

Re: Mac-based Radius Configuration.


1. the username and password are the same.

2. Done, only want to use the MD5 Challenge

3. Unable to find use windows authentication in that section.

Occasional Visitor

Re: Mac-based Radius Configuration.


It is working now.

Nameesh NR

Re: Mac-based Radius Configuration.

Hi Dhillsr,

Thats great !!
Did you do anything different to make it
work or did the steps that I sent help you ?

Don't forget to give the points :)
Nothing is too small to know, and nothing is too big to attempt.
Occasional Visitor

Re: Mac-based Radius Configuration.

I used the steps you gave me, along with what I had already done.

Works great.

Occasional Visitor

Re: Mac-based Radius Configuration.

Thanks for all of your help.