
Re: Problems in 802.1x, HP2650, (P)EAP and IAS Radius.

 
SOLVED
Ville M. Leinonen
New Member

Problems in 802.1x, HP2650, (P)EAP and IAS Radius.

Hi all,

I have been setting up an 802.1x and IAS environment. Now, for some reason, I cannot log in with my username/password/domain combination on my network. My 2650 sw H.08.98 only says "radius: Can't reach RADIUS server 192.168.0.103". When I ping it, it responds. There is no log information in the IAS logs. My configuration is something like this:

interface 1
no lacp
exit
ip default-gateway 10.0.0.1
vlan 1
name "DEFAULT_VLAN"
untagged 48-50
no ip address
no untagged 1-47
exit
vlan 2
name "Management"
ip address 10.0.0.13 255.255.255.0
tagged 48
exit
vlan 10
name "VLAN10"
untagged 1
tagged 48
exit
vlan 20
name "VLAN20"
tagged 48
exit
vlan 30
name "VLAN30"
tagged 48
exit
vlan 99
name "Denied"
untagged 2-47
exit
aaa authentication num-attempts 5
aaa authentication port-access eap-radius
aaa authentication ssh enable radius local
radius-server dead-time 5
radius-server host 192.168.0.103 key xxxxxxx
primary-vlan 2
management-vlan 2
aaa port-access authenticator 1
aaa port-access authenticator active

Any suggestions as to what may be wrong? When I try port-access chap-radius, the log says something, but I want to use PEAP.

Br,

Ville
7 REPLIES
Sergej Gurenko
Trusted Contributor

Re: Problems in 802.1x, HP2650, (P)EAP and IAS Radius.

Check whether the RADIUS ports are opened by the IAS service on your Windows server. If the RRAS service is installed, it can take over IAS.

Use a sniffer on the RADIUS server for troubleshooting. A good one is Packetyzer with the (radius) filter.
Jaguar
Occasional Advisor

Re: Problems in 802.1x, HP2650, (P)EAP and IAS Radius.

Hi,
Take a look at Event Viewer, System. This should provide some information on the IAS log. If you are getting NAS-IP-Address: 127.0.0.1, then it's the shared secret key. Go to IAS, RADIUS Client, and provide the switch IP address as well as the shared secret.
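An added example, not part of any post in this thread: a sniffed Access-Request can be checked offline for the NAS-IP-Address it carries, whether it contains an EAP-Message, and whether its Message-Authenticator (HMAC-MD5 over the packet, as RFC 3579 defines it) matches the shared secret configured on the RADIUS client entry. The function names, the sample packet and the secret are constructed for illustration; only the switch address 10.0.0.13 comes from the posted configuration.

```python
import hashlib
import hmac
import ipaddress
import struct

NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 4, 79, 80  # RADIUS attribute types

def parse_radius(packet: bytes):
    """Return (code, length, [(attr_type, value_offset, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the captured data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, length, attrs

def check_access_request(packet: bytes, secret: bytes) -> dict:
    """Summarise what the server sees; secret_ok stays None without attribute 80."""
    code, length, attrs = parse_radius(packet)
    report = {"access_request": code == 1, "nas_ip": None, "has_eap": False, "secret_ok": None}
    for a_type, off, value in attrs:
        if a_type == NAS_IP_ADDRESS and len(value) == 4:
            report["nas_ip"] = str(ipaddress.IPv4Address(value))
        elif a_type == EAP_MESSAGE:
            report["has_eap"] = True
        elif a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            # HMAC-MD5 is computed with the 16-byte value field zeroed out.
            zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
            digest = hmac.new(secret, zeroed, hashlib.md5).digest()
            report["secret_ok"] = hmac.compare_digest(digest, value)
    return report

def build_sample(secret: bytes) -> bytes:
    """Constructed Access-Request (not a capture) with an EAP-Response/Identity."""
    eap = bytes([2, 1, 0, 9, 1]) + b"user"  # code, id, length (2 bytes), type, identity
    attrs = (bytes([4, 6]) + ipaddress.IPv4Address("10.0.0.13").packed
             + bytes([79, 2 + len(eap)]) + eap + bytes([80, 18]) + bytes(16))
    pkt = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16)) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

if __name__ == "__main__":
    print(check_access_request(build_sample(b"constructed-secret"), b"constructed-secret"))
```

To use it on real traffic, pass the UDP payload of one Access-Request exported from the sniffer as `packet` and the secret from the RADIUS client entry as `secret`.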
Ville M. Leinonen
New Member

Re: Problems in 802.1x, HP2650, (P)EAP and IAS Radius.

Hi,

As I wrote, "When I try port-access chap-radius, the log says something". I have set up Enterasys devices to use IAS with PEAP and those work. I have also triple checked the shared secret. I have also sniffed that traffic and it seems to be OK. It seems that IAS doesn't care about PEAP authentication when the access request comes from HP switches. Any other suggestions?

Br,

Ville
Sergej Gurenko
Trusted Contributor

Re: Problems in 802.1x, HP2650, (P)EAP and IAS Radius.

Triple check whether IAS is listening for your packets on the RADIUS port!!! As I mentioned before, sometimes the port is locked by another service (e.g. RRAS).
You definitely must see an event in the event log (for example, unsupported message type). You can also use the "iasparse" tool from the resource kit.

Make sure IAS works at all. You can implement administrator authentication via RADIUS and check whether it is working.
Bill Cripps
New Member

Re: Problems in 802.1x, HP2650, (P)EAP and IAS Radius.

Hi Ville,

Try downgrading the firmware. We have seen the same problem on the 5304's. We downgraded the firmware and everything worked.

bc
Rion Odenbach
Regular Visitor
Solution

Re: Problems in 802.1x, HP2650, (P)EAP and IAS Radius.

Hi Ville,

Please downgrade to a version of code before H.08.95. The next version of code released on the web should have a fix included for PEAP; these will be release numbers greater than H.08.103. I suspect that using one of these code releases will fix your problem.
Ionut Andrei
Occasional Contributor

Re: Problems in 802.1x, HP2650, (P)EAP and IAS Radius.

I don't know if anyone here had this problem, but that "no untagged" line from the primary VLAN caused many of the ports on my switch not to work. Whenever I tried to directly assign a port as "untagged" to another VLAN, I lost access to the switch from part of the ports. The only solution I found was to first declare the ports as "tagged", then "no tagged", then "untagged" in the new VLAN.