09-17-2007 02:36 AM
Procurve 2600 and Radius MAC VLAN affectation
We use ProCurve 2600 series switches and would like to do VLAN assignment by RADIUS-MAC.
We have one difficulty: for a machine with a known MAC address, the switch does not
place the port in the VLAN designated by the RADIUS server.
Has anybody on this forum succeeded in making a 2600 use the
VLAN assigned by RADIUS-MAC authentication?
More details of our setup and our problem:
- switch HP ProCurve 2626 (IP 145.238.3.182)
  - configuration in the appendix
- server FreeRADIUS 1.0.2 (IP 145.238.2.29)
  - configurations in the appendix:
    - radiusd.conf
    - clients.conf
    - users
- one computer A with MAC address 00:01:03:04:1D:7F
- our source of information:
  - Access Security Guide
    ftp://ftp.hp.com/pub/networking/software/2600-2800-4100-6108-Security-Oct2005-59906024.pdf
- The switch is configured to do RADIUS-MAC authentication on
  port 17. The RADIUS server is configured to put computer A in VLAN 4
  (different from the default VLAN 1).
  By default, all ports belong to VLAN 1. VLANs 4 and 301 are
  declared, without any ports inside.

When connecting computer A, the RADIUS log shows that the client is
successfully authenticated and that we want it in VLAN 4:
rad_recv: Access-Request packet from host 145.238.3.182:1024, id=45, length=187
        Framed-MTU = 1480
        NAS-IP-Address = 145.238.3.182
        NAS-Identifier = "sw-test-radius-1"
        User-Name = "00123f0e996f"
        Service-Type = Administrative-User
        Framed-Protocol = PPP
        NAS-Port = 17
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "17"
        Called-Station-Id = "00-14-38-fe-12-2f"
        Calling-Station-Id = "00-12-3f-0e-99-6f"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        CHAP-Password = 0x2c7659834f3e8eeb4868e3a9c01c769599
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
    users: Matched entry 00123f0e996f at line 74
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [00123f0e996f/
Sending Access-Accept of id 45 to 145.238.3.182:1024
        Service-Type = Framed-User
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = "4"
Finished request 0
On the switch we can see:
- that the client is seen as authenticated
- but the port is still in VLAN 1 :-(

sw-test-radius-1# sh port-access mac-based 17

       Authenticated  Unauthenticated  Current
  Port Clients        Clients          VLAN ID
  ---- -------------  ---------------  --------
  17   1              0                1         <-- Bad, should be 4
On the other hand, when we connect a computer B, unknown to the
RADIUS server, everything goes as expected:
- the client is seen as not authenticated
- it is allocated to VLAN 301, the default one for unknown clients

sw-test-radius-1# sh port-access mac-based 17

       Authenticated  Unauthenticated  Current
  Port Clients        Clients          VLAN ID
  ---- -------------  ---------------  --------
  17   0              1                301
For those who succeeded in making RADIUS-MAC work, do you have an idea
why the switch does not put the port in the right VLAN?
Thanks for your help,
====================================================================
Appendix
====================================================================
---------------------------------------------------------------------------
Radius : radiusd.conf
---------------------------------------------------------------------------
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
proxy_requests = yes
$INCLUDE ${confdir}/clients.conf
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
}
instantiate {
    exec
    expr
}
authorize {
    chap
    files
}
authenticate {
    Auth-Type CHAP {
        chap
    }
}
---------------------------------------------------------------------------
Radius : clients.conf
---------------------------------------------------------------------------
client 127.0.0.1 {
    secret = testing
    shortname = localhost
}
client 145.238.3.182 {
    secret = test
    shortname = swTest
}
---------------------------------------------------------------------------
Radius : users
---------------------------------------------------------------------------
00123f0e996f    Auth-Type := Local, User-Password == "00123f0e996f"
                Service-Type = Framed-User,
                Tunnel-type = VLAN,
                Tunnel-Medium-Type = 802,
                Tunnel-Private-Group-ID = 4

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

"testing"       Auth-Type := Local, User-Password == "testing"
---------------------------------------------------------------------------
Switch
---------------------------------------------------------------------------
hostname "sw-test-radius-1"
interface 17
   no lacp
exit
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-26
   ip address 145.238.3.182 255.255.0.0
   exit
vlan 301
   name "VISITEURS"
   exit
vlan 4
   name "TEST"
   exit
radius-server dead-time 10
radius-server host 145.238.2.29 key test
aaa port-access mac-based 17
aaa port-access mac-based 17 unauth-vid 301
---------------------------------------------------------------------------

09-17-2007 04:30 PM
Re: Procurve 2600 and Radius MAC VLAN affectation
All the configurations look fine to me, but I'm not sure if this has been tested before with FreeRADIUS and a 2600.
Have you tested with IAS or Steel-Belted Radius?
You can download an evaluation version of Steel-Belted Radius and test it:
https://www.juniper.net/webleads/leadsRegistration.do?_returnurl=http://www.juniper.net/customers/support/products/aaa_802/sbr_demo.jsp&_id=www.SBRFreeTrial&_enhanced=N&templateName=aaa_demo
Also, you can try your luck with Web Authentication; I think you need to change a few commands on the switch and then test it with Web Auth.
Also, you can use these commands after a successful MAC login on the switch:

    show port-access mac-based
    show port-access mac-based clients
    show port-access mac-based config
    show port-access mac-based config auth-server
    show port-access mac-based config detail
Good Luck !!!

09-17-2007 04:33 PM
Re: Procurve 2600 and Radius MAC VLAN affectation
http://www.juniper.net/products_and_services/aaa_and_802_1x/steel_belted_radius/sbr_enterprise_edition/

09-20-2007 01:53 AM
Re: Procurve 2600 and Radius MAC VLAN affectation
Thank you for your responses. But when I run show vlans on the switch interface I get this:

  802.1Q VLAN ID Name         Status     Voice
  -------------- ------------ ---------- -----
  1              DEFAULT_VLAN Port-based No
  4              TEST         Port-based No
  301            VISITEURS    Port-based No

I don't know what Port-based means, and why is it not dynamic? I enabled gvrp but the VLAN status does not change.
Thanks

11-02-2007 09:41 AM
Re: Procurve 2600 and Radius MAC VLAN affectation
If you still have trouble with MAC-based
VLAN assignment via RADIUS, I may have a solution for your problem.
In your RADIUS configuration you have the attribute Tunnel-Medium-Type supplied with the string 802, but the RADIUS server converts this string to a number (because it consists only of digits). Try to use the numeric value for 802, which should be 6. In my configuration this works fine. I'm using FreeRADIUS and a ProCurve 2626 with the current firmware. Here is my configuration:
ProCurve:

; J4900B Configuration Editor; Created on release #H.10.45
hostname "ProCurve Switch 2626"
interface 1
   no lacp
exit
interface 2
   no lacp
exit
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 3-26
   ip address dhcp-bootp
   no untagged 1-2
   exit
vlan 10
   name "VLAN10"
   untagged 1-2
   exit
gvrp
aaa authentication mac-based chap-radius authorized
aaa accounting update periodic 1
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
aaa accounting system start-stop radius
aaa accounting commands stop-only radius
radius-server dead-time 30
radius-server timeout 10
radius-server retransmit 2
radius-server host 172.21.21.110 key procurve
aaa port-access mac-based 1-2
password manager
password operator
RADIUS Reply data:

('00508bcbd92e','Service-Type','=','Framed-User');
('00508bcbd92e','Tunnel-Type','=','VLAN');
('00508bcbd92e','Tunnel-Medium-Type','=','6');
('00508bcbd92e','Tunnel-Private-Group-ID','=','1');

(Sorry for the SQL format, I'm using FreeRADIUS with MySQL :-)

I have added port 2 statically to VLAN 10. If the client with the correct MAC address connects to this port, it moves to VLAN 1.
I hope this will help you!
Regards,
Wolfgang Ailec
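To show concretely why a literal 802 is ignored while 6 works, here is an added example written for this thread (not code from either poster): it encodes the three tunnel attributes from the users-file entry as RFC 2868 attribute-value pairs and applies the checks a switch makes before it will move a port. The attribute numbers (64, 65, 81) and the enumerated values VLAN = 13 and IEEE-802 = 6 come from RFC 2868 and RFC 3580; the check function, its return values and the encoding helpers are my own construction.

```python
import struct

# Attribute numbers and enumerated values from RFC 2868 / RFC 3580.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802


def encode_tagged_int(attr_type, value, tag=0):
    # Type, Length (always 6), Tag, 3-octet big-endian integer.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    # Type, Length, Tag, String; FreeRADIUS' ":0" suffix in the log is tag 0.
    data = text.encode()
    return struct.pack("!BBB", attr_type, len(data) + 3, tag) + data


def build_vlan_reply(tunnel_medium_type, vlan_id):
    # The three AVPs FreeRADIUS sends for the users-file entry on this page.
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tunnel_medium_type)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def parse_avps(data):
    # Walk Type/Length/Value triples; returns {type: (tag, value bytes)}.
    avps, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed AVP at offset %d" % i)
        avps[attr_type] = (data[i + 2], data[i + 3:i + length])
        i += length
    return avps


def check_vlan_reply(data):
    # Checks a switch makes before moving a port (hypothetical model of it):
    # all three attributes present, Tunnel-Type == VLAN, Medium == IEEE-802.
    avps = parse_avps(data)
    for needed in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if needed not in avps:
            return "missing attribute %d" % needed
    tunnel_type = int.from_bytes(avps[TUNNEL_TYPE][1], "big")
    medium = int.from_bytes(avps[TUNNEL_MEDIUM_TYPE][1], "big")
    if tunnel_type != TUNNEL_TYPE_VLAN:
        return "Tunnel-Type is %d, expected VLAN (13)" % tunnel_type
    if medium != TUNNEL_MEDIUM_IEEE_802:
        return "Tunnel-Medium-Type is %d, expected IEEE-802 (6)" % medium
    return int(avps[TUNNEL_PRIVATE_GROUP_ID][1].decode())
```

Calling `check_vlan_reply(build_vlan_reply(802, 4))` reproduces the original poster's Access-Accept: the packet parses fine but fails the medium-type check, which matches the silent "authenticated but still in VLAN 1" result on port 17.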