
Procurve 2600 and Radius MAC VLAN affectation

Rachida El Hammoud
Occasional Visitor

Procurve 2600 and Radius MAC VLAN affectation

Hello,

We use Procurve 2600 series switches and would like to do VLAN assignment by Radius-MAC.

We have one difficulty: for a machine whose MAC address is known, the switch does not
place the port in the VLAN designated by the Radius server.

Has anybody on this forum succeeded in making a 2600 use the
VLAN assigned by Radius-MAC authentication?

More details of our model and our problem:

- switch HP Procurve 2626 (IP 145.238.3.182)
- configuration in the appendix
- server FreeRadius 1.0.2 (IP 145.238.2.29)
- configurations in the annex:
  - radiusd.conf
  - clients.conf
  - users
- one computer A with MAC address 00:01:03:04:1D:7F
- our source of information: Access Security Guide
  ftp://ftp.hp.com/pub/networking/software/2600-2800-4100-6108-Security-Oct2005-59906024.pdf
- The switch is configured to do Radius-MAC auth on port 17. The Radius is
  configured to put computer A in VLAN 4 (different from the default VLAN 1).


By default, all ports belong to VLAN 1. VLANs 4 and 301 are
declared, without any ports inside.

When computer A connects, the Radius log shows that the client is
successfully authenticated and that we want it in VLAN 4.

rad_recv: Access-Request packet from host 145.238.3.182:1024, id=45, length=187
Framed-MTU = 1480
NAS-IP-Address = 145.238.3.182
NAS-Identifier = "sw-test-radius-1"
User-Name = "00123f0e996f"
Service-Type = Administrative-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-38-fe-12-2f"
Calling-Station-Id = "00-12-3f-0e-99-6f"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
CHAP-Password = 0x2c7659834f3e8eeb4868e3a9c01c769599
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 0
users: Matched entry 00123f0e996f at line 74
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [00123f0e996f/] (from client swTest port 17 cli 00-12-3f-0e-99-6f)
Sending Access-Accept of id 45 to 145.238.3.182:1024
Service-Type = Framed-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = 802
Tunnel-Private-Group-Id:0 = "4"
Finished request 0


On the switch we can see:

- The client is seen as authenticated
- But the port is still in VLAN 1 :-(

sw-test-radius-1# sh port-access mac-based 17

      Authenticated  Unauthenticated  Current
Port  Clients        Clients          VLAN ID
----  -------------  ---------------  --------
17    1              0                1        <-- Bad, should be 4



On the other hand, when we connect a computer B, unknown to the
Radius, everything goes as expected:

- The client is seen as not authenticated
- It is allocated to VLAN 301, the default one for unknown clients

sw-test-radius-1# sh port-access mac-based 17

      Authenticated  Unauthenticated  Current
Port  Clients        Clients          VLAN ID
----  -------------  ---------------  --------
17    0              1                301

For those who succeeded in making Radius-MAC work, do you have an idea
of why the switch does not put the port in the right VLAN?

thanks for your help,


====================================================================
Appendix
====================================================================

---------------------------------------------------------------------------
Radius : radiusd.conf
---------------------------------------------------------------------------

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
proxy_requests = yes
$INCLUDE ${confdir}/clients.conf

modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
}

instantiate {
    exec
    expr
}

authorize {
    chap
    files
}

authenticate {
    Auth-Type CHAP {
        chap
    }
}


---------------------------------------------------------------------------
Radius : clients.conf
---------------------------------------------------------------------------

client 127.0.0.1 {
    secret = testing
    shortname = localhost
}
client 145.238.3.182 {
    secret = test
    shortname = swTest
}

---------------------------------------------------------------------------
Radius : users
---------------------------------------------------------------------------

00123f0e996f    Auth-Type := Local, User-Password == "00123f0e996f"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = 4

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

"testing"       Auth-Type := Local, User-Password == "testing"


---------------------------------------------------------------------------
Switch
---------------------------------------------------------------------------

hostname "sw-test-radius-1"
interface 17
   no lacp
   exit
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-26
   ip address 145.238.3.182 255.255.0.0
   exit
vlan 301
   name "VISITEURS"
   exit
vlan 4
   name "TEST"
   exit
radius-server dead-time 10
radius-server host 145.238.2.29 key test
aaa port-access mac-based 17
aaa port-access mac-based 17 unauth-vid 301

---------------------------------------------------------------------------
4 REPLIES
Mohieddin Kharnoub
Honored Contributor

Re: Procurve 2600 and Radius MAC VLAN affectation

Hi

All the configurations look fine to me, but I'm not sure if this has been tested before with Free Radius and the 2600.

Have you tested with IAS or Steel-Belted Radius?

You can download an evaluation version of Steel-Belted Radius and test it.
https://www.juniper.net/webleads/leadsRegistration.do?_returnurl=http://www.juniper.net/customers/support/products/aaa_802/sbr_demo.jsp&_id=www.SBRFreeTrial&_enhanced=N&templateName=aaa_demo

Also, you can try your luck with WEB Authentication; I think you need to change a few commands on the switch and then test it with WEB Auth.

Also you can use these commands after a successful MAC login on the switch:

show port-access mac-based
show port-access mac-based clients
show port-access mac-based config
show port-access mac-based config auth-server
show port-access mac-based config detail

Good Luck !!!

Science for Everyone
Mohieddin Kharnoub
Honored Contributor

Re: Procurve 2600 and Radius MAC VLAN affectation

Rachida El Hammoud
Occasional Visitor

Re: Procurve 2600 and Radius MAC VLAN affectation

Hello,

Thank you for your responses. But when I enter show vlans at the switch interface I get this:

802.1Q VLAN ID  Name          Status      Voice
--------------  ------------  ----------  -----
1               DEFAULT_VLAN  Port-based  No
4               TEST          Port-based  No
301             VISITEURS     Port-based  No

I don't know what Port-based means, and why is it not dynamic? I configured gvrp, but the VLAN status does not change?

thanks
Wolfgang Ailec
Occasional Visitor

Re: Procurve 2600 and Radius MAC VLAN affectation

Hello there,
if you still have troubles with mac-based VLAN assignment via RADIUS, I may have a solution for your problem.
In your radius configuration you have the attribute Tunnel-Medium-Type supplied with the string 802, but the radius server converts this string to a number (because it consists only of digits). Try to use the numeric value for the "802" medium, which should be 6. In my configuration this works fine. I'm using free-radius and a procurve 2626 with the current firmware. Here is my configuration:

Procurve:
; J4900B Configuration Editor; Created on release #H.10.45

hostname "ProCurve Switch 2626"
interface 1
   no lacp
   exit
interface 2
   no lacp
   exit
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 3-26
   ip address dhcp-bootp
   no untagged 1-2
   exit
vlan 10
   name "VLAN10"
   untagged 1-2
   exit
gvrp
aaa authentication mac-based chap-radius authorized
aaa accounting update periodic 1
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
aaa accounting system start-stop radius
aaa accounting commands stop-only radius
radius-server dead-time 30
radius-server timeout 10
radius-server retransmit 2
radius-server host 172.21.21.110 key procurve
aaa port-access mac-based 1-2
password manager
password operator

RADIUS Reply data:
('00508bcbd92e','Service-Type','=','Framed-User');
('00508bcbd92e','Tunnel-Type','=','VLAN');
('00508bcbd92e','Tunnel-Medium-Type','=','6');
('00508bcbd92e','Tunnel-Private-Group-ID','=','1');

(Sorry for the SQL format, I'm using freeradius with MySQL :-)
I have added port 2 statically to VLAN 10. If the client with the correct MAC address connects to this port, it moves to VLAN 1.

I hope this will help you!

Regards,
Wolfgang Ailec
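The Tunnel-Medium-Type point raised in the last reply, and the users file in the original post, as an added example that is not code from any poster: this Python encodes the three RFC 2868 tunnel attributes a switch looks for in an Access-Accept and validates a reply against RFC 3580, so a reply carrying the literal integer 802 instead of IEEE-802 (6) is reported as the reason the NAS would ignore the VLAN. Attribute numbers and values are the RFC constants; the replies it builds are constructed samples.

```python
import struct

# RFC 2868 attribute numbers and RFC 3580 values (standard constants, not from the thread)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # the "802" medium is value 6, not the integer 802
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def encode_tunnel_int(attr_type, value, tag=0):
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte big-endian value."""
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value does not fit the 3-byte tunnel integer field")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def encode_tunnel_string(attr_type, text, tag=0):
    """Tagged string attribute: Type, Length, Tag, then the text octets."""
    data = text.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def build_vlan_reply(vlan_id, medium=TUNNEL_MEDIUM_IEEE_802):
    """The three attributes a NAS expects in an Access-Accept for dynamic VLAN."""
    return (encode_tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + encode_tunnel_int(TUNNEL_MEDIUM_TYPE, medium)
            + encode_tunnel_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))

def parse_attributes(blob):
    """Walk raw attribute TLVs; return (type, tag, value) for the tunnel attributes."""
    out, i = [], 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):   # tunnel attrs always carry a tag byte
            raise ValueError("malformed attribute at offset %d" % i)
        if attr_type in TUNNEL_ATTRS:
            out.append((attr_type, blob[i + 2], blob[i + 3:i + length]))
        i += length
    return out

def check_vlan_assignment(blob):
    """Judge a reply against RFC 3580: return (vlan_id or None, list of problems)."""
    attrs = {t: value for t, _tag, value in parse_attributes(blob)}
    problems = []
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        problems.append("Tunnel-Type is not VLAN (13)")
    medium = int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b"\0"), "big")
    if medium != TUNNEL_MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type is %d, expected IEEE-802 (6)" % medium)
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if not group.isdigit():
        problems.append("Tunnel-Private-Group-ID missing or not a VLAN number")
    return (int(group) if not problems else None), problems
```

Running `check_vlan_assignment(build_vlan_reply(4, medium=802))` reproduces the original poster's situation: the client authenticates, but the VLAN is not usable because the medium type is wrong.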