Procurve 802.1X question (wired network)

procurve_1
Occasional Visitor


Hello,
I'm developing a NAC solution in a network using a Procurve 2650 as the RADIUS client, IAS as the RADIUS server and Windows XP as the supplicant.

I'm using an old firmware version (due to company needs), almost a year old.

My main question is: I have verified that when the switch opens a port because a client successfully logged in to RADIUS, the port becomes open for everyone; so if I have several clients connected to one port, I can't control each of them separately, I can only have my switch port open or closed.
Is there a way to manage each client's authentication separately?

Other problems are related to the authentication protocols: I tried every protocol available between the XP client and IAS: CHAP, EAP with digital certificates issued by the server via AD, etc., but none of them works; I always get different errors like:
The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server
or this:
The user attempted to use an authentication method that is not enabled on the matching remote access policy.

and some more, but I followed step by step the Microsoft guide (http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=05951071-6B20-4CEF-9939-47C397FFD3DD&displaylang=en) and other good guides like this one: http://alextch.members.winisp.net/802.1x/Defending%20your%20internal%20network%20with%20802.1x%20and%20Microsoft%20PKI.htm

Could the problem be related to the old firmware version, or are the Microsoft and other guides mistaken?

Thank you
4 REPLIES

Re: Procurve 802.1X question (wired network)

My main question is: I have verified that when the switch opens a port because a client successfully logged in to RADIUS, the port becomes open for everyone.

---

port-security learn-mode port-access

Will only allow the switch to pass traffic from authenticated clients.

Though I have to warn you running multiple clients on an 802.1X authenticated port is inherently insecure and limited in terms of dynamic assignment.
procurve_1
Occasional Visitor

Re: Procurve 802.1X question (wired network)

Thank you for your reply,
I've upgraded the firmware and verified that the problem was related to its old version.
Now, with the latest version, I can login correctly also using PEAP.

Your suggestion is really useful, because I'm studying the documentation in order to learn how to have session control; in fact I want to have multiple clients connected to one port and prevent access by unauthorized PCs.

I have verified that with more than one client connected to one port, when one of them logs on successfully the port becomes open for everyone.

How can I control this situation?

Thank you

Re: Procurve 802.1X question (wired network)

Use the port-security commands mentioned above, and set a client-limit on the port-access authenticator.

aaa port-access authenticator client-limit 1

Re: Procurve 802.1X question (wired network)

Sorry, misread. The above post will only allow 1 client to connect.


By enabling port-security in the way I suggested, you're limiting access to clients that have managed to authenticate.

Traffic for unauthenticated clients should not be forwarded by the switch, and traffic will not be forwarded towards an unauthenticated client by the switch.

This will not prevent unauthenticated devices attacking or snooping on any devices downstream of the 802.1X authenticated port.
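The two replies above recommend combining `port-security ... learn-mode port-access` (forward only authenticated MACs) with `aaa port-access authenticator ... client-limit` (cap the number of authenticated sessions). The following is an added example, not code from this thread or from HP: a small Python audit that reads a ProCurve-style running-config fragment and lists the 802.1X ports on which one successful login would still let every MAC on the port through, i.e. authenticator enabled but no `learn-mode port-access`. The command forms with an explicit port list, the numeric port naming of a 2650 and the `;` comment prefix are assumptions based on the ProCurve CLI, and the config text is constructed for the example, not captured from a switch.

```python
"""Audit a ProCurve-style running-config for 802.1X ports that still forward
traffic from unauthenticated MACs once a single client has logged in.

Added example; command syntax (with explicit port lists) is assumed from the
ProCurve CLI:
    aaa port-access authenticator <port-list>
    aaa port-access authenticator <port-list> client-limit <n>
    port-security <port-list> learn-mode port-access
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample config, not a real switch dump.
SAMPLE_CONFIG = """
; constructed sample running-config
hostname "edge-sw1"
aaa authentication port-access eap-radius
aaa port-access authenticator 1-8
aaa port-access authenticator 5 client-limit 2
aaa port-access authenticator active
port-security 1-4 learn-mode port-access
port-security 7 learn-mode static address-limit 1
"""


@dataclass
class PortState:
    dot1x: bool = False                  # authenticator enabled on the port
    client_limit: Optional[int] = None   # max authenticated sessions, if set
    learn_mode: Optional[str] = None     # port-security learn-mode, if set


CLIENT_LIMIT_RE = re.compile(r"^aaa port-access authenticator (\S+) client-limit (\d+)\s*$")
AUTHENTICATOR_RE = re.compile(r"^aaa port-access authenticator (\S+)\s*$")
PORT_SECURITY_RE = re.compile(r"^port-security (\S+) learn-mode (\S+)")


def expand_ports(spec: str) -> List[int]:
    """Expand a ProCurve port list such as '1-4,7,9-10' into integers
    (assumes plain numeric port names, as on a 2650)."""
    ports: List[int] = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        elif part:
            ports.append(int(part))
    return ports


def audit(config: str) -> Dict[int, PortState]:
    """Build a per-port view of the 802.1X and port-security settings."""
    states: Dict[int, PortState] = {}

    def state(port: int) -> PortState:
        return states.setdefault(port, PortState())

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = CLIENT_LIMIT_RE.match(line)
        if m:
            for p in expand_ports(m.group(1)):
                state(p).client_limit = int(m.group(2))
            continue
        m = AUTHENTICATOR_RE.match(line)
        if m and m.group(1) != "active":   # 'active' is the global enable, not a port
            for p in expand_ports(m.group(1)):
                state(p).dot1x = True
            continue
        m = PORT_SECURITY_RE.match(line)
        if m:
            for p in expand_ports(m.group(1)):
                state(p).learn_mode = m.group(2)
    return states


def open_ports(states: Dict[int, PortState]) -> List[int]:
    """Ports where 802.1X is on but port-security is not in port-access mode:
    after one client authenticates, the switch forwards for every MAC there."""
    return sorted(p for p, s in states.items()
                  if s.dot1x and s.learn_mode != "port-access")


if __name__ == "__main__":
    st = audit(SAMPLE_CONFIG)
    for p in open_ports(st):
        limit = st[p].client_limit
        print(f"port {p}: 802.1X enabled, learn-mode={st[p].learn_mode!r}, "
              f"client-limit={limit}: add 'port-security {p} learn-mode port-access'")
```

Note that port 5 in the sample is flagged even though it carries a client-limit: the limit only caps how many supplicants may authenticate, and, as the last reply says, it is the port-security learn-mode that stops the switch forwarding frames from MACs that never authenticated.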