Procurve Edge Configuration - 802.1X

:a:k:t:
Occasional Visitor

Hello everyone,

We're evaluating a migration to 802.1X port access.

Authentication with supplicants and the RADIUS host on the same/CORE switch works. So far so good.

When using an EDGE-switch (not directly connected to RADIUS host; also usually configured for RADIUS-host), the RADIUS-communication is incomplete:
Access request (switch) -> Access challenge (RADIUS) -> Access Request#2 (switch) -> Fragmented IP Protocol (RADIUS)

Tried different configuration settings and manual hints now, without success. I'm stuck.

Any ideas?

Best regards
9 REPLIES
cenk sasmaztin
Honored Contributor

Re: Procurve Edge Configuration - 802.1X

Each switch port is able to do 802.1X authentication for 32 clients, so each 24-port switch (non-802.1X configuration) must connect to the core switch.
It is possible to have one RADIUS client (authenticator) with the core switch.

But this configuration method is inadvisable, because the network authentication and authorization process must be at the proximate switch point (edge switch). When I make an 802.1X config I usually use an edge switch as the authenticator, petty edge switch, because all end users must connect on an edge switch; the core switch is usually for server and other switch connections.
My advice: you can make a traditional 802.1X configuration.
cenk

cenk sasmaztin
Honored Contributor

Re: Procurve Edge Configuration - 802.1X

Matt Hobbs
Honored Contributor

Re: Procurve Edge Configuration - 802.1X

Which switch model are your edge switches? Make sure your firmware is up to date. Also if you have jumbo frames enabled (2900 or 3500 maybe) try disabling it. I worked on an issue in the past with jumbo frames causing a similar issue and it has been resolved in the latest firmware releases.
:a:k:t:
Occasional Visitor

Re: Procurve Edge Configuration - 802.1X

Thanks a lot for your ideas and experiences!

I will try them asap, now after the holidays.

Best regards
:a:k:t:
Occasional Visitor

Re: Procurve Edge Configuration - 802.1X

By the way, we're using HP2848 and/or 3400cl as EDGE-Switches.
:a:k:t:
Occasional Visitor

Re: Procurve Edge Configuration - 802.1X

Tried the VLAN configuration posted with the same result -> interruption in communication.

I looked at the data that is sent with the Fragmented IP Protocol packet. It seems like it contains the RADIUS certificate.

Anyone got an idea why this RADIUS packet is invalid when sent to/over another switch?

Thanks in advance!

Config-example:

interface 4
no lacp
exit
aaa authentication port-access eap-radius
radius-server host 192.168.1.x key x
aaa port-access authenticator 4
aaa port-access authenticator active

Used: PEAP-MS-CHAP v2
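
Added example, not part of the original thread: Python code that parses a RADIUS UDP payload, reassembles its EAP-Message attributes and reports how many IPv4 fragments the packet needs at a given MTU, which is the condition behind the "Fragmented IP Protocol" line in the capture described above. The packets, the EAP sizes and all function names are constructed for illustration.

```python
import struct

EAP_MESSAGE = 79   # RADIUS attribute type that carries EAP (RFC 3579)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_radius(payload):
    """Return (code name, identifier, RADIUS length, reassembled EAP bytes)."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("RADIUS length field does not match the UDP payload")
    eap, pos = bytearray(), 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        if a_type == EAP_MESSAGE:          # one EAP packet is split over several attributes
            eap += payload[pos + 2:pos + a_len]
        pos += a_len
    return CODES.get(code, "code %d" % code), ident, length, bytes(eap)

def ipv4_fragments(radius_len, mtu=1500):
    """IPv4 fragments needed for a UDP datagram with this RADIUS payload (20-byte IP header)."""
    ip_payload = radius_len + 8                 # UDP header + RADIUS packet
    if ip_payload <= mtu - 20:
        return 1                                # fits in one datagram, no fragmentation
    per_fragment = (mtu - 20) // 8 * 8          # non-final fragments carry multiples of 8 bytes
    return -(-ip_payload // per_fragment)       # ceiling division

def build_challenge(ident, eap):
    """Constructed sample: an Access-Challenge with eap in 253-byte EAP-Message attributes."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    attrs = b"".join(bytes([EAP_MESSAGE, len(c) + 2]) + c for c in chunks)
    return struct.pack("!BBH", 11, ident, 20 + len(attrs)) + bytes(16) + attrs

def sample_eap(size):
    """Constructed EAP-Request of type 25 (PEAP), zero-padded to `size` bytes."""
    return struct.pack("!BBHB", 1, 7, size, 25) + bytes(size - 5)

if __name__ == "__main__":
    for size in (40, 1400, 1496):               # constructed sizes, small to certificate-sized
        name, ident, length, eap = parse_radius(build_challenge(7, sample_eap(size)))
        print(name, "EAP bytes:", len(eap), "RADIUS bytes:", length,
              "fragments at MTU 1500:", ipv4_fragments(length))
```

Running the parser on the Access-Challenge payload captured on each side of the uplink shows whether the reply needs more than one fragment and therefore whether a fragment lost on the path would explain the stalled exchange.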
Lei.Ma
Frequent Advisor

Re: Procurve Edge Configuration - 802.1X

Dear Matt Hobbs,

What is your new email address? Could you send me a test email to ray.ma7@gmail.com :)

Thanks
Lei.Ma
Frequent Advisor

Re: Procurve Edge Configuration - 802.1X

Not familiar with your software (Fragmented IP Protocol).

But I need to point out something.
1. You need the port for RADIUS authentication.

For example:
aaa authentication port-access chap-radius
radius-server key 1234
radius-server host 192.168.1.100 key 1234
aaa port-access authenticator 12
aaa port-access authenticator 12 control authorized
aaa port-access authenticator active

This uses the default RADIUS port. If your RADIUS server uses another port, please change it.

Verify using the show radius command.
The default UDP port is 1813; this can be changed using:
radius-server host acct-port


2. For EAP RADIUS, what type of EAP protocol do you want to use? If it is EAP-MD5, it should be OK.

If you use EAP-PEAP, EAP-FAST or EAP-TTLS, you need the CA certificate (root certificate).

That is what I understand. I used to configure Wi-Fi with EAP-TTLS, EAP-FAST and EAP-PEAP; on the switch side, I tested chap-radius and eap-radius (MD5-Challenge).

Lei.Ma
Frequent Advisor

Re: Procurve Edge Configuration - 802.1X

Sorry, I checked your message again. It looks like there is some 802.1X authentication through-out issue.

What about your edge switch? On your core switch you set up the RADIUS authentication, but not on your edge switch, right?

In my experience, if I were you, I would set up the RADIUS authentication on the edge switch.

And do we have a similar command to Cisco's

ip radius source-interface Vlan2002 ?
Have a try.