Switches, Hubs, and Modems
Securing access using 802.1x

SOLVED
Tony Barrett_2
Frequent Advisor

I am looking to secure access to one of our networks using 802.1x port authentication. The network is Windows 2003 Active Directory, and I'm using the MS IAS RADIUS server.

The switches in question are ProCurve 2626, 2650 and 5300 series.

I've read as much documentation as I can find, but the HP manuals don't seem to really cover port based authentication to RADIUS/AD.

All switches use the DEFAULT_VLAN, and I'm not (initially) looking to put clients into VLANs in the IAS access policy.

The test I'm trying at the moment involves one Win2k host with the MS 802.1x client. It is connected to Port 5 on a 2626 switch. The switch is now configured (as best as I can tell) to request 802.1x authentication from the IAS server, which is accessible to the switch (over IP) and is plugged into port 7.

The AAA/RADIUS config entered into the switch is:

aaa authentication num-attempts 5
aaa authentication port-access eap-radius
radius-server dead-time 5
radius-server host key
aaa port-access authenticator active
aaa port-access supplicant 5

I want the clients (2k/XP) to authenticate using PEAP and certificates from our local CA.

When the Win2k client is switched on, it connects fine to the network. When I check the status on the switch, I see nothing that would indicate 802.1x authentication has been used against the IAS server.

'show port-acc auth' displays nothing
'show port-acc supplicant' says that port 5 is authenticated, but the IAS server is showing no connection from the switch (it's configured to log all activity).
'sh auth' shows that the primary login type for port-access *is* EapRadius
'sh vlan 1' says the port Mode is 'untagged' and 'up', but does not show it has been authenticated using 802.1x

The switch log shows nothing for port 5 other than 'offline' then 'online'. I've also tried turning off LACP on port 5, but no change.

I'm missing something here, but I can't see what!

Matt Hobbs
Honored Contributor
Solution

Re: Securing access using 802.1x

Hi Tony,

I think you need to have your port 5 as an authenticator and not a supplicant:

aaa port-access authenticator 5

Supplicant is used to authenticate switch-to-switch 802.1x connections.

Everything else looks about right.

I found this document handy for configuring the 2003 side of 802.1x in the past:

http://www.foundrynet.com/solutions/appNotes/PDFs/8021xAuthenticationWithActiveDirectory.pdf
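As an added illustration of the point above (this is not code from the thread or from HP), here is a small Python audit that parses a ProCurve-style configuration, flags access ports left in the supplicant role instead of the authenticator role, and checks the global prerequisites the original config shows. The sample config is constructed; the RADIUS address and key are placeholders.

```python
import re

# Constructed sample modelled on the thread's config; the RADIUS address and
# key are placeholders, not values from the page.
SAMPLE_CONFIG = """
aaa authentication port-access eap-radius
radius-server host 192.0.2.10 key PLACEHOLDER_SECRET
aaa port-access authenticator active
aaa port-access supplicant 5
"""

def expand_ports(spec):
    """Expand a ProCurve port list such as '1,3-5' into ['1', '3', '4', '5']."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and hi.isdigit():
            ports.extend(str(n) for n in range(int(lo), int(hi) + 1))
        else:
            ports.append(part)  # single port, or a lettered slot such as A1
    return ports

def parse_port_access(config):
    """Collect the 802.1X-relevant statements from a running-config text."""
    f = {"eap_radius": False, "radius_hosts": [], "active": False,
         "authenticator": [], "supplicant": []}
    for line in (l.strip() for l in config.splitlines()):
        if line == "aaa authentication port-access eap-radius":
            f["eap_radius"] = True
        elif m := re.match(r"radius-server host (\S+)", line):
            f["radius_hosts"].append(m.group(1))
        elif line == "aaa port-access authenticator active":
            f["active"] = True
        elif m := re.match(r"aaa port-access (authenticator|supplicant) ([\w,-]+)$", line):
            f[m.group(1)] += expand_ports(m.group(2))
    return f

def audit(config, access_ports):
    """Return findings: global prerequisites first, then per-port role mistakes."""
    f = parse_port_access(config)
    findings = []
    if not f["eap_radius"]:
        findings.append("port-access login method is not eap-radius")
    if not f["radius_hosts"]:
        findings.append("no radius-server host configured")
    if not f["active"]:
        findings.append("authenticator is not activated globally")
    for p in access_ports:
        if p in f["supplicant"] and p not in f["authenticator"]:
            findings.append(f"port {p}: supplicant role (switch-to-switch), hosts are never challenged")
        elif p not in f["authenticator"]:
            findings.append(f"port {p}: no authenticator role, 802.1X is not enforced")
    return findings
```

Running `audit(SAMPLE_CONFIG, ["5"])` reports only the supplicant-role mistake; once the line is changed to `aaa port-access authenticator 5` the audit returns no findings.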
Tony Barrett_2
Frequent Advisor

Re: Securing access using 802.1x

Thanks Matt. I've changed the setting, and can now see the requests hitting the RADIUS server from the switch. I should be able to troubleshoot the connectivity from here.

I've set up an entire wireless network using 802.1x/EAP/RADIUS, but I guess I just misread the HP command line help on the subject.
Sergej Gurenko
Trusted Contributor

Re: Securing access using 802.1x

Use Windows 2003 Event Viewer for IAS messages. They are very informative. If you did not see any, that means that RRAS is locking IAS ports. Uninstall RRAS and try one more time.

You can use the additional utility "iasparse" to monitor logs in real time from the CLI.
Gary Yates
New Member

Re: Securing access using 802.1x

When debugging a similar configuration with IAS, I found the following tool very useful when looking at IAS logs.

http://www.deepsoftware.com/iasviewer/