10-05-2009 11:05 PM
(Vendor) MAC Address Check before 802.1x Authentication
Is it possible to configure a list of MAC addresses (or even a regular expression for a whole vendor) for authentication on a port which also has RADIUS authentication?
So if the MAC address auth passes, it doesn't try the RADIUS authentication?
Problem is: I have IP phones and printers as well as many clients in one location. What I don't want to do is find out on which port every single IP phone or printer is located and disable the RADIUS authentication on these ports.
What would be the best solution (if possible):
The switches have a list of the allowed MAC addresses (or the regular expression), and if a client connects with that MAC address it automatically gets VLAN 1; if not, it tries to authenticate and then gets access or not.
Backend RADIUS server is IAS from MS. Is there a possible solution to be found for this problem?
Greets
Stephan
10-07-2009 12:13 AM
Re: (Vendor) MAC Address Check before 802.1x Authentication
Syntax: aaa port-access mac-based [e] <port-list> [addr-limit <1-32>]
Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1)
Note: On switches where MAC Auth and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods.
So some switches can use mixed MAC Auth and 802.1x!
Look for the access and security guide for the model you use.
10-07-2009 03:49 AM
Re: (Vendor) MAC Address Check before 802.1x Authentication
But can you tell me what is best practice? Separating voice and data is best practice AFAIK.
But I also can configure username/password on the telephones, so I could achieve the authentication part with IAS (and also the VLAN assignment).
In the end I want 3 VLANs: 1 for the employees, 1 for the IP phones, 1 for the guests (if this is best practice ;) ).
Problem at the moment is I'm working with unauth-vid so that unauthorized IP phones will end up in my guest VLAN.
10-19-2009 05:32 AM
Re: (Vendor) MAC Address Check before 802.1x Authentication
Problem is: although it can authenticate against the IAS, it gets no IP or the incorrect VLAN (unauth-vid).
config:
Running configuration:
; J4900A Configuration Editor; Created on release #H.10.74
hostname "HUB-35"
snmp-server contact "gas"
time timezone 120
interface 4
no lacp
exit
interface 5
no lacp
exit
ip default-gateway 172.20.20.101
sntp server 172.20.20.1
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-26
ip address 172.20.20.127 255.255.252.0
exit
vlan 99
name "unauth"
no ip address
tagged 1
exit
gvrp
aaa authentication port-access eap-radius authorized
radius-server key goh2hu9nowgfjiop$
radius-server host 172.20.20.1
aaa port-access authenticator 4
aaa port-access authenticator 4 unauth-vid 99
aaa port-access authenticator active
aaa port-access mac-based 4
spanning-tree
password manager
IAS Config:
3 RAS policies (in this order):
LAN Auth (against AD with domain computer/user)
Wired MD5 Auth (against AD with mac address)
WLAN Auth (against AD with domain computer/user)
So I thought when I attach an IP phone it goes:
Rule 1 denied
Rule 2 allowed -> default_vlan
I also can see in the event log that the IP phone is authorized.
But when I look at the VLAN it is either
Port mode unknown vlan status
4 WEBMAC Learn Down
or it's in my unauth-vid and can only connect to the internet ;)
Why is the status down when it is authorized?
Greets
Stephan
10-26-2009 01:41 AM
Re: (Vendor) MAC Address Check before 802.1x Authentication
The policies must not "overlap".
E.g. policy-1 is for PAP and CHAP and policy-2 is for EAP.
The policy matching the request characteristics is applied, not all policies until "authorized".
So when rejected, no other policy is tried.
In the eventlog does it really say "authenticated" (username matches password) or "authorized" (access allowed)?
Pieter
10-26-2009 01:58 AM
Re: (Vendor) MAC Address Check before 802.1x Authentication
When one policy doesn't match, the port is closed? But that's a big problem when it comes to different clients.
A notebook authenticates itself with the domain user.
An IP phone authenticates with its MAC address.
I can't generate a MAC user for every notebook.
Policy 1 is PEAP
Policy 2 is CHAP
So I thought when PEAP is rejected it tries CHAP. But it seems that it doesn't work that way.
I will have to work with certificates for the IP phones. But I have no experience with this here.
In the event log it says:
Benutzer "
Which means that network access is allowed. Policy 1 isn't used because the IP phone doesn't deliver a username/password.
Greets
Stephan
10-26-2009 03:00 AM
Re: (Vendor) MAC Address Check before 802.1x Authentication
Policy 1 is PEAP
Policy 2 is CHAP
So I thought when PEAP is rejected it tries CHAP. But it seems that it doesn't work that way.
<<<
If you enable PEAP and disable CHAP in policy-1, and disable PEAP and enable CHAP in policy-2, then it works as you want, but not in the way you describe it.
CHAP is not rejected in policy-1, but the request doesn't match the policy characteristics; so the policy is not applied and the next policy is checked for a match (of characteristics, not authentication/authorization).
If policy-2 does apply, then the authentication/authorization is verified and access is granted or denied.
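The matching rule Pieter describes in his two replies (the first policy whose conditions match the request is applied, a rejection there ends evaluation, so the PEAP and CHAP policies must not overlap), as an added model that is not code from the thread or from IAS; the policy names follow the thread, while the accounts, MAC and passwords are constructed:

```python
# Added example, not code from the thread or from IAS: a model of how
# IAS/NPS remote access policies are evaluated. The first policy whose
# conditions match the request is applied; if it then rejects the
# credentials, no later policy is consulted. Accounts, MAC and passwords
# below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    secret: str        # password, or the MAC string for MAC authentication
    auth_type: str     # "PEAP", "CHAP" or "PAP", as carried in the request


@dataclass
class Policy:
    name: str
    auth_types: frozenset   # condition: authentication types the policy covers
    accounts: dict          # user -> expected secret (stands in for AD)

    def matches(self, req):
        """Condition check only; credentials are not verified here."""
        return req.auth_type in self.auth_types

    def authenticate(self, req):
        return self.accounts.get(req.user) == req.secret


def evaluate(policies, req):
    """Return (policy name, decision). The first matching policy decides."""
    for pol in policies:
        if pol.matches(req):
            return pol.name, "Accept" if pol.authenticate(req) else "Reject"
    return None, "Reject"   # no policy matched: access is denied


USERS = {"stephan": "notebook-pw"}           # domain user account (PEAP)
PHONES = {"001122334455": "001122334455"}    # MAC-named account (CHAP)
# Overlapping order as in the thread: policy 1 covers PEAP and CHAP, so the
# phone's CHAP request matches it, fails there, and never reaches policy 2.
OVERLAPPING = [Policy("LAN Auth", frozenset({"PEAP", "CHAP"}), USERS),
               Policy("Wired MD5 Auth", frozenset({"CHAP"}), PHONES)]
# Pieter's layout: policy 1 PEAP only, policy 2 CHAP only.
SEPARATED = [Policy("LAN Auth", frozenset({"PEAP"}), USERS),
             Policy("Wired MD5 Auth", frozenset({"CHAP"}), PHONES)]

PHONE = Request("001122334455", "001122334455", "CHAP")
NOTEBOOK = Request("stephan", "notebook-pw", "PEAP")
```

Run `evaluate(OVERLAPPING, PHONE)` and `evaluate(SEPARATED, PHONE)` to see the phone rejected by "LAN Auth" in the first layout and accepted by "Wired MD5 Auth" in the second.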