HPE Community
Switches, Hubs, and Modems
1752291 Members
5094 Online
108786 Solutions
New Discussion юеВ

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

 
Rob Mengert
Occasional Advisor

тАО03-16-2009 12:25 PM

тАО03-16-2009 12:25 PM

Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

Supplicant - Microsoft XP SP3 built in supplicant

Authenticator - HP Procurve 2650 running H.10.74

Authentication Server - Cisco ACS 5.0 Appliance

Switch Configuration:
aaa authentication port-access eap-radius
radius-server timeout 15
radius-server host 10.60.20.33 key Sw1tch auth-port 1645 acct-port 1646
aaa port-access authenticator 2
aaa port-access authenticator active

I am able to successfully gain network access through a Cisco 3750 802.1x enabled switch. The ACS does not show any log entries for failed attempts when going through the HP switch.

Packet captures show that the HP switch is sending Radius access requests but the ACS is not responding. Can anyone confirm the configuration that I have provided for the switch? Both switch and ACS are configured to use EAP.
0 Kudos
19 REPLIES 19
Sietze Reitsma
Respected Contributor

тАО03-16-2009 11:15 PM

тАО03-16-2009 11:15 PM

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

I do not know ACS, but maybe you need to add the switch in the ACS.
0 Kudos
Pieter 't Hart
Honored Contributor

тАО03-17-2009 12:33 AM

тАО03-17-2009 12:33 AM

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

like Sietze points out you must add the switch as radius client to the acs.
also check if this acs is not listening on ports 1812/1813 instead of 1645/1646.

does the switch log reports anything?
0 Kudos
Rob Mengert
Occasional Advisor

тАО03-17-2009 04:44 AM

тАО03-17-2009 04:44 AM

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

The switch was configured as a Radius client within ACS with the proper Radius key.

The switch logs report the following

I 03/17/09 12:37:47 ports: port 2 is Blocked by AAA
I 03/17/09 12:38:54 ports: port 2 is now off-line
I 03/17/09 12:38:57 ports: port 2 is Blocked by AAA
0 Kudos
Pieter 't Hart
Honored Contributor

тАО03-17-2009 05:43 AM

тАО03-17-2009 05:43 AM

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

So on the switch you get the "Blocked" message, but no corresponding entry in the "failed" report on the ACS?

can you check if the command
"aaa port-access authenticator e < port-list > control auto"
is present in the switch config?

Where did you do the packet capture?
at the radius server port I assume?
0 Kudos
Rob Mengert
Occasional Advisor

тАО03-17-2009 07:42 AM

тАО03-17-2009 07:42 AM

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

Correct, the switch puts the port in a blocked state but the ACS doesn't log anything regarding the authentication attempt.

After entering "aaa port-access authenticator e < port-list > control auto" into the configuration, a show run only shows "aaa port-access authenticator e < port-list >". I'm guessing the "control auto" portion of that command is the default and hidden once entered.

I actually captured the data off of the switch. I setup up a mirror port to replicate traffic from the port where the host is attempting to authenticate and the sole uplink port on the switch to the rest of the network. The uplink port catches the conversation between the switch and the ACS.
0 Kudos
Pieter 't Hart
Honored Contributor

тАО03-17-2009 08:02 AM

тАО03-17-2009 08:02 AM

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

I assume you have verified you can "ping" the ACS from the switch, and from the ACS to the switch.

Please give more information about your network.
the adress of the radiusserver is known (10.60.20.33).
whats the adress of the switch?
is it in the same subnet?
What more devices are in this path from the switch to the ACS (maybe the 3750? maybe a router?).
Are there any access-lists active in the path to the ACS (and back)?

can you configure a monitor port on the destination switch with the port where the ACS is connected and capture data to see the sent requests arrive at the destination port?
0 Kudos
Rob Mengert
Occasional Advisor

тАО03-17-2009 09:42 AM

тАО03-17-2009 09:42 AM

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

The switch can ping the ACS. The test switch I am using to test 802.1x hangs off of a user access switch on our network (also an HP 2650). The user access switch connects to a Cisco 3750 core switch which is where the ACS is connected. The ACS is on a different VLAN so traffic will flow up to the Cisco 7200 series core router on our network.

I have successfully tested 802.1x through a Cisco switch on the same level as the HP test switch. Traffic would have traversed the same core devices. No ACLs are in place that would have blocked this traffic.

Getting a capture off of the switch where the ACS is connected would take a bit of time.
0 Kudos
Pieter 't Hart
Honored Contributor

тАО03-18-2009 01:22 AM

тАО03-18-2009 01:22 AM

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

In the ACS you can configure the radius-client as different radius-dialect's
"authenticate using ....."(radius-cisco-ios, radius-cisco-pix, radius-IETF etc.)
did you try with different settings?

the "show radius host " command,
displays some counters for requests/responses accept/reject, what's your output for :
- show authentication
- show radius authentication
- show radius host
0 Kudos
Rob Mengert
Occasional Advisor

тАО03-18-2009 11:05 AM

тАО03-18-2009 11:05 AM

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

I can change what identity store is used to authenticate the user(LDAP, AD, etc...) and I can change the EAP type embedded in the Radius conversation. The ACS supports EAP types EAP-MSCHAPv2, EAP-TLS, and EAP-MD5. I have tried several different permutations without success. I can use attributes passed in an Access Request to make a decision or pass attributes back to the client from the ACS. I'm not quite sure what you are referring to as far as Radius dialects are concerned.

Below is the output from the commands on the HP switch.

nycorp1acs-test# show authentication

Status and Counters - Authentication Information

Login Attempts : 3
Respect Privilege : Disabled

| Login Login Enable Enable
Access Task | Primary Secondary Primary Secondary
----------- + ---------- ---------- ---------- ----------
Console | Local None Local None
Telnet | Local None Local None
Port-Access | EapRadius None
Webui | Local None Local None
SSH | Local None Local None
Web-Auth | ChapRadius None
MAC-Auth | ChapRadius None


nycorp1acs-test# show radius authentication

Status and Counters - RADIUS Authentication Information

NAS Identifier : nycorp1acs-test
Invalid Server Addresses : 0

UDP
Server IP Addr Port Timeouts Requests Challenges Accepts Rejects
--------------- ----- ---------- ---------- ---------- ---------- ----------
10.60.20.33 1645 8 8 0 0 0


nycorp1acs-test# show radius host 10.60.20.33

Status and Counters - RADIUS Server Information


Server IP Addr : 10.60.20.33

Authentication UDP Port : 1645 Accounting UDP Port : 1646
Round Trip Time : 0 Round Trip Time : 0
Pending Requests : 0 Pending Requests : 0
Retransmissions : 8 Retransmissions : 0
Timeouts : 8 Timeouts : 0
Malformed Responses : 0 Malformed Responses : 0
Bad Authenticators : 0 Bad Authenticators : 0
Unknown Types : 0 Unknown Types : 0
Packets Dropped : 0 Packets Dropped : 0
Access Requests : 8 Accounting Requests : 0
Access Challenges : 0 Accounting Responses : 0
Access Accepts : 0
Access Rejects : 0
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.