03-16-2009 12:25 PM
Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0
Authenticator - HP Procurve 2650 running H.10.74
Authentication Server - Cisco ACS 5.0 Appliance
Switch Configuration:
aaa authentication port-access eap-radius
radius-server timeout 15
radius-server host 10.60.20.33 key Sw1tch auth-port 1645 acct-port 1646
aaa port-access authenticator 2
aaa port-access authenticator active
I am able to successfully gain network access through a Cisco 3750 802.1x enabled switch. The ACS does not show any log entries for failed attempts when going through the HP switch.
Packet captures show that the HP switch is sending RADIUS access requests but the ACS is not responding. Can anyone confirm the configuration that I have provided for the switch? Both switch and ACS are configured to use EAP.
03-16-2009 11:15 PM
Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0
03-17-2009 12:33 AM
Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0
Also check if this ACS is not listening on ports 1812/1813 instead of 1645/1646.
Does the switch log report anything?
03-17-2009 04:44 AM
Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0
The switch logs report the following:
I 03/17/09 12:37:47 ports: port 2 is Blocked by AAA
I 03/17/09 12:38:54 ports: port 2 is now off-line
I 03/17/09 12:38:57 ports: port 2 is Blocked by AAA
03-17-2009 05:43 AM
Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0
Can you check if the command
"aaa port-access authenticator e < port-list > control auto"
is present in the switch config?
Where did you do the packet capture?
At the RADIUS server port, I assume?
03-17-2009 07:42 AM
Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0
After entering "aaa port-access authenticator e < port-list > control auto" into the configuration, a show run only shows "aaa port-access authenticator e < port-list >". I'm guessing the "control auto" portion of that command is the default and hidden once entered.
I actually captured the data off of the switch. I set up a mirror port to replicate traffic from the port where the host is attempting to authenticate and the sole uplink port on the switch to the rest of the network. The uplink port catches the conversation between the switch and the ACS.
03-17-2009 08:02 AM
Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0
Please give more information about your network.
The address of the RADIUS server is known (10.60.20.33).
What's the address of the switch?
Is it in the same subnet?
What other devices are in the path from the switch to the ACS (maybe the 3750? maybe a router?)?
Are there any access lists active in the path to the ACS (and back)?
Can you configure a monitor port on the destination switch with the port where the ACS is connected and capture data to see whether the sent requests arrive at the destination port?
03-17-2009 09:42 AM
Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0
I have successfully tested 802.1x through a Cisco switch on the same level as the HP test switch. Traffic would have traversed the same core devices. No ACLs are in place that would have blocked this traffic.
Getting a capture off of the switch where the ACS is connected would take a bit of time.
03-18-2009 01:22 AM
Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0
"authenticate using ....."(radius-cisco-ios, radius-cisco-pix, radius-IETF etc.)
Did you try with different settings?
The "show radius host
displays some counters for requests/responses accept/reject. What's your output for:
- show authentication
- show radius authentication
- show radius host
03-18-2009 11:05 AM
Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0
Below is the output from the commands on the HP switch.
nycorp1acs-test# show authentication
Status and Counters - Authentication Information
Login Attempts : 3
Respect Privilege : Disabled
            | Login      Login      Enable     Enable
Access Task | Primary    Secondary  Primary    Secondary
----------- + ---------- ---------- ---------- ----------
Console     | Local      None       Local      None
Telnet      | Local      None       Local      None
Port-Access | EapRadius  None
Webui       | Local      None       Local      None
SSH         | Local      None       Local      None
Web-Auth    | ChapRadius None
MAC-Auth    | ChapRadius None

nycorp1acs-test# show radius authentication
Status and Counters - RADIUS Authentication Information
NAS Identifier : nycorp1acs-test
Invalid Server Addresses : 0
                UDP
Server IP Addr  Port  Timeouts   Requests   Challenges Accepts    Rejects
--------------- ----- ---------- ---------- ---------- ---------- ----------
10.60.20.33     1645  8          8          0          0          0

nycorp1acs-test# show radius host 10.60.20.33
Status and Counters - RADIUS Server Information
Server IP Addr : 10.60.20.33
Authentication UDP Port : 1645    Accounting UDP Port  : 1646
Round Trip Time         : 0       Round Trip Time      : 0
Pending Requests        : 0       Pending Requests     : 0
Retransmissions         : 8       Retransmissions      : 0
Timeouts                : 8       Timeouts             : 0
Malformed Responses     : 0       Malformed Responses  : 0
Bad Authenticators      : 0       Bad Authenticators   : 0
Unknown Types           : 0       Unknown Types        : 0
Packets Dropped         : 0       Packets Dropped      : 0
Access Requests         : 8       Accounting Requests  : 0
Access Challenges       : 0       Accounting Responses : 0
Access Accepts          : 0
Access Rejects          : 0
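
The counters above (8 Access-Requests, 8 timeouts, no Bad Authenticators) are what a switch records whenever the server discards its requests without replying. As an added example that is not part of the thread: RFC 3579 requires a RADIUS server to silently drop an EAP Access-Request whose Message-Authenticator does not verify under the shared secret, and this Python code reproduces that check. The user name, NAS address and mismatched server secret are constructed, and the thread does not establish that a secret mismatch was the cause here.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, user: bytes, nas_ip: bytes, ident: int = 1) -> bytes:
    """Access-Request carrying an EAP-Response/Identity, as an authenticator sends it."""
    eap = struct.pack("!BBHB", 2, ident, 5 + len(user), 1) + user  # Code=2, Type=1
    body = attr(USER_NAME, user) + attr(NAS_IP_ADDRESS, nas_ip) + attr(EAP_MESSAGE, eap)
    blank = attr(MESSAGE_AUTHENTICATOR, bytes(16))  # value zeroed while hashing
    header = struct.pack("!BBH", 1, ident, 20 + len(body) + len(blank)) + os.urandom(16)
    mac = hmac.new(secret, header + body + blank, hashlib.md5).digest()
    return header + body + attr(MESSAGE_AUTHENTICATOR, mac)


def server_accepts(packet: bytes, secret: bytes) -> bool:
    """Server-side check; False means the request is dropped without any reply."""
    pos = 20  # attributes start after Code, Identifier, Length, Authenticator
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += attr_len
    return False  # EAP request without Message-Authenticator


def demo() -> dict:
    nas_ip = bytes([192, 0, 2, 10])  # constructed NAS address (documentation range)
    request = build_access_request(b"Sw1tch", b"testuser", nas_ip)  # key from the posted config
    return {
        "matching secret": server_accepts(request, b"Sw1tch"),
        "mismatched secret": server_accepts(request, b"sw1tch"),  # constructed typo
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'processed' if ok else 'silently discarded, switch counts a timeout'}")
```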