Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

 
cenk sasmaztin
Honored Contributor

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

Can you check the MTU size on the ACS device's network interface?
cenk

cenk sasmaztin
Honored Contributor

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

Please tell me the result.
cenk

Rob Mengert
Occasional Advisor

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

The ACS is connected on a GigEthernet port, MTU is 1500 bytes. That shouldn't make a difference.

cenk sasmaztin
Honored Contributor

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

OK, please test for me:

Return the HP switch to image H_10_50 and retest with the same config.
cenk

cenk sasmaztin
Honored Contributor

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0


The 5400 switch's 13_10 software resolved this problem:

RADIUS (0000001164): The switch drops RADIUS messages with EAP-packets larger than 1496 bytes

Maybe it is the same problem in 10_74.

Please return to 10_50 and test the same config.
cenk
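
The release note quoted above is about the size of the EAP packet carried inside RADIUS, so it helps to see how an authenticator actually packs an EAP fragment into an Access-Request and how big the resulting datagram is. The following is an added example (not code from this thread, from HP or from Cisco) that encodes an EAP packet into RADIUS EAP-Message attributes with a valid Message-Authenticator, following RFC 2865 and RFC 3579, and compares the datagram against a link MTU. The shared secret, user name, EAP identifier and TLS bytes are constructed for the demo; the 1496-byte threshold is the figure quoted from the release note.

```python
"""
Added example (not code from the original thread or from HP/Cisco): encode an
EAP packet into a RADIUS Access-Request the way an 802.1X authenticator does,
so you can see how large the datagram gets for a big EAP fragment (a PEAP/TLS
server certificate chain, for example) and whether it exceeds a link MTU.
Framing follows RFC 2865 (RADIUS) and RFC 3579 (EAP-Message and
Message-Authenticator). The shared secret, user name and TLS bytes are
constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

RADIUS_HDR_LEN = 20            # Code(1) Identifier(1) Length(2) Authenticator(16)
IP_UDP_OVERHEAD = 20 + 8       # IPv4 header without options + UDP header
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_CHUNK = 253                # attribute length is one byte: 255 minus the 2-byte header
# Threshold quoted in the thread from the HP 5400 release note (EAP packets > 1496 bytes dropped).
EAP_DROP_THRESHOLD = 1496


def eap_packet(code: int, ident: int, etype: int, payload: bytes) -> bytes:
    """EAP header (RFC 3748): Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBH", code, ident, 5 + len(payload)) + bytes([etype]) + payload


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    if len(value) > EAP_CHUNK:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def eap_message_attrs(eap_pkt: bytes) -> bytes:
    """Split an EAP packet across consecutive EAP-Message attributes (RFC 3579 3.1)."""
    return b"".join(attr(ATTR_EAP_MESSAGE, eap_pkt[i:i + EAP_CHUNK])
                    for i in range(0, len(eap_pkt), EAP_CHUNK))


def build_access_request(secret: bytes, ident: int, user_name: bytes, eap_pkt: bytes,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Code 1 Access-Request carrying User-Name, EAP-Message(s) and a Message-Authenticator,
    which is HMAC-MD5 over the whole packet with the attribute value zeroed (RFC 3579 3.2)."""
    ra = request_authenticator if request_authenticator is not None else os.urandom(16)
    body = attr(ATTR_USER_NAME, user_name) + eap_message_attrs(eap_pkt)
    body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))      # placeholder, filled in below
    pkt = struct.pack("!BBH", 1, ident, RADIUS_HDR_LEN + len(body)) + ra + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                                   # placeholder is the last 16 bytes


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Check the Length field and the trailing Message-Authenticator of a packet built above."""
    if len(pkt) < RADIUS_HDR_LEN + 18 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    if pkt[-18] != ATTR_MESSAGE_AUTHENTICATOR or pkt[-17] != 18:
        return False
    expected = hmac.new(secret, pkt[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[-16:])


def datagram_size(radius_pkt: bytes) -> int:
    """Bytes on the wire for an unfragmented IPv4/UDP datagram carrying this packet."""
    return IP_UDP_OVERHEAD + len(radius_pkt)


def exceeds_mtu(radius_pkt: bytes, mtu: int = 1500) -> bool:
    return datagram_size(radius_pkt) > mtu


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for tls_len in (1000, 1400, 1480):
        # PEAP (type 25) request: one flags byte followed by a constructed TLS fragment
        eap = eap_packet(1, 7, 25, b"\x00" + bytes(tls_len))
        req = build_access_request(secret, 7, b"example-user", eap)
        print(f"TLS fragment {tls_len:4d} B -> EAP {len(eap)} B, RADIUS {len(req)} B, "
              f"datagram {datagram_size(req)} B, > MTU 1500: {exceeds_mtu(req)}, "
              f"EAP > {EAP_DROP_THRESHOLD}: {len(eap) > EAP_DROP_THRESHOLD}")
```

Running it shows that a TLS fragment of about 1480 bytes already pushes the Access-Request past 1500 bytes once the EAP-Message and Message-Authenticator overhead is added, so the datagram is IP-fragmented on a 1500-byte link. Note that the interface MTU only changes where IP fragmentation happens; the size of the EAP packet itself is set by the EAP method's fragment size on the server, which is the quantity the release note refers to.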

cenk sasmaztin
Honored Contributor

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

Or you can change the MTU size on the Cisco device, for example to 1400 bytes, and retest with 10_74.
cenk

Rob Mengert
Occasional Advisor

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

I loaded h.10.50, still seeing the same behavior.

nycorp1acs-test# show ver
Image stamp: /sw/code/build/fish(mkfs)
Oct 9 2007 15:00:51
H.10.50
359
Boot Image: Primary

Rob Mengert
Occasional Advisor

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

I was finally able to get a network capture from in front of the ACS and verified traffic from the switch is getting there without a problem. I also got a capture of a successful authentication attempt through a Cisco switch and saw differences in the authentication sequences.

Through the Cisco switch:
switch -> host: EAP Request Identity
host -> switch: EAP Response Identity
switch -> host: EAP Request, MD5-Challenge
host -> switch: EAP Legacy Nak (Response only)
switch -> host: EAP Request, PEAP
host -> switch: EAP Response, PEAP

Next the host opens an encrypted connection to the switch.

Through HP switch:
switch -> host: EAP Request Identity
host -> switch: EAP Response Identity
host -> switch: EAPOL Start
host -> switch: EAPOL Start
switch -> host: EAP Request Identity
host -> switch: EAP Response Identity

At this point the switch shuts the interface down and the client assumes that the network connection is faulty and assigns itself a non-routable APIPA address.
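
The two sequences above differ in whether the authenticator ever follows the supplicant's Response/Identity with an EAP method request. As an added example that is not part of the original post, the following decodes EAPOL and EAP headers from frame bytes, prints each frame in the same "switch -> host: ..." style, and classifies an exchange as progressing to a method or as stalling in Identity/EAPOL-Start loops. The two exchanges are constructed to match the reported sequences; the identity string, challenge bytes and EAP identifiers are made up and are not the real capture.

```python
"""
Added example, not code from the original thread: decode the EAPOL/EAP frames
of a wired 802.1X exchange and classify whether the authenticator ever moved
from Request/Identity to an EAP method. The two exchanges are constructed to
match the sequences Rob reported (Cisco vs HP switch); the bytes, identity
string and challenge values are made up for the demo, not the real capture.
"""
import struct

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 3: "Legacy Nak", 4: "MD5-Challenge", 25: "PEAP"}


def eap(code, ident, etype=None, data=b""):
    """EAP packet (RFC 3748): Code, Identifier, Length, then Type and Type-Data if any."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol(ptype, body=b"", version=1):
    """EAPOL header (IEEE 802.1X): Version, Packet Type, Body Length."""
    return struct.pack("!BBH", version, ptype, len(body)) + body


def parse(frame):
    """Decode one EAPOL frame, validating both length fields; EAP fields are added when present."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    _, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body length exceeds frame")
    out = {"eapol_type": ptype}
    if ptype != EAPOL_EAP_PACKET:
        return out
    if len(body) < 4:
        raise ValueError("short EAP header")
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if elen < 4 or elen > length:
        raise ValueError("bad EAP length")
    out.update(code=code, id=ident)
    if code in (EAP_REQUEST, EAP_RESPONSE) and elen >= 5:
        out["type"] = body[4]
        out["data"] = body[5:elen]
    return out


def describe(direction, frame):
    """One line per frame in the style of the capture summaries in the post."""
    p = parse(frame)
    if p["eapol_type"] == EAPOL_START:
        return f"{direction}: EAPOL Start"
    if p["eapol_type"] == EAPOL_LOGOFF:
        return f"{direction}: EAPOL Logoff"
    label = "EAP " + EAP_CODE.get(p.get("code"), "code %s" % p.get("code"))
    if "type" in p:
        label += ", " + EAP_TYPE.get(p["type"], "type %d" % p["type"])
    return f"{direction}: {label}"


def diagnose(exchange):
    """Did the authenticator follow the supplicant's Response/Identity with a method
    request, or did the supplicant end up restarting with EAPOL-Start instead?"""
    got_identity_response, restarts, method = False, 0, None
    for _, frame in exchange:
        p = parse(frame)
        if p["eapol_type"] == EAPOL_START:
            if got_identity_response:
                restarts += 1
            continue
        if p.get("code") == EAP_RESPONSE and p.get("type") == 1:
            got_identity_response = True
        elif got_identity_response and p.get("code") == EAP_REQUEST and p.get("type") not in (None, 1):
            method = p["type"]        # last method the authenticator offered (after any Nak)
    if method is not None:
        return "ok: method negotiated (%s)" % EAP_TYPE.get(method, method)
    if not got_identity_response:
        return "stalled: no EAP Response/Identity from supplicant"
    return ("stalled: %d EAPOL-Start restart(s) after Response/Identity, "
            "no EAP method request from authenticator" % restarts)


IDENTITY = b"example-user"   # constructed identity, not from the capture

CISCO = [  # constructed to match the sequence reported through the Cisco switch
    ("switch -> host", eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, 1))),
    ("host -> switch", eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 1, 1, IDENTITY))),
    ("switch -> host", eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 2, 4, b"\x10" + bytes(16)))),
    ("host -> switch", eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 2, 3, bytes([25])))),  # Nak: want PEAP
    ("switch -> host", eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 3, 25, b"\x20"))),      # PEAP start flag
    ("host -> switch", eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 3, 25, b"\x00"))),
]

HP = [  # constructed to match the sequence reported through the HP switch
    ("switch -> host", eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, 1))),
    ("host -> switch", eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 1, 1, IDENTITY))),
    ("host -> switch", eapol(EAPOL_START)),
    ("host -> switch", eapol(EAPOL_START)),
    ("switch -> host", eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 2, 1))),
    ("host -> switch", eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 2, 1, IDENTITY))),
]

if __name__ == "__main__":
    for name, exchange in (("Cisco", CISCO), ("HP", HP)):
        print(f"Through {name} switch:")
        for step in exchange:
            print("  " + describe(*step))
        print("  =>", diagnose(exchange))
```

The diagnosis is deliberately from the supplicant's side of the wire: a repeated EAPOL-Start after a Response/Identity means the host gave up waiting for the authenticator, which is consistent with the switch never receiving (or never forwarding) the method request from the RADIUS server, whatever the cause on the server side turns out to be.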
Pieter 't Hart
Honored Contributor

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

>>>
I'm not quite sure what you are referring to as far as Radius dialects are concerned.
<<<

Rob, I attached a screenshot of the setting I mean.

network-config -> Network Device Groups -> -> AAA Clients -> -> "authenticate using..."

Rob Mengert
Occasional Advisor

Re: Wired 802.1x Authentication through HP Procurve 2650 to Cisco ACS 5.0

This issue actually turned out to be a bug on the ACS. For those of you who have a CCO account:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy17858