
Re: web auth and 802.1x on same port?

 
cinscsu
Occasional Advisor

web auth and 802.1x on same port?

Can you have web-auth and 802.1x enabled on the same port? I have configured a port for both web-based and authenticator, but it seems to prefer web-based even if the client has a supplicant. I thought the behavior was to use web-based only if the client did not have a supplicant?
9 REPLIES
Mohieddin Kharnoub
Honored Contributor

Re: web auth and 802.1x on same port?

Hi

The switch can be configured to accept concurrent authentication methods 802.1x and (WEB or MAC), however this should be implemented in the correct way.

On page 13-12 and 13-13 for concurrent authentication methods:

http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-13-8021X.pdf

Attach your configuration here so we can check it.

Good Luck !!!


Science for Everyone
Matt Hobbs
Honored Contributor

Re: web auth and 802.1x on same port?

Which switch are you talking about? Depending on the platform there is different behaviour with the concurrent authentication methods.
cinscsu
Occasional Advisor

Re: web auth and 802.1x on same port?

I'm using the 5308 at the moment. Will test the 5400 next. I'll read through the concurrent config in the docs again.
Matt Hobbs
Honored Contributor

Re: web auth and 802.1x on same port?

The 5400 will give you OR type of behaviour, either 802.1x OR web-auth will be fine. Whereas the 5300 (I'd need to check) I have a feeling may be AND behaviour.
cinscsu
Occasional Advisor

Re: web auth and 802.1x on same port?

That's strange. I wonder under what circumstances the AND scenario would be useful? The behavior I'm seeing is that regardless of whether the client has a supplicant, the webauth always takes precedence. I didn't see much more about concurrent setup in the 5300 docs, other than it's possible. Y'all know if there is some way to set a precedence within the switch's configuration?
Jeff Carrell
Honored Contributor

Re: web auth and 802.1x on same port?

basically, even though you can config 802.1x & mac-auth concurrently, at this time, mac-auth will take precedence no matter what...this is stated in the docs as such...

however, on a 3500 with 12.57 and 13.09 code, i have had 802.1x and web-auth working ok with each other...although you do get the 192.168.x.x ip addr on the client even though the client may be using its supplicant for 802.1x auth, it does seem to work ok...

i can only hope that someday the code will support a choice of precedence...current operation is not as "useful" as it should be...

my experiences...

cheers...jeff
cinscsu
Occasional Advisor

Re: web auth and 802.1x on same port?

Yeah, this morning I was watching my freeradius log, and it looks like the supplicant authenticated successfully (using Windows' built-in peap/mschapv2), but I still have a 192.x.x.x address issued by the switch for webauth, and am still redirected to the webauth login page. "show port-access authenticator" shows that the port is open. Couldn't find in the docs where it said mac- or web-based takes precedence over 802.1x. Did find where it mentions order of precedence for port access management (highest to lowest) is mac lockout, then mac lockdown/port security, then 802.1x or web/mac auth. When you say the 802.1x + webauth is working...are you able to access network resources after a successful 802.1x auth, or are you redirected to the web login as I am?
Jeff Carrell
Honored Contributor

Re: web auth and 802.1x on same port?

it's been awhile since i played with 802.1x and web-auth...

however, here's what's in the 3500-5400 ASG manual:

Port-Based 802.1X can operate concurrently with Web-Authentication or
MAC-Authentication on the same port. However, this is not a commonly used
application and is not generally recommended.

Applying Web Authentication or MAC Authentication Concurrently
with Port-Based 802.1X Authentication: While 802.1X port-based access
control can operate concurrently with Web Authentication or MAC Authentication,
port-based access control is subordinate to Web-Auth and MAC-Auth
operation. If 802.1X operates in port-based mode and MAC or Web authentication
is enabled on the same port, any 802.1X authentication has no effect on
the ability of a client to access the controlled port. That is, the client's access
will be denied until the client authenticates through Web-Auth or MAC-Auth
on the port. Note also that a client authenticating with port-based 802.1X does
not open the port in the same way that it would if Web-Auth or MAC-Auth were
not enabled. That is, any non-authenticating client attempting to access the
port after another client authenticates with port-based 802.1X would still have
to authenticate through Web-Auth or MAC-Auth.

----------------------------
so altho you can do it, it doesn't really work, and they tell you not to do it...

not the best answer, but that's the way it is...

so, i don't mix the 802.1x auth type on ports anymore...

cheers...jeff
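
Added example, not part of the thread or of the vendor manual: a small audit that reads a saved switch configuration and lists ports where the 802.1X authenticator is enabled together with web-based or MAC-based authentication, the combination the manual excerpt above says leaves the 802.1X result subordinate. The sample configuration is constructed, the function names are hypothetical, and the parser assumes ProCurve-style `aaa port-access <method> <port-list>` lines with ranges inside a single module.

```python
import re
from collections import defaultdict

# Constructed sample of a ProCurve-style running-config (not from the thread).
SAMPLE_CONFIG = """\
aaa authentication port-access eap-radius
aaa port-access authenticator A1-A4,B2
aaa port-access authenticator active
aaa port-access web-based dhcp-addr 192.168.0.0 255.255.255.0
aaa port-access web-based A3-A6
aaa port-access web-based A3 client-limit 4
aaa port-access mac-based B2
"""

LINE_RE = re.compile(r"^aaa port-access (authenticator|web-based|mac-based) (\S+)")
PORT_RE = re.compile(r"^([A-Za-z]*)(\d+)$")

def expand_ports(port_list):
    """Expand 'A1-A4,B2' into ['A1', 'A2', 'A3', 'A4', 'B2'] (same-module ranges only)."""
    ports = []
    for item in port_list.split(","):
        start, _, end = item.partition("-")
        m1, m2 = PORT_RE.match(start), PORT_RE.match(end or start)
        if not m1 or not m2 or m1.group(1) != m2.group(1):
            raise ValueError(f"unsupported port spec: {item!r}")
        prefix = m1.group(1)
        ports += [f"{prefix}{n}" for n in range(int(m1.group(2)), int(m2.group(2)) + 1)]
    return ports

def audit(config_text):
    """Return {port: sorted methods} for ports mixing 802.1X with web/MAC auth."""
    methods = defaultdict(set)
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ports = expand_ports(m.group(2))
        except ValueError:
            continue  # global options such as 'active' or 'dhcp-addr', not a port list
        for port in ports:
            methods[port].add(m.group(1))
    return {p: sorted(ms) for p, ms in sorted(methods.items())
            if "authenticator" in ms and ms & {"web-based", "mac-based"}}

if __name__ == "__main__":
    for port, ms in audit(SAMPLE_CONFIG).items():
        print(f"{port}: {', '.join(ms)} -> 802.1X is subordinate on this port")
```
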
cinscsu
Occasional Advisor

Re: web auth and 802.1x on same port?

Yep, that's about what I've experienced. I had not looked at the docs for the 5400-series yet, as I was still playing with the 5300. Looks like the 5400 docs more clearly define the conditions. At least now I know what can/can't be done and can design accordingly. Thanks again for all the input :)