
windows 2008 R2 NAP with IEEE802.1X and port ACL

shaji_pk
Occasional Contributor

windows 2008 R2 NAP with IEEE802.1X and port ACL

Hi All,

I have set up a NAP with 802.1X POC with:
1. HP ProCurve 2610 switch configured with default VLAN and two standard ACLs, one named "compliant" and the second "noncompliant"
2. windows 2008 R2 Domain controller
3. Windows 2008 R2 NAP server
4. windows 2003 Antivirus & WSUS server
5. windows xp sp3, vista and windows 7 clients
6. IEEE 802.1X authentication setting is configured in the switch
7. Configured the network compliant policy to assign the "compliant" ACL to the port using the Filter-Id attribute.
8. Configured the network non-compliant policy to assign the "noncompliant" ACL to the port using the Filter-Id attribute.

Status
-The switch is not applying the ACL in the port

Request your help in:
1. Identifying the RADIUS attribute to instruct the ProCurve switch to apply a static ACL defined in it to a user port.
2. If it is not possible, help me with how to configure a dynamic ACL through vendor-specific options in Windows 2008 NPS.

2 REPLIES
Jens Egger
Occasional Advisor

Re: windows 2008 R2 NAP with IEEE802.1X and port ACL

Hi Shaji pk,

The correct RADIUS IDs are stated in the release notes of the 5300 series, OS V10.23, called "5300xl-RelNotes-e1023-59912127.pdf" on page 45. Google helps.

The ACL is not configured on the switch but on the RADIUS server within a handcrafted option (or ID), and will be transmitted to the device only during a successful authentication. Unsuccessful authentications are targeted within a routed ACL on the router behind the 2610.

For your domain and Group Policy scripting you have the perfect environment: W2k8 R2.
Depending on your authentication method (PEAP or TLS) I recommend reading the Microsoft gotchas on 802.1X in their support database. As there are severe functional differences in the 802.1X features between the client OSs you mentioned, start for example at KB articles 929847 and 904943.

Furthermore you may focus within the switch on the Wake-on-LAN topic if you additionally authenticate to different VLANs, and the implicit logoff timer within the 802.1X config.

Within your HP environment you may also use the PCM+ software suite with the additional IDM module, where you can configure your ACLs once and deploy them everywhere much more easily. Please be aware that this software is not free; additionally you need CarePacks, but you can test it for 60 days. It is compliant with W2k8 NAP. Obligatory hardware and software requirements are stated in the PCM admin guide.

HTH


Jens
Holger Hasenaug
Trusted Contributor

Re: windows 2008 R2 NAP with IEEE802.1X and port ACL

The attached screenshot may help for dynamic ACL. It is not possible to assign a dynamic ACL ID which points to a statically configured ACL on the switch.
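Added example, not part of this thread and not HP or Microsoft code: the two replies hinge on the difference between Filter-Id (a bare name the switch would have to resolve against a locally configured ACL, which the 2610 does not do) and a Vendor-Specific Attribute that carries the ACL rules themselves in the Access-Accept. The script below encodes both forms exactly as RFC 2865 lays them out on the wire (Type, Length, then for attribute 26 a 4-byte Vendor-Id and a vendor sub-attribute), decodes them back, and enforces the one-byte length limit. The vendor ID 11 is HP's IANA enterprise number; the sub-attribute number 61 is the one FreeRADIUS's HP dictionary lists for the per-rule ACL VSA and is an assumption to check against the release notes Jens points to, as is the rule text syntax, which is only a constructed sample here.

```python
"""Encode/decode the RADIUS attributes that hand an ACL decision to a NAS.

Filter-Id (attribute 11) only names something; Vendor-Specific (attribute 26)
can carry the ACL rules themselves, one VSA per rule.
"""
import struct

FILTER_ID = 11             # RFC 2865 Filter-Id: a name resolved by the NAS
VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific
HP_ENTERPRISE_NUMBER = 11  # IANA Private Enterprise Number registered to Hewlett-Packard
HP_NAS_FILTER_RULE = 61    # ASSUMED sub-attribute for one ACL rule (verify against HP docs)
MAX_ATTR_LEN = 255         # RADIUS attribute Length is a single byte


def encode_filter_id(name: str) -> bytes:
    """Filter-Id layout: Type(1) Length(1) Text; Length covers the whole attribute."""
    value = name.encode("utf-8")
    if 2 + len(value) > MAX_ATTR_LEN:
        raise ValueError("Filter-Id too long for one RADIUS attribute")
    return struct.pack("!BB", FILTER_ID, 2 + len(value)) + value


def encode_hp_acl_rule(rule: str) -> bytes:
    """VSA layout: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    value = rule.encode("utf-8")
    if 2 + 4 + 2 + len(value) > MAX_ATTR_LEN:
        raise ValueError("ACL rule too long for one RADIUS attribute")
    vendor_data = struct.pack("!BB", HP_NAS_FILTER_RULE, 2 + len(value)) + value
    body = struct.pack("!I", HP_ENTERPRISE_NUMBER) + vendor_data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_acl_attributes(filter_name=None, acl_rules=()) -> bytes:
    """Attribute list as it would sit in an Access-Accept: optional Filter-Id, then one VSA per rule."""
    blob = b""
    if filter_name is not None:
        blob += encode_filter_id(filter_name)
    for rule in acl_rules:
        blob += encode_hp_acl_rule(rule)
    return blob


def decode_attributes(blob: bytes):
    """Walk a RADIUS attribute list; reject truncated or zero-length attributes."""
    attrs = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("VSA without Vendor-Id")
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):  # several sub-attributes may share one VSA
                if j + 2 > len(value):
                    raise ValueError("truncated VSA sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad VSA sub-attribute length")
                attrs.append(("vsa", vendor, vtype, value[j + 2:j + vlen].decode("utf-8")))
                j += vlen
        elif atype == FILTER_ID:
            attrs.append(("filter-id", value.decode("utf-8")))
        else:
            attrs.append(("other", atype, value))
        i += alen
    return attrs


def hp_acl_rules(attrs):
    """Rules an HP NAS would act on: vendor 11 with the (assumed) rule sub-attribute."""
    return [a[3] for a in attrs
            if a[0] == "vsa" and a[1] == HP_ENTERPRISE_NUMBER and a[2] == HP_NAS_FILTER_RULE]


if __name__ == "__main__":
    # Constructed sample policy: a Filter-Id name (ignored by the 2610) plus two explicit rules.
    compliant_rules = ["permit in tcp from any to any 80", "deny in ip from any to any"]
    wire = encode_acl_attributes("compliant", compliant_rules)
    for attr in decode_attributes(wire):
        print(attr)
    print("rules the switch would install:", hp_acl_rules(decode_attributes(wire)))
```

Run it as-is to see that the Filter-Id arrives as nothing more than the string "compliant", while each VSA arrives with the rule text the switch can install; that is the practical reason Holger's answer is "dynamic ACL only". On NPS the equivalent is adding Vendor-Specific attributes under the network policy's Settings, one per rule, rather than a Filter-Id.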