HPE Community
Switches, Hubs, and Modems
1753396 Members
7419 Online
108792 Solutions
New Discussion юеВ

windows 2008 R2 NAP with IEEE802.1X and port ACL

 
shaji_pk
Occasional Contributor

тАО10-27-2010 12:57 AM

тАО10-27-2010 12:57 AM

windows 2008 R2 NAP with IEEE802.1X and port ACL

Hi All,

I have setup a NAP with 802.1X POC setup with,
1. HP Procurve 2610 switch configured with default VLAN and two standard ACL, one named "compliant" and second "noncompliant"
2. windows 2008 R2 Domain controller
3. Windows 2008 R2 NAP server
4. windows 2003 Antivirus & WSUS server
5. windows xp sp3, vista and windows 7 clients
6. IEEE 802.1X authentication setting is configured in the swith
7. Configured the network compliant policy to assign "compliant" ACL to the port using the filter ID attribute.
8. Configured the network non compliant policy to assign "noncompliant" ACL to the port using the filter ID attribute.

Status
-The switch is not applying the ACL in the port

Request your help in
1. Identifying the RADIUS attribute to instrcut the procurve switch to apply a static ACL defined in it to a user port.
2. If it is not possible, help me how to configure a dynamic ACL through vendor specific options in windows 2008 NPS.

0 Kudos
2 REPLIES 2
Jens Egger
Occasional Advisor

тАО10-28-2010 12:32 AM

тАО10-28-2010 12:32 AM

Re: windows 2008 R2 NAP with IEEE802.1X and port ACL

Hi Shaij pk,

the correct radius IDs are stated in the release notes of series 5300, OS V10.23, called "5300xl-RelNotes-e1023-59912127.pdf" on page 45. Google helps.

The ACL is not configured on the switch but on the Radius Server within an handcrafted Option (or ID), and will be transmitted to the device only during a successful authentication. Unsuccessfull authentications are targeted within a Routed ACL on the router behind the 2610.

For your domain and GroupPolicy Scripting you have the perfect environment: W2k8 R2.
Depending on your authentication method (PEAP or TLS) I recommend to read the Microsoft Gotchas on 802.1X in their Support Database. As there are servere functional differences about the 802.1X features with your mentioned client OSs, start for example at KB Articles 929847, 904943.

Further more you may focus within the Switch on the Wake-on-Lan topic if you additionally authenticate to different VLANs, and the Implicit LogOff Timer within 802.1X config.

Within your HP environment you may also use PCM+ Software Suite using additionally module IDM, where you can configure your ACLs once and deploy it everywhere much more easily. Please be aware that this software is not for free, additionally you need CarePacks, but you can test it for 60 days. It is compliant to W2k8 NAP. Obligatory hard- and software requirements are stated in the AdminGuide of PCM.

HTH


Jens
0 Kudos
Holger Hasenaug
Trusted Contributor

тАО10-28-2010 02:10 AM

тАО10-28-2010 02:10 AM

Re: windows 2008 R2 NAP with IEEE802.1X and port ACL

The attached screenshoot may help for dynamic ACL. It is not possible to assign an dynamic ACL ID which point to a static configured ACL on the switch.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.