10-27-2010 12:57 AM
windows 2008 R2 NAP with IEEE802.1X and port ACL
Hi All,
I have set up a NAP with 802.1X POC setup with:
1. HP ProCurve 2610 switch configured with the default VLAN and two standard ACLs, one named "compliant" and the second "noncompliant"
2. Windows 2008 R2 domain controller
3. Windows 2008 R2 NAP server
4. Windows 2003 antivirus & WSUS server
5. Windows XP SP3, Vista and Windows 7 clients
6. IEEE 802.1X authentication settings configured on the switch
7. Configured the network compliant policy to assign the "compliant" ACL to the port using the Filter-Id attribute.
8. Configured the network non-compliant policy to assign the "noncompliant" ACL to the port using the Filter-Id attribute.
Status
- The switch is not applying the ACL on the port
Request your help in:
1. Identifying the RADIUS attribute to instruct the ProCurve switch to apply a static ACL defined on it to a user port.
2. If that is not possible, help me configure a dynamic ACL through vendor-specific options in Windows 2008 NPS.
2 REPLIES
10-28-2010 12:32 AM
Re: windows 2008 R2 NAP with IEEE802.1X and port ACL
Hi Shaij pk,
The correct RADIUS IDs are stated in the release notes of the 5300 series, OS V10.23, called "5300xl-RelNotes-e1023-59912127.pdf", on page 45. Google helps.
The ACL is not configured on the switch but on the RADIUS server within a handcrafted Option (or ID), and will be transmitted to the device only during a successful authentication. Unsuccessful authentications are targeted within a Routed ACL on the router behind the 2610.
For your domain and Group Policy scripting you have the perfect environment: W2k8 R2.
Depending on your authentication method (PEAP or TLS) I recommend reading the Microsoft Gotchas on 802.1X in their Support Database. As there are severe functional differences in the 802.1X features of the client OSs you mentioned, start for example at KB articles 929847 and 904943.
Furthermore you may focus within the switch on the Wake-on-LAN topic if you additionally authenticate to different VLANs, and on the Implicit LogOff Timer within the 802.1X config.
Within your HP environment you may also use the PCM+ Software Suite, additionally using the IDM module, where you can configure your ACLs once and deploy them everywhere much more easily. Please be aware that this software is not free; additionally you need CarePacks, but you can test it for 60 days. It is compliant with W2k8 NAP. Obligatory hardware and software requirements are stated in the AdminGuide of PCM.
HTH
Jens
10-28-2010 02:10 AM
Re: windows 2008 R2 NAP with IEEE802.1X and port ACL
The attached screenshot may help for dynamic ACLs. It is not possible to assign a dynamic ACL ID which points to a statically configured ACL on the switch.
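The two replies above make the same point: the switch does not honour a Filter-Id that names an ACL stored on the switch; the ACEs themselves must travel inside the Access-Accept as vendor-specific attributes, and only after a successful authentication. The Python below is an added illustration, not code from this thread, from HP or from NPS. It encodes both shapes per RFC 2865: the standard Filter-Id attribute (type 11) the original post used, and a Vendor-Specific attribute (type 26, HP enterprise number 11) carrying one ACE string per sub-attribute. The HP sub-attribute type (61 here) and the ACE strings are assumed placeholders only; the real values must be taken from the release notes Jens cites. The "switch side" parser ignores Filter-Id, which is the behaviour the last reply describes, and rejects malformed lengths, which any NAS parsing a RADIUS reply must do.

```python
import struct
from typing import List, Tuple

# RFC 2865 attribute types (standard, certain)
FILTER_ID = 11          # Filter-Id: names a filter the NAS must already know
VENDOR_SPECIFIC = 26    # Vendor-Specific: wraps vendor-defined sub-attributes
VENDOR_HP = 11          # IANA enterprise number for Hewlett-Packard

# ASSUMPTION / placeholder: the HP sub-attribute type that carries an ACE
# string must be taken from the switch release notes cited in the thread.
HP_ACE_SUBTYPE = 61


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute (RFC 2865 section 5.26):
    Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_static_acl_reply(acl_name: str) -> bytes:
    """What the original post sent: Filter-Id naming an ACL on the switch."""
    return encode_attr(FILTER_ID, acl_name.encode())


def build_dynamic_acl_reply(aces: List[str]) -> bytes:
    """What the replies describe: the ACEs themselves, one VSA per rule, so the
    switch can install them on the port after a successful authentication."""
    return b"".join(encode_vsa(VENDOR_HP, HP_ACE_SUBTYPE, a.encode()) for a in aces)


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, rejecting truncated or oversized lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad length %d for attribute %d" % (length, t))
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def parse_vsa(value: bytes) -> Tuple[int, int, bytes]:
    """Split a Vendor-Specific value into (vendor_id, vendor_type, payload)."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen != len(value) - 4:
        raise ValueError("vendor length mismatch")
    return vendor_id, vtype, value[6:]


def extract_hp_aces(reply: bytes) -> List[str]:
    """Simulate the switch side: collect HP ACE strings, ignore Filter-Id."""
    aces = []
    for t, v in parse_attrs(reply):
        if t != VENDOR_SPECIFIC:
            continue
        vid, vtype, payload = parse_vsa(v)
        if vid == VENDOR_HP and vtype == HP_ACE_SUBTYPE:
            aces.append(payload.decode())
    return aces


if __name__ == "__main__":
    # Constructed sample rules; the syntax is illustrative, not verified HP syntax.
    rules = ["permit in tcp from any to any 80", "deny in ip from any to any"]
    print("Filter-Id reply yields:", extract_hp_aces(build_static_acl_reply("compliant")))
    print("VSA reply yields:", extract_hp_aces(build_dynamic_acl_reply(rules)))
```

Running the block shows the Filter-Id reply producing no installable rules while the VSA reply yields the two ACEs, which matches the symptom in the original post and the explanation in both replies.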