09-11-2017 11:13 AM
802.1X on HPE 1950
I'm trying to set up 802.1X on HPE 1950 (JG961A), but it's not working. I tried to set up 802.1X on the HPE 1950 according to pages 122-124 of the user guide (http://h20565.www2.hpe.com/hpsc/doc/public/display?sp4ts.oid=7399488&docLocale=en_US&docId=emr_na-c04657809).
I set up a radius profile with accounting for our existing radius server (Windows Server 2012). I created an ISP domain for LAN access called lan and configured it to use the radius profile for authentication, authorization, and accounting. I enabled 802.1X and configured it for MAC-based control on one interface (GE1/0/2) for testing. The lan ISP domain is set as the mandatory domain for the port.
When I set 802.1X on GE1/0/2 to Automatic, I cannot get LAN access. The policy on the radius server allows Windows credentials and/or machine-based certificate for testing, but I don't get prompted for any form of authentication. The computer that I am using for testing has the appropriate certificate installed. The HPE 1950 is configured as a client with the correct IP address on the radius server.
The radius logs on the radius server do not show any events regarding the HPE 1950 switch or 802.1X authentication. I suspect that the authentication request is not being forwarded to the radius server properly and that the request eventually times out.
Does anyone know what is wrong?
A sanitized version of the switch config is below.
#
 version 7.1.045, Release 3113P05
#
 sysname REDACTED
#
 clock timezone Saskatchewan minus 06:00:00
 clock protocol ntp
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 dot1x
 dot1x authentication-method eap
 dot1x domain-delimiter @\\
#
 dns server REDACTED
 dns server REDACTED
 dns server REDACTED
#
 transceiver phony-alarm-disable
 password-recovery enable
#
vlan 1
#
vlan 3
 description REDACTED
#
vlan 6
 description REDACTED
#
traffic classifier WebVlan_6_0_0 operator or
#
traffic classifier WebVlan_6_1_0 operator or
#
traffic behavior WebVlan_6_0_0
 remark dot1p 6
#
traffic behavior WebVlan_6_1_0
 remark dot1p 6
#
qos policy WebVlan_6_0
 classifier WebVlan_6_0_0 behavior WebVlan_6_0_0
#
qos policy WebVlan_6_1
 classifier WebVlan_6_1_0 behavior WebVlan_6_1_0
#
interface Bridge-Aggregation1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3 6
 port trunk pvid vlan 3
 link-aggregation mode dynamic
#
interface NULL0
#
interface Vlan-interface1
#
interface Vlan-interface3
 ip address REDACTED
#
interface Vlan-interface6
 ip address REDACTED
#
interface GigabitEthernet1/0/1
 port access vlan 3
#
interface GigabitEthernet1/0/2
 port access vlan 3
 dot1x
 dot1x mandatory-domain lan
 dot1x unicast-trigger
 dot1x smarton
#
interface GigabitEthernet1/0/3
 port access vlan 3
#
interface GigabitEthernet1/0/4
 port access vlan 3
#
interface GigabitEthernet1/0/5
 port access vlan 3
#
interface GigabitEthernet1/0/6
 port access vlan 3
#
interface GigabitEthernet1/0/7
 port access vlan 3
#
interface GigabitEthernet1/0/8
 port access vlan 3
#
interface GigabitEthernet1/0/9
 port access vlan 3
#
interface GigabitEthernet1/0/10
 port access vlan 3
#
interface GigabitEthernet1/0/11
 port access vlan 3
#
interface GigabitEthernet1/0/12
 port access vlan 3
#
interface GigabitEthernet1/0/13
 port access vlan 3
#
interface GigabitEthernet1/0/14
 port access vlan 3
#
interface GigabitEthernet1/0/15
 port access vlan 3
#
interface GigabitEthernet1/0/16
 port access vlan 3
#
interface GigabitEthernet1/0/17
 port access vlan 3
#
interface GigabitEthernet1/0/18
 port access vlan 3
#
interface GigabitEthernet1/0/19
 port access vlan 3
#
interface GigabitEthernet1/0/20
 port access vlan 3
#
interface GigabitEthernet1/0/21
 port access vlan 3
#
interface GigabitEthernet1/0/22
 port access vlan 3
#
interface GigabitEthernet1/0/23
 port access vlan 3
#
interface GigabitEthernet1/0/24
 port access vlan 3
#
interface GigabitEthernet1/0/25
 port access vlan 3
#
interface GigabitEthernet1/0/26
 port access vlan 3
#
interface GigabitEthernet1/0/27
 port access vlan 3
#
interface GigabitEthernet1/0/28
 port access vlan 3
#
interface GigabitEthernet1/0/29
 port access vlan 3
#
interface GigabitEthernet1/0/30
 port access vlan 3
#
interface GigabitEthernet1/0/31
 port access vlan 3
#
interface GigabitEthernet1/0/32
 port access vlan 3
#
interface GigabitEthernet1/0/33
 port access vlan 3
#
interface GigabitEthernet1/0/34
 port access vlan 3
#
interface GigabitEthernet1/0/35
 port access vlan 3
#
interface GigabitEthernet1/0/36
 port access vlan 3
#
interface GigabitEthernet1/0/37
 port access vlan 3
#
interface GigabitEthernet1/0/38
 port access vlan 3
#
interface GigabitEthernet1/0/39
 port access vlan 3
#
interface GigabitEthernet1/0/40
 port access vlan 3
#
interface GigabitEthernet1/0/41
 port access vlan 3
#
interface GigabitEthernet1/0/42
 port access vlan 3
#
interface GigabitEthernet1/0/43
 port access vlan 3
#
interface GigabitEthernet1/0/44
 port access vlan 3
#
interface GigabitEthernet1/0/45
 port access vlan 3
#
interface GigabitEthernet1/0/46
 port access vlan 3
#
interface GigabitEthernet1/0/47
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3 6
 port trunk pvid vlan 3
 port link-aggregation group 1
#
interface GigabitEthernet1/0/48
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3 6
 port trunk pvid vlan 3
 port link-aggregation group 1
#
interface Ten-GigabitEthernet1/0/49
 port access vlan 3
#
interface Ten-GigabitEthernet1/0/50
 port access vlan 3
#
interface Ten-GigabitEthernet1/0/51
 port access vlan 3
#
interface Ten-GigabitEthernet1/0/52
 port access vlan 3
#
 scheduler logfile size 16
#
line class aux
 authentication-mode scheme
 user-role network-admin
#
line class vty
 authentication-mode scheme
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 REDACTED
#
 info-center loghost REDACTED
#
 snmp-agent
 snmp-agent local-engineid REDACTED
 snmp-agent community read REDACTED
 snmp-agent community write REDACTED
 snmp-agent sys-info location REDACTED
 snmp-agent sys-info version REDACTED
#
 qos vlan-policy WebVlan_6_0 vlan 6 inbound
#
 ntp-service enable
 ntp-service unicast-peer REDACTED
 ntp-service unicast-peer REDACTED
 ntp-service unicast-peer REDACTED
 ntp-service unicast-peer REDACTED
#
radius scheme radius
 primary authentication RADIUS IP key cipher REDACTED
 primary accounting RADIUS IP key cipher REDACTED
 key authentication cipher REDACTED
 key accounting cipher REDACTED
 user-name-format keep-original
 nas-ip SWITCH IP
#
domain lan
 authentication lan-access radius-scheme radius
 authorization lan-access radius-scheme radius
 accounting lan-access radius-scheme radius
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user REDACTED class manage
 password hash REDACTED
 service-type REDACTED
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 ip https enable
#
return
#
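A static cross-check of the chain the post describes (802.1X port, mandatory ISP domain, RADIUS scheme), as an added example that is not part of the original post or any HPE tool. The sample config is constructed from the posted excerpt, and the parser assumes the usual display current-configuration layout in which section commands are indented under an unindented header.

```python
import re
# Constructed sample: the 802.1X-relevant stanzas trimmed from the posted config.
SAMPLE = """\
#
 dot1x
#
interface GigabitEthernet1/0/1
 port access vlan 3
#
interface GigabitEthernet1/0/2
 port access vlan 3
 dot1x
 dot1x mandatory-domain lan
#
radius scheme radius
#
domain lan
 authentication lan-access radius-scheme radius
"""

def parse_sections(text):
    """Map each unindented header to its indented commands; '#' closes a section."""
    sections, current = {"global": []}, "global"
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            current = "global"
        elif line.startswith(" "):
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_dot1x(text):
    """List broken references between dot1x ports, ISP domains and RADIUS schemes."""
    s = parse_sections(text)
    findings = [] if "dot1x" in s["global"] else ["802.1X is not enabled globally"]
    schemes = {h.split()[2] for h in s if h.startswith("radius scheme ")}
    ports = {h.split()[1]: c for h, c in s.items()
             if h.startswith("interface ") and "dot1x" in c}
    for port, cmds in ports.items():
        for name in re.findall(r"^dot1x mandatory-domain (\S+)$", "\n".join(cmds), re.M):
            domain = s.get("domain " + name)
            if domain is None:
                findings.append(f"{port}: mandatory domain '{name}' is not defined")
            used = {c.split()[-1] for c in domain or [] if "lan-access radius-scheme" in c}
            findings += [f"{port}: domain '{name}' uses undefined RADIUS scheme '{u}'"
                         for u in sorted(used - schemes)]
    return findings
```

An empty result only rules out dangling references in the saved config; it does not show whether the switch actually sends RADIUS packets.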
09-11-2017 01:38 PM
09-19-2017 07:33 AM
Re: 802.1X on HPE 1950
I upgraded the firmware to 3116, but I still get the same behavior. 802.1X does not authenticate and does not prompt for authentication. The logs on the RADIUS server do not show any entries for 802.1X authentication or for the HPE 1950.
HPE Comware Software, Version 7.1.045, Release 3116
Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP
HPE 1950 48G 2SFP+ 2XGT Switch uptime is 0 weeks, 0 days, 0 hours, 45 minutes
Last reboot reason : USER reboot
Boot image: flash:/1950-cmw710-boot-r3116.bin
Boot image version: 7.1.045, Release 3116
  Compiled Apr 06 2017 16:00:00
System image: flash:/1950-cmw710-system-r3116.bin
System image version: 7.1.045, Release 3116
  Compiled Apr 06 2017 16:00:00
Slot 1:
Uptime is 0 weeks,0 days,0 hours,45 minutes
HPE 1950 48G 2SFP+ 2XGT JG961A with 1 Processor
BOARD TYPE: 1950-48G-2SFP+-2XGT
DRAM: 1024M bytes
FLASH: 512M bytes
PCB 1 Version: VER.D
Bootrom Version: 147
CPLD 1 Version: 001
Release Version: HPE 1950 48G 2SFP+ 2XGT JG961A-3116
Patch Version : None
Reboot Cause : UserReboot
[SubSlot 0] 48GE+2SFP-Plus+2XGT
08-27-2018 09:32 AM
Re: 802.1X on HPE 1950
I have the same issue with the same switch on the same firmware. Did you get anywhere with this issue?
11-22-2019 02:17 AM - edited 11-22-2019 02:18 AM
Re: 802.1X on HPE 1950
Hi, we have the same problem, also with the latest firmware: port-based 802.1X authentication is failing and the switch does not send any packets to the RADIUS server. Does anyone have a solution for this?
But web GUI RADIUS authentication is working fine.