
802.1X on HPE 1950

ColonelSarge
Occasional Visitor

802.1X on HPE 1950

I'm trying to set up 802.1X on HPE 1950 (JG961A), but it's not working. I tried to set up 802.1X on the HPE 1950 according to pages 122-124 of the user guide (http://h20565.www2.hpe.com/hpsc/doc/public/display?sp4ts.oid=7399488&docLocale=en_US&docId=emr_na-c04657809).

I set up a radius profile with accounting for our existing radius server (Windows Server 2012). I created an ISP domain for LAN access called lan and configured it to use the radius profile for authentication, authorization, and accounting. I enabled 802.1X and configured it for MAC-based control on one interface (GE1/0/2) for testing. The lan ISP domain is set as the mandatory domain for the port.

When I set 802.1X on GE1/0/2 to Automatic, I cannot get LAN access. The policy on the radius server allows Windows credentials and/or machine-based certificate for testing, but I don't get prompted for any form of authentication. The computer that I am using for testing has the appropriate certificate installed. The HPE 1950 is configured as a client with the correct IP address on the radius server.

The radius logs on the radius server do not show any events regarding the HPE 1950 switch or 802.1X authentication. I suspect that the authentication request is not being forwarded to the radius server properly and that the request eventually times out.

Does anyone know what is wrong?

A sanitized version of the switch config is below.

# 
version 7.1.045, Release 3113P05 
# 
sysname REDACTED
# 
clock timezone Saskatchewan minus 06:00:00 
clock protocol ntp 
# 
irf mac-address persistent timer 
irf auto-update enable 
undo irf link-delay 
irf member 1 priority 1 
# 
dot1x 
dot1x authentication-method eap 
dot1x domain-delimiter @\\ 
# 
dns server REDACTED
dns server REDACTED
dns server REDACTED
# 
transceiver phony-alarm-disable 
password-recovery enable 
# 
vlan 1 
# 
vlan 3 
description REDACTED
# 
vlan 6 
description REDACTED
# 
traffic classifier WebVlan_6_0_0 operator or 
# 
traffic classifier WebVlan_6_1_0 operator or 
# 
traffic behavior WebVlan_6_0_0 
remark dot1p 6 
# 
traffic behavior WebVlan_6_1_0 
remark dot1p 6 
# 
qos policy WebVlan_6_0 
classifier WebVlan_6_0_0 behavior WebVlan_6_0_0 
# 
qos policy WebVlan_6_1 
classifier WebVlan_6_1_0 behavior WebVlan_6_1_0 
# 
interface Bridge-Aggregation1 
port link-type trunk 
undo port trunk permit vlan 1 
port trunk permit vlan 3 6 
port trunk pvid vlan 3 
link-aggregation mode dynamic 
# 
interface NULL0 
# 
interface Vlan-interface1 
# 
interface Vlan-interface3 
ip address REDACTED
# 
interface Vlan-interface6 
ip address REDACTED
# 
interface GigabitEthernet1/0/1 
port access vlan 3 
# 
interface GigabitEthernet1/0/2 
port access vlan 3 
dot1x 
dot1x mandatory-domain lan 
dot1x unicast-trigger 
dot1x smarton 
# 
interface GigabitEthernet1/0/3 
port access vlan 3 
# 
interface GigabitEthernet1/0/4 
port access vlan 3 
# 
interface GigabitEthernet1/0/5 
port access vlan 3 
# 
interface GigabitEthernet1/0/6 
port access vlan 3 
# 
interface GigabitEthernet1/0/7 
port access vlan 3 
# 
interface GigabitEthernet1/0/8 
port access vlan 3 
# 
interface GigabitEthernet1/0/9 
port access vlan 3 
# 
interface GigabitEthernet1/0/10 
port access vlan 3 
# 
interface GigabitEthernet1/0/11 
port access vlan 3 
# 
interface GigabitEthernet1/0/12 
port access vlan 3 
# 
interface GigabitEthernet1/0/13 
port access vlan 3 
# 
interface GigabitEthernet1/0/14 
port access vlan 3 
# 
interface GigabitEthernet1/0/15 
port access vlan 3 
# 
interface GigabitEthernet1/0/16 
port access vlan 3 
# 
interface GigabitEthernet1/0/17 
port access vlan 3 
# 
interface GigabitEthernet1/0/18 
port access vlan 3 
# 
interface GigabitEthernet1/0/19 
port access vlan 3 
# 
interface GigabitEthernet1/0/20 
port access vlan 3 
# 
interface GigabitEthernet1/0/21 
port access vlan 3 
# 
interface GigabitEthernet1/0/22 
port access vlan 3 
# 
interface GigabitEthernet1/0/23 
port access vlan 3 
# 
interface GigabitEthernet1/0/24 
port access vlan 3 
# 
interface GigabitEthernet1/0/25 
port access vlan 3 
# 
interface GigabitEthernet1/0/26 
port access vlan 3 
# 
interface GigabitEthernet1/0/27 
port access vlan 3 
# 
interface GigabitEthernet1/0/28 
port access vlan 3 
# 
interface GigabitEthernet1/0/29 
port access vlan 3 
# 
interface GigabitEthernet1/0/30 
port access vlan 3 
# 
interface GigabitEthernet1/0/31 
port access vlan 3 
# 
interface GigabitEthernet1/0/32 
port access vlan 3 
# 
interface GigabitEthernet1/0/33 
port access vlan 3 
# 
interface GigabitEthernet1/0/34 
port access vlan 3 
# 
interface GigabitEthernet1/0/35 
port access vlan 3 
# 
interface GigabitEthernet1/0/36 
port access vlan 3 
# 
interface GigabitEthernet1/0/37 
port access vlan 3 
# 
interface GigabitEthernet1/0/38 
port access vlan 3 
# 
interface GigabitEthernet1/0/39 
port access vlan 3 
# 
interface GigabitEthernet1/0/40 
port access vlan 3 
# 
interface GigabitEthernet1/0/41 
port access vlan 3 
# 
interface GigabitEthernet1/0/42 
port access vlan 3 
# 
interface GigabitEthernet1/0/43 
port access vlan 3 
# 
interface GigabitEthernet1/0/44 
port access vlan 3 
# 
interface GigabitEthernet1/0/45 
port access vlan 3 
# 
interface GigabitEthernet1/0/46 
port access vlan 3 
# 
interface GigabitEthernet1/0/47 
port link-type trunk 
undo port trunk permit vlan 1 
port trunk permit vlan 3 6 
port trunk pvid vlan 3 
port link-aggregation group 1 
# 
interface GigabitEthernet1/0/48 
port link-type trunk 
undo port trunk permit vlan 1 
port trunk permit vlan 3 6 
port trunk pvid vlan 3 
port link-aggregation group 1 
# 
interface Ten-GigabitEthernet1/0/49 
port access vlan 3 
# 
interface Ten-GigabitEthernet1/0/50 
port access vlan 3 
# 
interface Ten-GigabitEthernet1/0/51 
port access vlan 3 
# 
interface Ten-GigabitEthernet1/0/52 
port access vlan 3 
# 
scheduler logfile size 16 
# 
line class aux 
authentication-mode scheme 
user-role network-admin 
# 
line class vty 
authentication-mode scheme 
user-role network-operator 
# 
line aux 0 
user-role network-admin 
# 
line vty 0 63 
user-role network-operator 
# 
ip route-static 0.0.0.0 0 REDACTED
# 
info-center loghost REDACTED
# 
snmp-agent 
snmp-agent local-engineid REDACTED
snmp-agent community read REDACTED
snmp-agent community write REDACTED
snmp-agent sys-info location REDACTED
snmp-agent sys-info version REDACTED
# 
qos vlan-policy WebVlan_6_0 vlan 6 inbound 
# 
ntp-service enable 
ntp-service unicast-peer REDACTED
ntp-service unicast-peer REDACTED
ntp-service unicast-peer REDACTED
ntp-service unicast-peer REDACTED
# 
radius scheme radius 
primary authentication RADIUS IP key cipher REDACTED
primary accounting RADIUS IP key cipher REDACTED
key authentication cipher REDACTED
key accounting cipher REDACTED
user-name-format keep-original 
nas-ip SWITCH IP
# 
domain lan 
authentication lan-access radius-scheme radius 
authorization lan-access radius-scheme radius 
accounting lan-access radius-scheme radius 
# 
domain system 
# 
domain default enable system 
# 
role name level-0 
description Predefined level-0 role 
# 
role name level-1 
description Predefined level-1 role 
# 
role name level-2 
description Predefined level-2 role 
# 
role name level-3 
description Predefined level-3 role 
# 
role name level-4 
description Predefined level-4 role 
# 
role name level-5 
description Predefined level-5 role 
# 
role name level-6 
description Predefined level-6 role 
# 
role name level-7 
description Predefined level-7 role 
# 
role name level-8 
description Predefined level-8 role 
# 
role name level-9 
description Predefined level-9 role 
# 
role name level-10 
description Predefined level-10 role 
# 
role name level-11 
description Predefined level-11 role 
# 
role name level-12 
description Predefined level-12 role 
# 
role name level-13 
description Predefined level-13 role 
# 
role name level-14 
description Predefined level-14 role 
# 
user-group system 
# 
local-user REDACTED class manage 
password hash REDACTED
service-type REDACTED
authorization-attribute user-role network-admin 
authorization-attribute user-role network-operator 
# 
ip https enable 
# 
return 
#
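The first post describes the chain a port must resolve before the switch can send anything to RADIUS: port-level 802.1X, a mandatory ISP domain, that domain's lan-access authentication method, and the radius scheme's primary authentication server. As an added example (not from the thread, HPE or the user guide), the Python below parses a Comware-style config into its '#'-delimited sections and walks that chain, reporting whichever link is missing; the embedded config is a constructed excerpt with placeholder addresses, not the poster's real values, and the section layout it assumes is the one shown in the sanitized config above.

```python
import re
# Constructed Comware-style excerpt shaped like the poster's sanitized config (placeholder values).
SAMPLE_CONFIG = """\
dot1x
#
interface GigabitEthernet1/0/2
 dot1x
 dot1x mandatory-domain lan
#
radius scheme radius
 primary authentication 192.0.2.10 key cipher PLACEHOLDER
#
domain lan
 authentication lan-access radius-scheme radius
#
"""

def parse_sections(text):
    """Split a Comware config into its '#'-delimited sections, keyed by each section's first line."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            current = None
        elif line and current is None:
            current, sections[line] = line, []
        elif line:
            sections[current].append(line)
    return sections

def first_match(lines, pattern):
    # Group 1 of the first line matching pattern, or None.
    return next((m.group(1) for m in map(re.compile(pattern).match, lines) if m), None)

def check_dot1x_chain(text, port):
    """Walk port -> mandatory domain -> RADIUS scheme -> primary server; return findings (empty = chain complete)."""
    s, findings = parse_sections(text), []
    if "dot1x" not in s:
        findings.append("802.1X is not enabled globally (no top-level 'dot1x')")
    port_lines = s.get(f"interface {port}", [])
    if "dot1x" not in port_lines:
        findings.append(f"{port}: 'dot1x' is not enabled on the port")
    domain = first_match(port_lines, r"dot1x mandatory-domain (\S+)")
    if domain is None or f"domain {domain}" not in s:
        return findings + [f"{port}: mandatory domain {domain!r} is missing or not defined"]
    scheme = first_match(s[f"domain {domain}"], r"authentication lan-access radius-scheme (\S+)")
    if scheme is None or f"radius scheme {scheme}" not in s:
        return findings + [f"domain '{domain}': no defined lan-access RADIUS scheme, so no Access-Request is ever sent"]
    if first_match(s[f"radius scheme {scheme}"], r"primary authentication (\S+)") is None:
        findings.append(f"radius scheme '{scheme}' has no primary authentication server")
    return findings
```

Run it against the output of `display current-configuration` saved to a file; an empty list only means the configuration chain is complete, so a server that still logs nothing points at reachability or the shared key rather than at the switch-side chain.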
2 REPLIES
parnassus
Honored Contributor

Re: 802.1X on HPE 1950

What about first updating to R3116 from R3113P05?

ColonelSarge
Occasional Visitor

Re: 802.1X on HPE 1950

I upgraded the firmware to 3116, but I still get the same behavior. 802.1X does not authenticate and does not prompt for authentication. The logs on the RADIUS server do not show any entries for 802.1X authentication or for the HPE 1950.

 

HPE Comware Software, Version 7.1.045, Release 3116
Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP
HPE 1950 48G 2SFP+ 2XGT Switch uptime is 0 weeks, 0 days, 0 hours, 45 minutes
Last reboot reason : USER reboot

Boot image: flash:/1950-cmw710-boot-r3116.bin
Boot image version: 7.1.045, Release 3116
Compiled Apr 06 2017 16:00:00
System image: flash:/1950-cmw710-system-r3116.bin
System image version: 7.1.045, Release 3116
Compiled Apr 06 2017 16:00:00


Slot 1:
Uptime is 0 weeks,0 days,0 hours,45 minutes
HPE 1950 48G 2SFP+ 2XGT JG961A with 1 Processor
BOARD TYPE: 1950-48G-2SFP+-2XGT
DRAM: 1024M bytes
FLASH: 512M bytes
PCB 1 Version: VER.D
Bootrom Version: 147
CPLD 1 Version: 001
Release Version: HPE 1950 48G 2SFP+ 2XGT JG961A-3116
Patch Version : None
Reboot Cause : UserReboot
[SubSlot 0] 48GE+2SFP-Plus+2XGT