
HP 1910 Lan Auth with Radius

 
sgardi
Occasional Visitor

HP 1910 Lan Auth with Radius

Hello,

 

I’m having a hard time getting LAN authentication working. I currently have a RADIUS server set up where I use it to authenticate VPN, wifi and port security. I can't seem to get it working with my HPE 1910s.

I can see from my NPS logs that it's communicating but it's failing.

 

8021X  Information  DOT1X_AUTH_FAILURE  -IfName=GigabitEthernet1/0/13-UserName=host/SAdjei-HP.ONSITERIS.com; DOT1X authentication failed.

 

I really want to avoid using MAC address if possible.

 

radius scheme system
 server-type extended
 primary authentication 10.10.100.209
 key authentication cipher xxxxxxxxxx
 security-policy-server 10.10.100.209
 user-name-format without-domain

radius scheme mydomainname
 server-type extended
 primary authentication 10.10.100.209
 primary accounting 10.10.100.209
 secondary authentication 10.10.100.244
 secondary accounting 10.10.100.244
 key authentication cipher xxxxxxxxxxxxxxx
 key accounting cipher xxxxxxxxxxxxxxxxx
 user-name-format keep-original
 nas-ip 10.10.100.11
 accounting-on enable

interface GigabitEthernet1/0/13
 stp edged-port enable
 dot1x max-user 2
 dot1x guest-vlan 10
 dot1x mandatory-domain onsiteris
 dot1x port-method portbased
 dot1x

2 REPLIES
sgardi
Occasional Visitor

Re: HP 1910 Lan Auth with Radius

I only have one port set up to use dot1x for testing

 

GigabitEthernet1/0/13  is link-down
   802.1X protocol is enabled
   Handshake is enabled
   Handshake secure is disabled
   802.1X unicast-trigger is disabled
   Periodic reauthentication is disabled
   The port is an authenticator
   Authentication Mode is Force-Authorized
   Port Control Type is Port-based
   802.1X Multicast-trigger is enabled
   Mandatory authentication domain: onsiteris
   Guest VLAN: 10
   Auth-Fail VLAN: NOT configured
   Critical VLAN: NOT configured
   Critical recovery-action: NOT configured
   Max number of on-line users is 2

   EAPOL Packet: Tx 2663, Rx 836
   Sent EAP Request/Identity Packets : 2312
        EAP Request/Challenge Packets: 94
        EAP Success Packets: 28, Fail Packets: 89
   Received EAPOL Start Packets : 400
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 202
            EAP Response/Challenge Packets: 140
            Error Packets: 0

Ian Vaughan
Honored Contributor

Re: HP 1910 Lan Auth with Radius

If I remember correctly:

"undo dot1x handshake" is recommended when you are using Windows NPS as your RADIUS server of choice.

I also have "undo dot1x multicast-trigger" but the sample (working) port config I have is from a 5130ei rather than a 1910.

Have you managed to enable full CLI access to the 1910 or are you able to drive this through the web GUI?

Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
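
To apply the reply's two suggestions across many ports, the following added example (not part of the original thread) parses 802.1X port status output of the shape posted in the second message and reports ports where handshake or multicast-trigger is still enabled, or where EAP failures outnumber successes. The function names and the failure-versus-success comparison are assumptions made for illustration.

```python
import re

# Constructed sample: excerpt of the port status output quoted in the thread.
SAMPLE = """\
GigabitEthernet1/0/13  is link-down
   Handshake is enabled
   Handshake secure is disabled
   802.1X unicast-trigger is disabled
   802.1X Multicast-trigger is enabled
        EAP Success Packets: 28, Fail Packets: 89
"""

# Settings the reply suggests turning off for NPS, with the command it quotes.
SUGGESTED_OFF = {
    "handshake": "undo dot1x handshake",
    "multicast-trigger": "undo dot1x multicast-trigger",
}

def parse_dot1x(text):
    """Split the output into per-interface on/off settings and EAP counters."""
    ports, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"(\S+)\s+is link-(?:up|down)", line):
            cur = ports.setdefault(m.group(1), {"settings": {}, "success": 0, "fail": 0})
        elif cur is None:
            continue  # ignore anything before the first interface header
        elif m := re.match(r"\s*(?:802\.1X )?([\w-]+(?: secure)?) is (enabled|disabled)\s*$", line, re.I):
            cur["settings"][m.group(1).lower()] = m.group(2).lower() == "enabled"
        elif m := re.search(r"EAP Success Packets:\s*(\d+), Fail Packets:\s*(\d+)", line):
            cur["success"], cur["fail"] = int(m.group(1)), int(m.group(2))
    return ports

def findings(ports):
    """Return (port, message) pairs for flagged settings and failure-heavy ports."""
    out = []
    for name, p in ports.items():
        for setting, cmd in SUGGESTED_OFF.items():
            if p["settings"].get(setting):
                out.append((name, f"{setting} enabled; reply suggests '{cmd}'"))
        if p["fail"] > p["success"]:
            out.append((name, f"EAP failures ({p['fail']}) exceed successes ({p['success']})"))
    return out

if __name__ == "__main__":
    for port, msg in findings(parse_dot1x(SAMPLE)):
        print(f"{port}: {msg}")
```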