
HP 1920S 48G 4SFP ( JL382A) and 802.1X

 
0815random
Occasional Collector

HP 1920S 48G 4SFP ( JL382A) and 802.1X

Hello,

I'm using the switch belong and I'm running PD.02.06 firmware, which is the newest. Here is my switch config:

!Current Configuration:
!
!System Description "HPE OfficeConnect Switch 1920S 48G 4SFP JL382A, PD.02.06, Linux 3.6.5-a07f8920, U-Boot 2012.10-00118-g3773021 (Oct 11 2016 - 15:39:54)"
!System Software Version "PD.02.06"
!System Up Time          "0 days 2 hrs 55 mins 11 secs"
!Additional Packages     HPE QOS,HPE IPv6 Management,HPE Routing
!Current SNTP Synchronized Time: Oct 17 13:20:38 2018 UTC
!
network protocol none
network parms 172.24.1.11 255.255.255.0 172.24.1.254
vlan database
vlan 2-5,42-43,126
vlan name 2 "VoIP"
vlan name 3 "Lab"
exit
ip http secure-server
ip http secure-protocol TLS1
ip ssh server enable
ip ssh protocol 2
configure
sntp client mode unicast
sntp server "192.168.100.254"
sntp server "192.168.100.38"
sntp server "192.168.100.39"
clock summer-time recurring EU offset 60
time-range Schedule-1
exit
time-range Schedule-2
exit
username "admin" password XXX level 15 encrypted
no username guest
dot1x system-auth-control monitor
aaa authentication dot1x default radius
authorization network radius
dot1x dynamic-vlan enable
voice vlan
radius accounting mode
radius server host auth "172.24.43.43" name "freeradius-virt"
radius server key auth "172.24.43.43" encrypted XXX
radius server primary "172.24.43.43"
radius server attribute 4 172.24.1.11
radius server host acct "172.24.43.43" name radius-virt
radius server key acct "172.24.43.43" encrypted XXX
radius server host acct "172.24.2.144" name freeradius-virt-2
radius server key acct "172.24.2.144" encrypted XXX
line console
exit
line telnet
exit
line ssh
exit
port-channel linktrap TRK 1
port-channel linktrap TRK 2
[…]
snmp-server sysname "here"
snmp-server location "Redroom"
snmp-server contact "me@mail.tld"
!
port-security
interface 1
mtu 9000
vlan participation exclude 3-4
vlan participation include 2,43
vlan tagging 2,43
exit
interface 2
voice vlan 2
dot1x pae supplicant
mtu 9000
vlan acceptframe admituntaggedonly
vlan participation include 2,43
vlan tagging 2,43
exit

According to the documentation I have to enable the Administrative Mode. 

First I tried it in the GUI: enabling it, clicking on save and then on apply. Each time I click on "apply", the SSH server and also the web server time out. The only way to restart the switch is to pull the power cable. After I'm online again and logged in, I notice that the Administrative Mode is disabled. When I don't use "save config" and just use "apply", it also freezes. That's the reason why I tried to configure the switch via SSH:

(HPE Routing) (Config)#show dot1x

Administrative Mode............... Disabled
VLAN Assignment Mode.............. Enabled
Dynamic VLAN Creation Mode........ Enabled
Monitor Mode...................... Enabled
EAPOL Flood Mode.................. Disabled

(HPE Routing) (Config)#dot1x ?

dynamic-vlan             Configure dot1x dynamic vlan creation parameters.
eapolflood               Enable/Disable EAPOL flood support on the switch.
port-control             Set the authentication mode on the specified port.
system-auth-control      Enable/Disable authentication support on the
                         switch.
user                     Add/Remove user from the list with access to the
                         specified port.

I'm missing a way to enable the Administrative Mode with dot1x. 

Can you give me some advice?

Thx

7 REPLIES 7
Giulian
Occasional Advisor

Re: HP 1920S 48G 4SFP ( JL382A) and 802.1X

Did you find a way to this mistake ?

0815random
Occasional Collector

Re: HP 1920S 48G 4SFP ( JL382A) and 802.1X

@Giulian wrote:

Did you find a way to this mistake ?


I'm not sure what you want to say.

Right now, I wasn't able to solve the mistake described below. How can I enable the 802.1X settings? When I try it in the steps described below, it's not possible to enable it on the switch.

Do you have a similar problem or can help me to solve my problem?

Giulian
Occasional Advisor

Re: HP 1920S 48G 4SFP ( JL382A) and 802.1X

Yes, I have the same and I want to activate 802.1X like you.

Giulian
Occasional Advisor

Re: HP 1920S 48G 4SFP ( JL382A) and 802.1X

You need to use the CLI. This model is particular because you can't activate telnet or SSH in GUI mode, so you need to follow this:

 

Re: How to Enable Telnet and SSH on HPE 1920s OfficeConnect
  1. download startup-config from GUI
  2. edit it, insert ip telnet server enable before configure
  3. upload it as startup-config in GUI
  4. reboot switch
  5. telnet into it with configured admin account and then enter sequence of commands to generate crypto keys and run ssh daemon
    enable
    configure
    crypto key generate rsa
    crypto key generate dsa
    exit
    ip ssh server enable
    ip ssh protocol 2
    write memory confirm
    quit
  6.  use ssh (look at step 5) and disable telnet if you need like
    enable
    no ip telnet server enable
    write memory confirm
    quit

I guess you can enable SSH for all recent OfficeConnect models 1820 or 1920S or 1950 the same way!
It would be more secure to use public key auth instead of pwd auth, but there's no aaa authentication ssh login public-key in these switches.

Giulian
Occasional Advisor

Re: HP 1920S 48G 4SFP ( JL382A) and 802.1X

I found the good solution.

You need to set "Force Authorized" as the control mode value for the port where you are connected to manage your switch, and after that you can activate administrative mode for the switch.

If you don't do that first, the port where you are connected waits for a RADIUS authentication, so if you can't get one you lose the connection.

 

0815random
Occasional Collector

Re: HP 1920S 48G 4SFP ( JL382A) and 802.1X



@Giulian wrote:

You need to use the CLI. This model is particular because you can't activate telnet or SSH in GUI mode, so you need to follow this:

Yes, I know, I already did that.

@Giulian wrote:

I found the good solution.

You need to set "Force Authorized" as the control mode value for the port where you are connected to manage your switch, and after that you can activate administrative mode for the switch.

If you don't do that first, the port where you are connected waits for a RADIUS authentication, so if you can't get one you lose the connection.


Where did you change that in the GUI, or where via SSH? I don't have the full GUI in my mind.

The network design:

I run a Freeradius and want to test with user+password. The switch is right now added into the local DNS and has a static IP address. I use a laptop for testing, which should be a supplicant on one port. On other ports it's not active and I have network access, but not as desired.

Thx for your answer!

Giulian
Occasional Advisor

Re: HP 1920S 48G 4SFP ( JL382A) and 802.1X

On GUI

SECURITY / Port Access Control /

Select Port 1 for example and then EDIT

Authenticator Options / Choose Force Authorized
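
Added example, not part of the thread and not HPE code: a pre-flight check that reads a saved config in the format posted above and reports whether the port used for management would start waiting for RADIUS authentication once 802.1X administrative mode is switched on. The sample config is constructed; the `dot1x port-control force-authorized` interface line, the bare `dot1x system-auth-control` line for administrative mode, and the `auto`/`authenticator` defaults are assumptions about this CLI, since the thread only shows the `port-control` and `system-auth-control` keywords and the `monitor` and `pae supplicant` lines.

```python
import re

# Constructed sample in the format of the config posted in this thread.
SAMPLE_CONFIG = """\
dot1x system-auth-control monitor
interface 1
vlan participation include 2,43
exit
interface 2
dot1x pae supplicant
exit
interface 3
dot1x port-control force-authorized
exit
"""

def parse_dot1x(config):
    """Return (global dot1x state, {port: dot1x settings}) from a config dump."""
    state = {"admin_mode": False, "monitor_mode": False}
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            # Assumed defaults when an interface block carries no dot1x line.
            ports[current] = {"control": "auto", "pae": "authenticator"}
        elif line == "exit":
            current = None
        elif current is None and line == "dot1x system-auth-control":
            state["admin_mode"] = True      # assumed syntax for Administrative Mode
        elif current is None and line == "dot1x system-auth-control monitor":
            state["monitor_mode"] = True    # line taken from the posted config
        elif current and line.startswith("dot1x port-control "):
            ports[current]["control"] = line.split()[2]
        elif current and line.startswith("dot1x pae "):
            ports[current]["pae"] = line.split()[2]
    return state, ports

def lockout_risk(config, mgmt_port):
    """Findings to clear before enabling administrative mode from mgmt_port."""
    _, ports = parse_dot1x(config)
    port = ports.get(mgmt_port)
    if port is None:
        return [f"port {mgmt_port}: no interface block found"]
    if port["control"] != "force-authorized":
        return [f"port {mgmt_port}: control mode {port['control']}, not force-authorized"]
    return []
```

Run it against the startup-config downloaded from the GUI, passing the port the management station is plugged into, before applying the change.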