
HP ProCurve 2520G-8-PoE RADIUS MAC-Address Authentication doesn't work

 
gabeB
Collector


Dear HP-Community

 

For testing, I've set up a little VLAN with an HP ProCurve 2520G-8-PoE, a ProLiant DL380R G4 with a Windows Server 2008 system and an NPS for the RADIUS authentication, and a normal Windows 7 client for testing the authentication.

 

Now I have followed the "How to configure MAC authentication on a ProCurve switch" manual for configuring the right parameters. The only difference is that I also enabled the EAP-MSCHAPv2 encryption, because Windows 7 doesn't support CHAP.

 

Unfortunately, my NPS is blocking the client. The error message says that the username and password are wrong:

Der Netzwerkrichtlinienserver verweigerte einem Benutzer den Zugriff.

Wenden Sie sich an den Administrator des Netzwerkrichtlinienservers, um weitere Informationen zu erhalten.

Benutzer:
	Sicherheits-ID:			NULL SID
	Kontoname:				009c021b1458
	Kontodomäne:				UEB
	Vollqualifizierter Kontoname:		UEB\00-9c-02-1b-14-58

Clientcomputer:
	Sicherheits-ID:			NULL SID
	Kontoname:				-
	Vollqualifizierter Kontoname:		-
	Betriebssystemversion:			-
	Empfänger-ID:				84-34-97-43-5f-9d
	Anrufer-ID:				00-9c-02-1b-14-58

NAS:
	NAS-IPv4-Adresse:			192.168.210.51
	NAS-IPv6-Adresse:			-
	NAS-ID:					UEBSW01
	NAS-Porttyp:				Ethernet
	NAS-Port:				3

RADIUS-Client:
	Clientanzeigenname:				UEBSW01
	Client-IP-Adresse:			192.168.210.51

Authentifizierungsdetails:
	Name der Verbindungsanforderungsrichtlinie:	GABRIEL
	Netzwerkrichtlinienname:		-
	Authentifizierungsanbieter:		Windows
	Authentifizierungsserver:		UEBSRV.ueb.lokal
	Authentifizierungstyp:		MD5-CHAP
	EAP-Typ:			-
	Kontositzungs-ID:		-
	Protokollierungsergebnisse:			Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
	Ursachencode:			16
	Ursache:				Authentifizierungsfehler aufgrund der Nichtübereinstimmung von Benutzeranmeldeinformationen. Der angegebene Benutzername ist keinem vorhandenen Benutzerkonto zugeordnet, oder das Kennwort war falsch.

The message is in German, but I hope you get the important information.

 

I've also tried it with different syntaxes, but nothing helped.
 
Do you perhaps have a solution?
 
Kind regards
 
gabeBU
bjulin
Occasional Advisor

Re: HP ProCurve 2520G-8-PoE RADIUS MAC-Address Authentication doesn't work

 

EAP-MSCHAPv2 is for 802.1x, not for mac-address based authentication.

 

Given the light level of security if you are doing pure MAC-based authentication, it would be silly of any RADIUS server to not support CHAP or basic RADIUS authentication.  It's not like, if you're going to allow anyone who can spoof a MAC address on, you really care that their MAC address and its hash are encrypted across the wire from the NAS to the AAA server, and if you did, you'd tunnel it through IPsec before it hit the Internet anyway.  My suggestion might be to consider using a real RADIUS server like FreeRADIUS or Radiator, unless you have a compelling reason to use NPS.

 

 

gabeBU
Occasional Contributor

Re: HP ProCurve 2520G-8-PoE RADIUS MAC-Address Authentication doesn't work

The reason is that I have to use the NPS; these are the specifications of my boss.

Also, I HAVE enabled CHAP AND EAP-MSCHAPv2 both at the same time.
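
Added example, not part of the thread or of any vendor documentation: the NPS log above shows the request arriving as MD5-CHAP, and with RADIUS CHAP (RFC 2865) the server recomputes an MD5 over the stored plaintext password, so the stored value must match what the switch sends byte for byte. The sketch assumes the switch uses the MAC address as both user name and password (an assumption, not stated in the thread); the function names, CHAP identifier and challenge are constructed.

```python
import hashlib
import hmac


def mac_formats(mac: str) -> dict:
    """Common textual renderings of one MAC address (lower and upper case)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    lower = {
        "no-delimiter": digits,
        "single-dash": digits[:6] + "-" + digits[6:],
        "multi-dash": "-".join(pairs),
        "multi-colon": ":".join(pairs),
    }
    upper = {name + "-upper": text.upper() for name, text in lower.items()}
    return {**lower, **upper}


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 CHAP response: MD5(CHAP ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def matching_format(mac, ident, challenge, response, stored=None):
    """Name the rendering whose CHAP response equals the one received.

    `stored` limits the search to the renderings actually configured as the
    account password on the RADIUS server; None means try all of them.
    """
    for name, text in mac_formats(mac).items():
        if stored is not None and name not in stored:
            continue
        expected = chap_response(ident, text.encode("ascii"), challenge)
        if hmac.compare_digest(expected, response):
            return name
    return None


# Constructed sample: MAC taken from the log above, challenge and ident invented.
MAC = "00-9c-02-1b-14-58"
IDENT, CHALLENGE = 7, bytes(range(16))
SENT = chap_response(IDENT, b"009c021b1458", CHALLENGE)  # assumed switch behaviour

if __name__ == "__main__":
    print("any rendering:", matching_format(MAC, IDENT, CHALLENGE, SENT))
    print("account stored with dashes only:",
          matching_format(MAC, IDENT, CHALLENGE, SENT, stored={"multi-dash"}))
```
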