
Procurve 420 WAP - Mac auth with radius / dhcp

 
Randy Cosby
Occasional Contributor

Procurve 420 WAP - Mac auth with radius / dhcp

I have a 420 WAP set up with the latest firmware (2.1.3). I'm using security suite 8 [WPA-PSK(TKIP-AES) (Mcast:TKIP, Ucast:TKIP+AES)] with a preshared key. The client can connect fine to this, and my DHCP server gives the client an IP address.

However, if I also turn on radius mac authentication, I have problems. My radius server authenticates the user fine, but I never get to pull up a dhcp IP address from my DHCP server.

I can't find any documentation on what radius reply attributes I need to be sending to the WAP to show that they can pass traffic. We are sending an "Access-Accept" back to the WAP. What else do I need to send back?

I'm using Radiator radius server.

My users file line looks like this:

009096XXXXXX User-Password = 009096XXXXXX

I eventually (after a couple minutes) see the station on the AP status page, but I do not get any accounting packets back. The status page shows the key type as static WEP, not WPA. I cannot pass traffic, however.

If I go back and set up the security to none, I get the same results. It seems I must be missing something in the radius reply that the AP is waiting for. Any help would be appreciated.





4 REPLIES
Matt Hobbs
Honored Contributor

Re: Procurve 420 WAP - Mac auth with radius / dhcp

Hi Randy,

The Management & Configuration guide on page 7-10 says that RADIUS MAC authentication does not work with WPA(802.1x) or WPA-PSK. It only works with Static or Dynamic WEP.

It doesn't say anything about setting the security to none though.. I would have assumed that would work.

Since you have the RADIUS server already, I would recommend you move to WPA(802.1x) only if possible; the MAC authentication can easily be beaten if someone is really trying.

Don't forget to assign points to posts that have helped you.

Matt
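
The Access-Request behind the MAC authentication discussed above, as an added example that is not part of the original posts: it builds the request a MAC-auth access point would send, with the MAC as both User-Name and User-Password (as in the users-file line in the question), and decodes it the way the RADIUS server does per RFC 2865. The only credential is the station's MAC address, which is not a secret. The sample MAC, the shared secret and the lower-case, separator-free MAC format are assumptions.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code and attribute types

def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = mixed if hiding else block  # chaining always uses the hidden block
        out += mixed
    return out

def build_mac_auth_request(mac: str, secret: bytes, ident: int = 1,
                           authenticator: bytes = None) -> bytes:
    """Access-Request for MAC auth: the MAC is sent as both name and password."""
    authenticator = authenticator or os.urandom(16)
    user = mac.replace(":", "").replace("-", "").lower().encode()  # assumed format
    padded = user + b"\x00" * (-len(user) % 16)
    hidden = _xor_blocks(padded, secret, authenticator, True)
    attrs = b""
    for attr_type, value in ((USER_NAME, user), (USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_request(packet: bytes, secret: bytes) -> dict:
    """Decode the header and the two attributes a users-file entry is matched against."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("missing User-Name or User-Password")
    password = _xor_blocks(attrs[USER_PASSWORD], secret, authenticator, False).rstrip(b"\x00")
    return {"id": ident, "user": attrs[USER_NAME].decode(),
            "password": password.decode(errors="replace")}

def server_accepts(packet: bytes, secret: bytes, users: dict) -> bool:
    """Mirror of a users-file check: accept when the stored password equals the one sent."""
    req = parse_request(packet, secret)
    return users.get(req["user"]) == req["password"]
```

Feeding a captured request and the shared secret to `parse_request` shows exactly which User-Name string the users-file entry has to match.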
Randy Cosby
Occasional Contributor

Re: Procurve 420 WAP - Mac auth with radius / dhcp

Thanks Matt.

We are trying to find a way to get the most security while avoiding the need to distribute / install certificates to the end users. From what I've read, that should be possible with 802.1x on some platforms, but not Windows. Am I mistaken?

Any other insights into why mac auth would not work with Radius? Other reply attributes I need to return?
Brook Miller
Advisor

Re: Procurve 420 WAP - Mac auth with radius / dhcp

You can use 802.1x authentication without certificates, using PEAP with MS-CHAP V2.

You need to install a certificate on the RADIUS server only for this.
Randy Cosby
Occasional Contributor

Re: Procurve 420 WAP - Mac auth with radius / dhcp

Can you clarify - does it have to be a certain type of certificate? My radius server came with some sample certificates, and instructions for installing some on the client computers. If I use a recognized certificate authority, would those work automatically?

Also any more hints would be appreciated on why mac auth doesn't work in unsecure mode. Any pointers to radius reply attributes would help.

thanks again,

Randy