
802.1X Fail Comware 5.20.99 Switch HPE 1920

 
BarretoEric
Occasional Visitor


Hi, 

I have been having trouble configuring dynamic VLAN on Comware 5.20.99 switches. I'm authenticating against an NPS. Below are the settings:

#
dot1x
dot1x quiet-period
dot1x timer quiet-period 30
dot1x retry 3
dot1x timer handshake-period 30
dot1x authentication-method eap

#

 

radius scheme my.domain
primary authentication myserver1 1645
primary accounting myserver1 1646
key authentication cipher mypass
key accounting cipher mypass
user-name-format without-domain
nas-ip myip
#
domain my.domain
authentication lan-access radius-scheme my.domain
accounting lan-access radius-scheme my.domain
access-limit disable
state active
idle-cut disable
self-service-url disable

#####

interface GigabitEthernet1/0/34
port auto-power-down
stp edged-port enable
dot1x guest-vlan 300
dot1x auth-fail vlan 300
dot1x critical vlan 300
dot1x critical recovery-action reinitialize
undo dot1x handshake
dot1x mandatory-domain my.domain
dot1x

###########

When authenticating on the computer, the NPS log shows the following:

Network Policy Server granted access to a user.

User:
Security ID: NULL SID
Account Name: myuser
Account Domain: -
Fully Qualified Account Name: -

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 00-XX-XX-XX-XX-27

NAS:
NAS IPv4 Address: myip
NAS IPv6 Address: -
NAS Identifier: SWCORE-GP-CS03-L302
NAS Port-Type: Ethernet
NAS Port: 16916481

RADIUS Client:
Client Friendly Name: SW-GPSP-CORE02
Client IP Address: 10.120.0.16

Authentication Details:
Connection Request Policy Name: Requisicao_Redirecionamento
Network Policy Name: -
Authentication Provider: RADIUS Proxy
Authentication Server: myip
Authentication Type: -
EAP Type: -
Account Session Identifier: 31323030323035313632306134303130
Logging Results: Accounting information was written to the local log file.

Quarantine Information:
Result: -
Session Identifier: 

####

Even though NPS is successful, the computer remains in authentication failure. I have this same configuration on Comware 3 switches and it works normally.

The only additional configuration that exists in Comware 3 is vlan-assignment-mode string; however, this configuration is unavailable in Comware 5.20.99.

Can you help me?

Emil_G
HPE Pro
Solution

Re: 802.1X Fail Comware 5.20.99 Switch HP 1920

Hello, 

In the domain configuration, please also configure your RADIUS server as the authorization source for LAN access. It should look like this in the configuration:

#
domain my.domain
authentication lan-access radius-scheme my.domain
authorization lan-access radius-scheme my.domain
accounting lan-access radius-scheme my.domain
access-limit disable
state active
idle-cut disable
self-service-url disable

On the interface, you should make sure that MAC VLAN is enabled; otherwise a dynamic RADIUS VLAN cannot be assigned. MAC VLAN also requires the port to be in link-mode hybrid.

 

 

I am an HPE employee
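
A configuration check for the omission fixed in the answer above, as an added example that is not part of the original thread and not HPE tooling: it parses `domain` sections from a saved Comware configuration and flags any domain whose lan-access authentication uses a RADIUS scheme while authorization does not resolve to the same one. The function names and the fallback order (`lan-access` line, then `default` line, then local) are assumptions of this sketch.

```python
import re

PHASES = ("authentication", "authorization", "accounting")
LINE = re.compile(r"(authentication|authorization|accounting)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")

def parse_domains(config):
    """Map each 'domain <name>' section to {phase: {access_type: (method, scheme)}}."""
    domains, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # '#' closes the current section
            current = None
        elif (d := re.fullmatch(r"domain\s+(\S+)", line)):
            current = domains.setdefault(d.group(1), {p: {} for p in PHASES})
        elif current is not None and (m := LINE.match(line)):
            phase, access, method, scheme = m.groups()
            current[phase][access] = (method, scheme)
    return domains

def lan_access_findings(domains):
    """Return (domain, authn, authz) for domains whose lan-access authorization
    does not use the same RADIUS scheme as lan-access authentication."""
    findings = []
    for name, phases in domains.items():
        # Assumption: without a lan-access line the 'default' line applies,
        # and with neither the switch falls back to local.
        pick = lambda p: (phases[p].get("lan-access")
                          or phases[p].get("default") or ("local", None))
        authn, authz = pick("authentication"), pick("authorization")
        if authn[0] == "radius-scheme" and authz != authn:
            findings.append((name, authn, authz))
    return findings

# Domain section as first posted in the thread (no authorization line).
BEFORE = """\
domain my.domain
authentication lan-access radius-scheme my.domain
accounting lan-access radius-scheme my.domain
access-limit disable
state active
"""
# Same section with the line from the accepted answer added.
AFTER = BEFORE.replace(
    "accounting lan-access",
    "authorization lan-access radius-scheme my.domain\naccounting lan-access", 1)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lan_access_findings(parse_domains(cfg)) or "ok")
```

Run against a saved configuration, an empty result means every domain that authenticates 802.1X users over RADIUS also authorizes them through the same scheme.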



BarretoEric
Occasional Visitor

Re: 802.1X Fail Comware 5.20.99 Switch HP 1920

Adding lan-access radius-scheme my.domain authorization solved my problem.

Thank you very much.