Re: 802.1X Fail Comware 5.20.99 Switch HP 1920

 
802.1X Fail Comware 5.20.99 Switch HPE 1920

Hi, 

I have been having trouble configuring dynamic VLAN on the Comware 5.20.99 switches. I'm authenticating on an NPS. Below are the settings:

#
dot1x
dot1x quiet-period
dot1x timer quiet-period 30
dot1x retry 3
dot1x timer handshake-period 30
dot1x authentication-method eap

#

 

radius scheme my.domain
primary authentication myserver1 1645
primary accounting myserver1 1646
key authentication cipher mypass
key accounting cipher mypass
user-name-format without-domain
nas-ip myip
#
domain my.domain
authentication lan-access radius-scheme my.domain
accounting lan-access radius-scheme my.domain
access-limit disable
state active
idle-cut disable
self-service-url disable

#####

interface GigabitEthernet1/0/34
port auto-power-down
stp edged-port enable
dot1x guest-vlan 300
dot1x auth-fail vlan 300
dot1x critical vlan 300
dot1x critical recovery-action reinitialize
undo dot1x handshake
dot1x mandatory-domain my.domain
dot1x

###########

When authenticating on the computer, the NPS log shows the following:

Network Policy Server granted access to a user.

User:
Security ID: NULL SID
Account Name: myuser
Account Domain: -
Fully Qualified Account Name: -

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 00-XX-XX-XX-XX-27

NAS:
NAS IPv4 Address: myip
NAS IPv6 Address: -
NAS Identifier: SWCORE-GP-CS03-L302
NAS Port-Type: Ethernet
NAS Port: 16916481

RADIUS Client:
Client Friendly Name: SW-GPSP-CORE02
Client IP Address: 10.120.0.16

Authentication Details:
Connection Request Policy Name: Requisicao_Redirecionamento
Network Policy Name: -
Authentication Provider: RADIUS Proxy
Authentication Server: myip
Authentication Type: -
EAP Type: -
Account Session Identifier: 31323030323035313632306134303130
Logging Results: Accounting information was written to the local log file.

Quarantine Information:
Result: -
Session Identifier: 

####

Even though NPS is successful, the computer remains with an authentication failure. I have this same configuration on Comware 3 switches and it works normally.

The only additional configuration that exists in Comware 3 is vlan-assignment-mode string; however, this configuration is unavailable in Comware 5.20.99.

Can you help me?

Solution

Re: 802.1X Fail Comware 5.20.99 Switch HP 1920

Hello, 

In the domain configuration, please also configure your RADIUS server as the authorization source for LAN access. It should look like this in the configuration:

#
domain my.domain
authentication lan-access radius-scheme my.domain

authorization lan-access radius-scheme my.domain

accounting lan-access radius-scheme my.domain
access-limit disable
state active
idle-cut disable
self-service-url disable

On the interface, you should make sure that MAC VLAN is enabled; otherwise a dynamic RADIUS VLAN cannot be assigned. MAC VLAN also requires the port to be in link-mode hybrid.

 

 

I am an HPE employee
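
The domain fix described in the reply above can be checked offline against a saved configuration. This is an added example, not part of the original thread and not HPE tooling: it splits a Comware configuration on its `#` separators and flags 802.1X ports whose mandatory domain authenticates against RADIUS without an `authorization lan-access` line. `SAMPLE` is constructed from the configuration posted in the question; the function names are hypothetical.

```python
import re

# Constructed sample: the posted configuration, reduced to the relevant lines.
SAMPLE = """\
#
radius scheme my.domain
 primary authentication myserver1 1645
#
domain my.domain
 authentication lan-access radius-scheme my.domain
 accounting lan-access radius-scheme my.domain
#
interface GigabitEthernet1/0/34
 dot1x mandatory-domain my.domain
#
"""
AAA = re.compile(r"(authentication|authorization|accounting) lan-access radius-scheme (\S+)")

def sections(config):
    """Split a Comware configuration on '#' separator lines into {header: body lines}."""
    out = {}
    for chunk in re.split(r"(?m)^[ \t]*#+[ \t]*$", config):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out

def lint(config):
    """Report 802.1X ports whose mandatory domain cannot apply RADIUS authorization."""
    secs = sections(config)
    schemes = {h.split()[2] for h in secs if h.startswith("radius scheme ")}
    findings = []
    for header, body in secs.items():
        for line in body:
            if not (header.startswith("interface ") and line.startswith("dot1x mandatory-domain ")):
                continue
            name = line.split()[2]
            dom = secs.get(f"domain {name}")
            if dom is None:
                findings.append(f"{header}: domain {name} is not defined")
                continue
            aaa = dict(m.groups() for m in map(AAA.fullmatch, dom) if m)
            if "authentication" in aaa and "authorization" not in aaa:
                findings.append(f"{header}: domain {name} lacks authorization lan-access")
            for role, scheme in aaa.items():
                if scheme not in schemes:
                    findings.append(f"{header}: {role} uses undefined radius scheme {scheme}")
    return findings

print(lint(SAMPLE))
```

The MAC VLAN and hybrid-port requirements from the same reply are not checked here, because the thread does not show the exact interface commands for them.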


Re: 802.1X Fail Comware 5.20.99 Switch HP 1920

Adding lan-access radius-scheme my.domain authorization solved my problem.

Thank you very much.