General setup of FreeRADIUS with 3COM SuperStack® 4 Switch 5500G-EI

nklein
Occasional Visitor

Hello,

I am currently trying to establish a setup of a FreeRADIUS server together with a 3COM SuperStack® 4 Switch 5500G-EI switch. I want to try to configure multiple things to check the capabilities of RADIUS, for example SSH authentication to the switch with RADIUS or Port Based Network Access Control with 802.1X.

First, my RADIUS server. It is FreeRADIUS 3.0.13 on CentOS Linux release 7.5.1804 (Core). As a management interface I am using Daloradius version 0.9-9. I think my RADIUS setup is fine so far; I added some clients and users and tested the connection with the NTRadPing Test Utility (https://www.novell.com/coolsolutions/tools/14377.html):

My RADIUS debug output prints the following when I send an authentication request (a screenshot should be attached to this post):

(0) Sent Access-Accept Id 4 from 10.1.22.135:1812 to 10.1.100.103:63899 length 0
(0) Finished request

So, looks like it is working.

Now my problem is, how do I configure the switch? I have read multiple sections of the official documentation (http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c02583472-1.pdf). I have tried to apply the sample configurations, like the one on page 267, without success.

If I go through the steps as described in the documentation and activate 802.1X on a port, the device on that port just has no access to the network anymore. That sounds reasonable, as I should have to authenticate first. If I try that with the NTRadPing Test Utility, nothing ever reaches my RADIUS server.

I have created users, I have created RADIUS schemes and domains and linked them. I created ACLs where they were needed for the configuration examples, but my RADIUS server never got any request from the switch.

I will post some configuration information below in case someone wants to have a look.

<5500G-EI>display domain
0  Domain = geutebrueck
   State = Active
   Default Scheme : RADIUS Scheme = radius1
   Access-limit = Disable
   Vlan-assignment-mode = Integer
   Domain User Template:
   Idle-cut = Disable
   Self-service = Disable
   Messenger Time = Disable

1  Domain = system
   State = Active
   Default Scheme : Local
   Access-limit = Disable
   Vlan-assignment-mode = Integer
   Domain User Template:
   Idle-cut = Disable
   Self-service = Disable
   Messenger Time = Disable
SchemeName  =radius1                          Index=1    Type=standard
Primary Auth IP  =10.1.22.135      Port=1812
Primary Acct IP  =10.1.22.135      Port=1813
Auth Server Encryption Key= secret123
Acct Server Encryption Key= secret123
Accounting method = optional
Accounting-On packet disable, send times = 15 , interval = 3s
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts       =5
Retry sending times of noresponse acct-stop-PKT =500
nas-ip:Source-IP-address                        =N/A
Quiet-interval(min)                             =5
Username format                                 =without-domain
Data flow unit                                  =Byte
Packet unit                                     =1
calling_station_id format             in lowercase
Primary Auth IP  =10.1.22.135
  State(unit)=A(1)  (A:Acitve/B:Block)
Primary Acct IP  =10.1.22.135
  State(unit)=A(1)
<5500G-EI>display ssh user-information
 Username            Authentication-type  User-public-key-name  Service-type
 administrator       password             null                  stelnet
 switchadmin         password             null                  stelnet
[5500G-EI]display dot1x interface GigabitEthernet 1/0/10
 Global 802.1X protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Handshake is enabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
 EAD Quick Deploy is disabled

 Configuration: Transmit Period     30 s,  Handshake Period       15 s
                ReAuth Period     3600 s,  ReAuth MaxTimes        2
                Quiet Period        60 s,  Quiet Period Timer is disabled
                Supp Timeout        30 s,  Server Timeout         100 s
                Interval between version requests is 30s
                Maximal request times for version information is 3
                The maximal retransmitting times          2
 EAD Quick Deploy configuration:
                Acl-timeout:   30 m

 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 0

 GigabitEthernet1/0/10  is link-up
   802.1X protocol is enabled
   Proxy trap checker is disabled
   Proxy logoff checker is disabled
   Version-Check is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Mac-based
   ReAuthenticate is disabled
   Max number of on-line users is 256

   Authentication Success: 0, Failed: 0
   EAPOL Packets: Tx 3, Rx 0
   Sent EAP Request/Identity Packets : 3
        EAP Request/Challenge Packets: 0
   Received EAPOL Start Packets : 0
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 0
            EAP Response/Challenge Packets: 0
            Error Packets: 0

   Controlled User(s) amount to 0
[5500G-EI]display interface GigabitEthernet 1/0/10
 GigabitEthernet1/0/10 current state : UP
 IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-57bf-c64a
 Media type is twisted pair, loopback not set
 Port hardware type is 1000_BASE_T
 1000Mbps-speed mode, full-duplex mode
 Link speed type is autonegotiation, link duplex type is autonegotiation
 Flow-control is not enabled
 The Maximum Frame Length is 9216
 Broadcast MAX-ratio: 100%
 Unicast MAX-ratio: 100%
 Multicast MAX-ratio: 100%
 Allow jumbo frame to pass
 PVID: 1
 Mdi type: auto
 Port link-type: access
  Tagged   VLAN ID : none
  Untagged VLAN ID : 1
 Last 300 seconds input:  249 packets/sec 16073 bytes/sec
 Last 300 seconds output:  1201 packets/sec 1490265 bytes/sec
 Input(total):  2967887 packets, 190970349 bytes
         276 broadcasts, 2400 multicasts, 0 pauses
 Input(normal):  - packets, - bytes
         - broadcasts, - multicasts, - pauses
 Input:  0 input errors, 0 runts, 0 giants,  - throttles, 0 CRC

Any help is appreciated, and I will provide any requested information if possible.

Greetings,

nklein
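The counters in the `display dot1x interface` output above locate the failure more precisely than the RADIUS debug log can: the port has transmitted 3 EAP Request/Identity frames and received nothing back (EAPOL Rx 0, EAP Response/Identity 0). An 802.1X authenticator only sends a RADIUS Access-Request once it has an EAP Response/Identity to forward, so with a silent supplicant the switch has no reason to contact the server at all; a RADIUS test client such as NTRadPing running on the client PC is not an EAPOL supplicant and does not change that. The following script is an added example, not code from the post or from HPE/3Com, that parses the per-port counters and the scheme's server state (the `State(unit)=A/B` lines) in the layout quoted above and reports the first stage of the exchange that is broken. The sample inputs are constructed to match the post's output; the exact text of the counter lines is assumed from that quote and may differ on other Comware releases.

```python
import re

# Constructed sample: per-port excerpt in the layout of the post's
# "display dot1x interface GigabitEthernet 1/0/10" output (not a live capture).
SAMPLE_DOT1X = """\
 GigabitEthernet1/0/10  is link-up
   802.1X protocol is enabled
   The port is an authenticator
   Port Control Type is Mac-based
   Authentication Success: 0, Failed: 0
   EAPOL Packets: Tx 3, Rx 0
   Sent EAP Request/Identity Packets : 3
        EAP Request/Challenge Packets: 0
   Received EAPOL Start Packets : 0
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 0
            EAP Response/Challenge Packets: 0
            Error Packets: 0
"""

# Constructed sample: server-state tail of the post's "display radius scheme" output.
SAMPLE_SCHEME = """\
Primary Auth IP  =10.1.22.135
  State(unit)=A(1)  (A:Acitve/B:Block)
Primary Acct IP  =10.1.22.135
  State(unit)=A(1)
"""

# One regex per counter; anchor text is taken from the quoted output format.
COUNTER_PATTERNS = {
    "auth_success":      r"Authentication Success:\s*(\d+)",
    "auth_failed":       r"Failed:\s*(\d+)",
    "eapol_tx":          r"EAPOL Packets:\s*Tx\s*(\d+)",
    "eapol_rx":          r"EAPOL Packets:\s*Tx\s*\d+,\s*Rx\s*(\d+)",
    "req_identity_tx":   r"Sent EAP Request/Identity Packets\s*:\s*(\d+)",
    "req_challenge_tx":  r"EAP Request/Challenge Packets\s*:\s*(\d+)",
    "eapol_start_rx":    r"Received EAPOL Start Packets\s*:\s*(\d+)",
    "resp_identity_rx":  r"EAP Response/Identity Packets\s*:\s*(\d+)",
    "resp_challenge_rx": r"EAP Response/Challenge Packets\s*:\s*(\d+)",
    "error_rx":          r"Error Packets\s*:\s*(\d+)",
}


def parse_dot1x_port(text):
    """Return the port's 802.1X state flags and counters as a dict of bools/ints."""
    port = {
        "link_up": "is link-up" in text,
        "dot1x_enabled": "802.1X protocol is enabled" in text,
        "is_authenticator": "The port is an authenticator" in text,
    }
    for name, pattern in COUNTER_PATTERNS.items():
        match = re.search(pattern, text)
        port[name] = int(match.group(1)) if match else 0
    return port


def diagnose(port):
    """Return (stage, explanation) for the first broken step, in protocol order:
    port state -> EAPOL from the supplicant -> RADIUS round trip -> result."""
    if not (port["link_up"] and port["dot1x_enabled"] and port["is_authenticator"]):
        return ("port", "Port is down, 802.1X is off, or the port is not an authenticator.")
    if port["eapol_tx"] == 0:
        return ("no_request", "Switch has sent no EAP Request/Identity; check the port configuration.")
    if port["resp_identity_rx"] == 0:
        # Without a Response/Identity the authenticator has nothing to forward,
        # so it does not send a RADIUS Access-Request at this point.
        return ("supplicant_silent",
                "Request/Identity sent but no EAP Response/Identity received; the client is not "
                "answering EAPOL (no supplicant running), so no RADIUS request is generated.")
    if port["auth_success"] > 0:
        return ("ok", "At least one authentication succeeded on this port.")
    if port["auth_failed"] > 0:
        return ("rejected", "RADIUS answered but rejected the user; check the server's debug output.")
    if port["req_challenge_tx"] > 0:
        return ("in_progress", "Challenge forwarded to the client but no final result yet.")
    return ("radius_silent",
            "Identity received but nothing came back from the server; check reachability from "
            "the switch, the shared secret, and the domain/scheme the user name maps to.")


def blocked_radius_servers(scheme_text):
    """Return the roles (Auth/Acct) whose server the switch has marked Block.
    A blocked server receives no requests until the quiet interval expires."""
    pairs = re.findall(r"Primary (Auth|Acct) IP\s*=\S+\s*State\(unit\)=([AB])", scheme_text)
    return [role for role, state in pairs if state == "B"]


if __name__ == "__main__":
    stage, why = diagnose(parse_dot1x_port(SAMPLE_DOT1X))
    print(f"{stage}: {why}")
    print("blocked servers:", blocked_radius_servers(SAMPLE_SCHEME) or "none")
```

On the output quoted in the post the script reports `supplicant_silent`, which is consistent with the server never seeing a request. Once a supplicant answers and the identity counter rises while no challenge follows, the next thing to verify is the scheme's server state: after repeated timeouts the switch marks the server `B` (Block) for the configured quiet interval (5 minutes here) and sends nothing during that time, which can look like a configuration error while it is only a back-off.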