Hewlett Packard Enterprise Community
Help
cancel
Turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HP ProCurve 2520G-8-PoE RADIUS MAC-Adress Authentication doesn't work

gabeB
Collector
‎09-25-2013 05:26 AM
‎09-25-2013 05:26 AM

HP ProCurve 2520G-8-PoE RADIUS MAC-Adress Authentication doesn't work

Dear HP-Community

 

For testing, I've set up a little VLAN with an HP ProCurve 2520G-8-PoE ,a Proliant DL380R G4 with Windows Server 2008 system and a NPS for the RADIUS authentication  and a normal windows 7 client for testing the authentication. 

 

Now I have followed the "How to configure MAC authentication on a ProCurve switch"-Manual for configuring the right parameters. The only difference is that I also enabled the EAP-MSCHAPv2 encryption, because Windows 7 doesn't support CHAP.

 

Unfortunately my NPS's blocking the client. The error-messages says, that the username and password are wrong:

er Netzwerkrichtlinienserver verweigerte einem Benutzer den Zugriff.

Wenden Sie sich an den Administrator des Netzwerkrichtlinienservers, um weitere Informationen zu erhalten.

Benutzer:
	Sicherheits-ID:			NULL SID
	Kontoname:				009c021b1458
	Kontodomäne:				UEB
	Vollqualifizierter Kontoname:		UEB\00-9c-02-1b-14-58

Clientcomputer:
	Sicherheits-ID:			NULL SID
	Kontoname:				-
	Vollqualifizierter Kontoname:		-
	Betriebssystemversion:			-
	Empfänger-ID:				84-34-97-43-5f-9d
	Anrufer-ID:				00-9c-02-1b-14-58

NAS:
	NAS-IPv4-Adresse:			192.168.210.51
	NAS-IPv6-Adresse:			-
	NAS-ID:					UEBSW01
	NAS-Porttyp:				Ethernet
	NAS-Port:				3

RADIUS-Client:
	Clientanzeigenname:				UEBSW01
	Client-IP-Adresse:			192.168.210.51

Authentifizierungsdetails:
	Name der Verbindungsanforderungsrichtlinie:	GABRIEL
	Netzwerkrichtlinienname:		-
	Authentifizierungsanbieter:		Windows
	Authentifizierungsserver:		UEBSRV.ueb.lokal
	Authentifizierungstyp:		MD5-CHAP
	EAP-Typ:			-
	Kontositzungs-ID:		-
	Protokollierungsergebnisse:			Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
	Ursachencode:			16
	Ursache:				Authentifizierungsfehler aufgrund der Nichtübereinstimmung von Benutzeranmeldeinformationen. Der angegebene Benutzername ist keinem vorhandenen Benutzerkonto zugeordnet, oder das Kennwort war falsch.

 The message is in german, but i hope you get the important information.

 

I 've  also tried it with different syntaxes, but nothing helped.
 
Do you perhaps have a solution?
 
Kind regards
 
gabeBU
0 Kudos
2 REPLIES 2
bjulin
Occasional Advisor
‎10-23-2013 11:52 AM
‎10-23-2013 11:52 AM

Re: HP ProCurve 2520G-8-PoE RADIUS MAC-Adress Authentication doesn't work

 

EAP-MSCHAPv2 is for 802.1x, not for mac-address based authentication.

 

Given the light level of security if you are doing pure mac-based authentication, it would be silly of any RADIUS server to not support CHAP or basic RADIUS authentication.  It's not like, if you're going to allow anyone who can spoof a MAC address on, you really care that their MAC address and its hash are encryped across the wire from the NAS to the AAA server, and if you did, you'd tunnel it through IPSEC before it hot the Internet anyway.  My suggestion might be to consider using a real RADIUS server like FreeRADIUS or radiator, unless you have a compelling reason to use NPS.

 

 

0 Kudos
gabeBU
Occasional Contributor
‎10-29-2013 09:10 AM
‎10-29-2013 09:10 AM

Re: HP ProCurve 2520G-8-PoE RADIUS MAC-Adress Authentication doesn't work

The reason is, that i have to use the NPS, these are the specifications of my boss.  

Also, i HAVE enabled CHAP AND EAP-MSCHAPv2 both at the same time.

0 Kudos