HPE Community
HPE Aruba Networking & ProVision-based
1826614 Members
2782 Online
109695 Solutions
New Discussion

Re: HP Procurve AAA authentication to RADIUS not working

 
zaidflodnar
Visitor

‎09-14-2017 10:45 PM

‎09-14-2017 10:45 PM

HP Procurve AAA authentication to RADIUS not working

Hi Guys

 

Nedd Help Here. I have a HP Procurve switch J9627A 2620-48-PoEP Switch with  Software revision RA.15.13.0014 and HP Procurve switch J9776A 2530-24G Switch with Software revision YA.15.12.0007, that will authenticate to RADIUS (Windows 2012 NPS) but not working. We already created a group for this in the AD and registered the NPS to the domain. Below is my configuration.

Windows Server 2012 NPS Configuration:

- Radius Client =

         Settings:

                Friendlyname (HO19xxx),  IP (172.x.x.31),  Shared secret Manual (Ourkeysecret)

         Advance:              

               Vendor Name (RADIUS Standard), Additional Options (all unchecked)

- Connection Request Policy=

      Conditions:

                      Domain\NetAd, NAS Port Type = VPN, Client Friendlyname (HO19xxx), Client IP (172.x.x.31)

- Nework Policies =  

        Overview:

             Policy enabled (checked), Grant Access, Type of network access server (Unspecified)

        Conditions:

              Conditions = Domain\NetAd, NAS port type (VPN), Authentication Type (PAP)

         Constraints:

               Authentication Methods = All unchecked expect for "Unecrypted authentication (PAP, SPAP)

               Idle timeout, Session Timeout, Caller Station ID, Day and Time restrict are as is

               NAS Port Type = VPN 

        Settings:

              Standard = Service-Type (Administrative)

              Vendor Specific = None

              NAP Enforcement = Disabled Auto-remediation 

              Extended State = Blank

              Multilink & BW allocation protocol = Multilink (Server settings determine usage) BAP (50% 2 mins)

              IP Filters = None

              Encryption = All is checked

              IP Settings = Server settings determine IP Add Assignment

 

HP Procurve 2620 & 2530 Configuration:

radius-server host 192.x.x197 key Ourkeysecret
radius-server host timeout 10

aaa authentication login privilege-mode
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa accounting commands stop-only radius
aaa accounting update periodic 10
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
aaa accounting session-id common

 

The aaa accounting is working as it sends logs to the RADIUS Server but the authentication parts is now working. I've tried all the combinations of:

-Authentication Types

- NAS Port Type (Ethernet and VPN)

- Ignore user account dial-in properties (check and uncheck)

- Radius Attribute Standard = Frame-protocol (PPP), Service-Type (Login and Administrative), 

- Tried Vendor Specific Attributes for Cisco-AVPair

But still it doesn't work...

I'm guessing that it has something to do with VSA (Vendor Specific Attributes), but i have no idea how to configure it. Hope you could help me guys.

Thanks in advance

 

 

0 Kudos
3 REPLIES 3
zaidflodnar
Visitor

‎09-16-2017 05:19 PM

‎09-16-2017 05:19 PM

Re: HP Procurve AAA authentication to RADIUS not working

Hope some one can help me on this pls
0 Kudos
zaidflodnar
Visitor

‎09-19-2017 06:15 AM

‎09-19-2017 06:15 AM

Re: HP Procurve AAA authentication to RADIUS not working

This is what i saw on the wireshark packet capture when Radius Client and Radius Server are having conversation.

Radius Client [ACCESS-REQUEST]
username(1): my_username
user-password(2): encrypted
NAS-IP-Address(4): 172.x.x31
NAS-Identifier(32): HO19xxx
NAS-Port-type(61): Virtual(5)
Service-type(6): Exec-user(7)
Message-authenticator(80): <hashes>
vendor-specific(26) v=Microsoft(311)
MS-RAS-Vendor(9): 11
Calling-station-id(31): 172.x.x.166

Radius Server [ACCESS-REJECT]

----------------------------------------------------

I've mirror the config on the network policies conditions and constraints, username and passoword are working on AD

CONDITIONS:
username: my_username
user-password: my_password
NAS-IP-Address: 172.x.x31
NAS-Identifier: HO19xxx
NAS-Port-type: VPN
Service-type: NAS-Prompt user
Message-authenticator: PAP
Client Vendor: Microsoft
MS-RAS-Vendor: 11
Calling-station-id(31): 172.x.x.166

CONSTRAINTS:
Authentication: PAP
NAS Port Type: VPN

SETTINGS:
Radius Attributes = Standard: Service Type: Administrative
.......all other settings are default

 

Am i missing something of configured wrong. Please help me on this guys

 

Thanks

0 Kudos
zaidflodnar
Visitor

‎09-19-2017 06:52 PM

‎09-19-2017 06:52 PM

Re: HP Procurve AAA authentication to RADIUS not working

Any help guys?!!... Please

Tnx

 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.