
Supplicant configuration on a J9777A 2530-8G against Network Policy Server

 
itatmunich
Visitor


Hi,

 

I am trying to configure a port on a J9777A switch as a supplicant for 802.1X authentication, following these instructions:

 

ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap08-PortAccess%288021x%29.pdf

 

aaa port-access supplicant 1

aaa port-access supplicant identity xxx

aaa port-access supplicant secret

 

The port on the main switch (connected to port 1 of the J9777A) is configured for eap-radius against a Windows RADIUS server (Network Policy Server).

 

Connecting a Windows or Linux Client to the port on the main switch and giving the right username/password works.

 

Connecting the J9777A with the same username/password does not work. I get this error message on the domain controller:

 

Authentifizierungstyp:        EAP
    EAP-Typ:            -
    Kontositzungs-ID:        -
    Protokollierungsergebnisse:            Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
    Ursachencode:            22
    Ursache:                Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.

In English it could sound like:

The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

 

This sounds very clear, so I tried to allow other EAP protocols in the network policy, like CHAP and so on, but this did not help. Are there any ideas how to further investigate or solve the problem?

 

Thanks, Helge
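
One way to investigate a reason code 22 like the one above is to capture the EAP packets on the authenticator port and decode which method each side proposes. The following is an added example, not part of the original post: the function names are hypothetical, the sample bytes are constructed, and it assumes the mismatch shows up as an EAP Nak as defined in RFC 3748.

```python
import struct

# EAP codes and a few method types (RFC 3748 and the IANA EAP registry)
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
         25: "PEAP", 26: "EAP-MSCHAPv2"}

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    out = {"code": CODES.get(code, str(code)), "id": ident,
           "type": None, "wants": []}
    if code in (1, 2) and length >= 5:      # only Request/Response carry a Type
        etype, data = pkt[4], pkt[5:length]
        out["type"] = TYPES.get(etype, str(etype))
        if code == 2 and etype == 3:        # Nak: data lists the desired methods
            out["wants"] = [TYPES.get(t, str(t)) for t in data]
    return out

def diagnose(packets, server_methods):
    """Return methods the supplicant asked for that the server policy lacks."""
    missing = []
    for p in map(parse_eap, packets):
        for m in p["wants"]:
            if m not in server_methods and m not in missing:
                missing.append(m)
    return missing

# Constructed sample exchange (not taken from a capture in this thread)
SAMPLE = [
    bytes.fromhex("0101000501"),        # Request/Identity
    bytes.fromhex("0201000801787878"),  # Response/Identity "xxx"
    bytes.fromhex("010200061920"),      # Request/PEAP with Start flag
    bytes.fromhex("020200060304"),      # Response/Nak, wants MD5-Challenge
    bytes.fromhex("04020004"),          # Failure
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_eap(raw))
    print("not offered by server:", diagnose(SAMPLE, {"PEAP", "EAP-TLS"}))
```

A method reported by diagnose() is one the supplicant requests but the RADIUS policy does not allow, which is the situation the server reports as an EAP type it cannot process.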

1 REPLY 1
itatmunich
Visitor

Re: Supplicant configuration on a J9777A 2530-8G against Network Policy Server

I opened a case at HP and it was escalated to Level 3 Support - here is the solution / workaround that helped:

I tried the hotfix first, which wasn't applicable, so I added the registry keys manually.

 

 

“Our switches use EAP-MD5 when acting as supplicant when the port-access “eap-radius” is set, and the customer is using a radius server that does not have native support for Md5-challenge.

 

Windows 2003/IAS, freeradius and some other RADIUS servers do natively support md5-challenge, however Microsoft removed this from Windows Vista onwards.

The good news is that we can (re)enable support for Md5 in Windows 2008 and in Windows 2008 R2.

 

Windows 2008:
  • Follow the steps to create the registry keys, as outlined here:

       http://support.microsoft.com/kb/922574/en-us

  • Reboot the server
  • Add Md5-challenge to the NPS policy

 

Windows 2008 R2: (customer can also use the same steps as above for windows 2008)