07-31-2012 08:45 AM
Unable to do dual authentication
Hello,
I am setting up port-access and I am having issues being able to do 802.1x user-mode and Web auth at the same time.
If I configure the client PC connecting to the port with the 802.1x credentials, it works fine. However, once I remove those settings, it should fall back to Web auth, but it never does.
If I remove the authenticator, web auth works just fine.
How can I enable both and make them work fine?
aaa authentication port-access chap-radius
aaa port-access authenticator 25
aaa port-access authenticator 25 auth-vid 60
aaa port-access authenticator 25 unauth-vid 70
aaa port-access authenticator 25 client-limit 5
aaa port-access authenticator active
aaa port-access web-based 25
aaa port-access web-based 25 redirect-url "http://google.com"
aaa port-access web-based 25 auth-vid 60
aaa port-access web-based 25 unauth-vid 70
aaa port-access web-based dhcp-addr 192.168.70.0 255.255.255.0
Thanks
08-01-2012 02:10 AM
Re: Unable to do dual authentication
Hi,
After you remove the 802.1x credentials from the PC, have you been re-initialising the port to perform the authentication process again, or rebooting the PC?
aaa port-access authenticator <port-list> initialize
I am not too sure if it will fail back to web-based unless you adjust the authentication timers to re-authenticate in a shorter timeframe. I was testing this with 802.1x & NPS, but for the port-access status to update I had to reboot the PC.
HTH
Don't forget to mark a post resolved if your question was answered.
08-01-2012 06:59 AM
Re: Unable to do dual authentication
Ok,
So I left the default for all the 802.1x authenticator and the web-auth, which is 0, meaning it is disabled.
I guess I'll have to change the "reauth-period" for web-auth to 300 s.
But will changing this force re-authentication of already connected and authorized clients? I can't imagine having a client getting dropped out of the authorized VLANs and directed to the web page to enter credentials again.
Any ideas?
Thanks.
08-01-2012 12:33 PM
Re: Unable to do dual authentication
Ok, well I was testing it out with OS X and once OS X is authenticated via web auth, it seems that it will not authenticate a second time, at least for an unknown period of time. I did try changing the different params for reauthentication and timeouts, etc., and none of it worked.
Maybe some sort of bug? I don't know. Now, if the OS X machine has an 802.1X profile, it can authenticate with no problems at all even after moving ports and even switches. This is not possible with web auth on OS X.
Windows clients do work as expected.
Thanks for looking.
08-02-2012 02:38 AM
Re: Unable to do dual authentication
I did a spot of further digging and came across this in the E2620 manual. It could be that it is not the same as the model of switch you are using, but I would be reasonably confident that it is...
The switch supports concurrent 802.1X, Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concurrent operation of Web and MAC authentication with other types of authentication on the same port is not supported. That is, the following authentication types are mutually exclusive on a given port:
• Web and/or MAC Authentication (with or without 802.1X)
• MAC lockdown
• MAC lockout
• Port-Security
How I read this is that you cannot use concurrent authentication methods unless it is MAC and Web, not 802.1x and Web.
HTH.
Don't forget to mark a post resolved if your question was answered.
08-02-2012 07:00 AM
Re: Unable to do dual authentication
Well the docs for the 2910al say:
* Support for concurrent use of 802.1X and either Web authentication or MAC authentication on the same port.
So it is supported for 802.1X and Web or 802.1X and MAC, but not Web and MAC at the same time.
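An added example, not part of the thread or of HPE's documentation: a small Python check that reads `aaa port-access` lines like those in the first post, reports which authentication methods are enabled on each port, and flags combinations treated as unsupported as well as `auth-vid`/`unauth-vid` values that differ between methods on the same port. The function names, the numeric-only port lists, the port 26 sample lines and the `EXCLUSIVE` rule (taken from the last post's reading of the 2910al docs) are assumptions; adjust the rule to your own model's manual.

```python
import re
from collections import defaultdict

# Constructed sample: port 25 lines from the first post; port 26 is hypothetical.
SAMPLE_CONFIG = """\
aaa port-access authenticator 25
aaa port-access authenticator 25 auth-vid 60
aaa port-access authenticator active
aaa port-access web-based 25
aaa port-access web-based 25 auth-vid 60
aaa port-access web-based 26
aaa port-access web-based 26 unauth-vid 70
aaa port-access mac-based 26
aaa port-access mac-based 26 unauth-vid 80
"""
# Assumption: pairs treated as unsupported, per the last post's reading of the 2910al docs.
EXCLUSIVE = [{"web-based", "mac-based"}]
LINE = re.compile(r"^aaa port-access (authenticator|web-based|mac-based) "
                  r"([\d,-]+)(?: (auth-vid|unauth-vid) (\d+))?")

def expand_ports(port_list):
    """Expand a numeric port list such as '1-3,25' into [1, 2, 3, 25]."""
    ports = []
    for part in port_list.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config):
    """Return (methods enabled per port, findings) for a switch config text."""
    methods, vids = defaultdict(set), defaultdict(dict)
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # global lines such as 'authenticator active' name no port
        method, port_list, key, vlan = m.groups()
        for port in expand_ports(port_list):
            methods[port].add(method)
            if key:
                vids[(port, key)][method] = int(vlan)
    findings = []
    for port, used in sorted(methods.items()):
        findings += [f"port {port}: {' + '.join(sorted(pair))} on the same port"
                     for pair in EXCLUSIVE if pair <= used]
    for (port, key), by_method in sorted(vids.items()):
        if len(set(by_method.values())) > 1:
            findings.append(f"port {port}: {key} differs across methods: {sorted(by_method.items())}")
    return dict(methods), findings
```

A VLAN mismatch between methods matters because the VLAN a client lands in would then depend on which method handled it, not on policy.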