
Re: Unable to do dual authentication

 
rventura
Frequent Advisor

Unable to do dual authentication

Hello,

 

I am setting up port-access and I am having issues being able to do 802.1x user-mode and Web auth at the same time.

 

If I configure the client PC connecting to the port with the 802.1x credentials, it works fine; however, once I remove those settings, it should fall back to Web auth, but it never does.

 

If I remove the authenticator, web auth works just fine.

 

How can I enable both and make them work fine?

aaa authentication port-access chap-radius
aaa port-access authenticator 25
aaa port-access authenticator 25 auth-vid 60
aaa port-access authenticator 25 unauth-vid 70
aaa port-access authenticator 25 client-limit 5
aaa port-access authenticator active
aaa port-access web-based 25
aaa port-access web-based 25 redirect-url "http://google.com"
aaa port-access web-based 25 auth-vid 60
aaa port-access web-based 25 unauth-vid 70
aaa port-access web-based dhcp-addr 192.168.70.0 255.255.255.0

 Thanks

Chrisd131313
Trusted Contributor

Re: Unable to do dual authentication

Hi,

 

After you remove the 802.1x credentials from the PC, have you been re-initialising the port to perform the authentication process again, or rebooting the PC?

 

aaa port-access authenticator <port-list> initialize

 

I am not too sure if it will fail back to web-based unless you adjust the authentication timers to re-authenticate in a shorter timeframe. I was testing this with 802.1x & NPS, but for the port-access status to update I had to reboot the PC.

 

HTH

-----------------------------------------------------

Don't forget to mark a post resolved if your question was answered.
rventura
Frequent Advisor

Re: Unable to do dual authentication

Ok,

 

So I left the default for all the 802.1x authenticator and the web-auth, which is 0, meaning it is disabled.

 

I guess I'll have to change the "reauth-period" for web-auth to 300 s.

 

But will changing this force re-authentication to already connected and authorized clients? I can't imagine having a client getting dropped out of the authorized VLANs and directed to the web page to enter credentials again.

 

Any ideas?

 

Thanks.

rventura
Frequent Advisor

Re: Unable to do dual authentication

Ok, well I was testing it out with OS X and once OS X is authenticated via web auth, it seems that it will not authenticate a second time, at least for an unknown period of time. I did try changing the different params for reauthentication and timeouts, etc., and none of it worked.

 

Maybe some sort of bug? I don't know. Now, if the OS X machine has an 802.1X profile, it can authenticate with no problems at all even after moving ports and even switches. This is not possible with web auth on OS X.

 

Windows clients do work as expected.

 

Thanks for looking.

Chrisd131313
Trusted Contributor

Re: Unable to do dual authentication

I did a spot of further digging and came across this in the E2620 manual. It could be that it is not the same as the model of switch you are using, but I would be reasonably confident that it is...

 

The switch supports concurrent 802.1X, Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concurrent operation of Web and MAC authentication with other types of authentication on the same port is not supported. That is, the following authentication types are mutually exclusive on a given port:

 

• Web and/or MAC Authentication (with or without 802.1X)

• MAC lockdown

• MAC lockout

• Port-Security

 

How I read this is that you can not use concurrent authentication methods unless it is MAC and Web, not 802.1x and Web.

 

HTH.

rventura
Frequent Advisor

Re: Unable to do dual authentication

Well the docs for the 2910al say:

* Support for concurrent use of 802.1X and either Web authentication or MAC authentication on the same port.

 

So it is supported for 802.1X and Web or 802.1X and MAC, but not Web and MAC at the same time.