04-08-2016 04:49 AM
Dot1x Authentication fail E63018
Hi all,
First, I'm sorry that my English is not good.
I configured iMC (7.2) with UAM and have already synced users from the LDAP server and the LDAP policy.
When a client authenticates to the switch, the iMC log shows what is in picture 1,
and this is the configuration on the HP 5500 switch:
dot1x
dot1x timer handshake-period 30
dot1x authentication-method eap
dot1x domain-delimiter @\
radius scheme accessuser
 server-type extended
 primary authentication xx.xx.xx.xx key cipher -
 primary accounting xx.xx.xx.xx key cipher -
 timer response-timeout 5
 user-name-format without-domain
 nas-ip xx.xx.xx.xx
 retry 5
 accounting-on enable
domain lab
 authentication default radius-scheme mac-authen
 authorization default radius-scheme mac-authen
 accounting default radius-scheme mac-authen
 authentication login radius-scheme mgmt-switch local
 authorization login radius-scheme mgmt-switch local
 accounting login radius-scheme mgmt-switch local
 authentication lan-access radius-scheme accessuser
 authorization lan-access radius-scheme accessuser
 accounting lan-access radius-scheme accessuser
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 743
 port trunk pvid vlan 743
 voice vlan 104 enable
 poe enable
 port-security max-mac-count 3
 port-security intrusion-mode disableport-temporarily
 undo dot1x handshake
 undo dot1x multicast-trigger
 dot1x
#
But if I configure the LDAP server to add the prefix domain/, it can be done. But I want to delimit the domain.
Thank you, and please help.
04-08-2016 06:25 PM
Re: Dot1x Authentication fail E63018
OK - first, I'm running 7.1, so there may be slight differences.
Sorry, but your English is unclear, but I think you want to have the login be user@domain.com, correct? Apologies if I misunderstand.
Looks like your switch has sent user@domain.com - that is the login name.
But your LDAP has brought over just user as the account name. So you need to remove @domain.com.
I don't think your switch config is doing that - even though it looks like you have tried. Check with Wireshark the packets sent to imc.
To remove @domain.com in imc go to User > User Access Policy > LDAP Service > LDAP Server > your server
For account format use Remove Suffix and delimiter @
You can't edit current setup so create new.
Hope I understand correctly and this helps you.
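The capture check suggested above can also be scripted. This is an added example, not part of the original post: it parses a RADIUS Access-Request (RFC 2865) and returns the User-Name attribute and the EAP identity carried in EAP-Message, so both can be compared with the account name synced from LDAP. The sample packet, the name `alice@lab` and all function names are constructed for illustration.

```python
import struct
USER_NAME, EAP_MESSAGE = 1, 79  # RADIUS attribute types (RFC 2865, RFC 3579)

def radius_attrs(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("truncated packet or bad RADIUS length field")
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def identities(packet):
    """Return (User-Name, EAP identity or None) from an Access-Request."""
    user, eap = None, b""
    for atype, value in radius_attrs(packet):
        if atype == USER_NAME:
            user = value.decode("utf-8", "replace")
        elif atype == EAP_MESSAGE:
            eap += value  # one EAP packet may span several attributes
    eap_id = None
    if len(eap) >= 5 and eap[0] == 2 and eap[4] == 1:  # Response / Identity
        eap_id = eap[5:struct.unpack("!H", eap[2:4])[0]].decode("utf-8", "replace")
    return user, eap_id

def split_domain(name, delimiters="@\\"):
    """Split user@domain or domain\\user into (user, domain or None)."""
    if "@" in delimiters and "@" in name:
        return tuple(name.rsplit("@", 1))
    if "\\" in delimiters and "\\" in name:
        return tuple(reversed(name.split("\\", 1)))
    return name, None

def classify(name, account):
    """Compare one name seen on the wire with the LDAP-synced account name."""
    if name == account:
        return "match"
    return "domain-not-stripped" if split_domain(name or "")[0] == account else "mismatch"

def build_sample(name):
    """Constructed Access-Request (not a real capture) carrying `name`."""
    n = name.encode()
    eap = struct.pack("!BBHB", 2, 1, 5 + len(n), 1) + n
    attrs = bytes([USER_NAME, 2 + len(n)]) + n + bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs
```

Feed `identities()` the UDP payload of a captured Access-Request and pass each returned name to `classify()` together with the account name shown in iMC.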
04-10-2016 09:36 AM
Re: Dot1x Authentication fail E63018
Thank you for the reply @NeilR
I want to remove @domain.com on my switch before sending to iMC by using this command
dot1x domain-delimiter @\
but when the switch sends the username to iMC it includes @domain.com
So how can I remove @domain.com before sending to iMC?
Sorry, my English is not clear.
04-11-2016 10:06 AM
Re: Dot1x Authentication fail E63018
No worries on English - I understand you wish to remove @domain.com from the userid sent from the switch to imc.
My apologies as I have all my 802.1x users running on Procurve switch not comware. We get full user name.
My comware is limited to server side switches, but looking at documentation I have, I don't see info on dot1x delimiter for my versions
But they do say as pre-requisite to "Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users" and I do not see that in your configuration - only for MAC authentication. So you might look at that.
My comment above was on how to remove @domain.com AFTER it got sent to imc.
If you want to remove BEFORE it is sent to imc then the comware configuration is the issue. My comware knowledge is too limited to help you. So Sorry.