
dot1x authentication

 
timaz
Advisor

dot1x authentication

Hi; I configured IMC with UAM (User Authentication Module) and managed to add Access Users for device management through Telnet and SSH.

But I need to enable dot1x authentication, so whenever a user connects its computer to a switch port, it requests 802.1x authentication to the switch and then to IMC. For this to work, I added an Access User with Access Class and relative Access policies and Access Scenarios; but it did not work. I enabled 802.1x on a notebook with Win8, but how can I set the authenticating protocol on IMC among various options (PEAP, EAP-TLS, ...)? If you have any idea about how to make 802.1x work, let me know. tnx.

24 REPLIES 24
timaz
Advisor

Re: dot1x authentication

Really, isn't there anybody who has used HP IMC to authenticate users with 802.1x? I think authenticating users with IMC (as a RADIUS server) is one of the important roles of IMC. Anyway, if any of you has experienced this, please let me know the details. Do I need to install HP iNode on every client PC or can I use the Windows built-in mechanism for 802.1x authentication? tnx.

NeilR
Esteemed Contributor

Re: dot1x authentication

Yes I'm currently running it with both 802.1x and MAC authentication on every port. Not using inode.

 

Please review this post further back - 4 or 5 on the list:

Computer account issue in IMC/UAM for 802.1x authentication

In various replies from me, I give explanations and screenshots for pretty much everything you need to do except for switch configuration, including client adapter settings.

Hope it helps

 

Neil

timaz
Advisor

Re: dot1x authentication

Thanks for your reply. I will test it 4 sure. But for now I want to configure authentication just by the usernames and passwords with the IMC local Authentication DB. For this I added the All Access User with relative Scenarios, Policies, etc. and enabled 802.1x on the NIC of a client computer which runs Windows 8.1. The switch that I've connected the mentioned client computer to is configured for dot1x and is ready to forward authentication requests to IMC. What can be done after this point? Do I need to configure any certificate or enable any authentication protocol beyond what I've done up to now? tnx a lot.

NeilR
Esteemed Contributor

Re: dot1x authentication

I think you still use PEAP EAP and MS-CHAP v2 but turn off "use Windows credentials" in the adapter (unless they match?). Windows will pop up a user and password box where you enter the UAM credential.

Otherwise try MD5 instead of MS-CHAP.

I'm not running that local option for Windows users.
NeilR
Esteemed Contributor

Re: dot1x authentication

If you use Windows credentials it sends domain\username, so I think for a local user you need to turn it off.
timaz
Advisor

Re: dot1x authentication

The "Automatically Use My Windows Login Name And Password" option is disabled on my computer. I just enabled the "Wired AutoConfig Service" in the services console, then on the "Authentication" tab of the NIC Properties, selected "Microsoft Protected EAP or PEAP" and clicked on Additional Settings, then selected the "User Authentication" option. But after connecting the port to the switch, nothing happens and I cannot reach the network. What can I do?

NeilR
Esteemed Contributor

Re: dot1x authentication

As I'm not using this way, I'm out of specific suggestions. The way I analyzed the setup was to use both the authentication error log under users and Wireshark to observe the behavior and try different settings to understand it.

Sorry I can't help more without setting up a test network and doing the analysis.
timaz
Advisor

Re: dot1x authentication

Hi; I managed to configure parameters in such a way that no the Username and Password prompt appears while connecting the client to the switch port. But although the username and password are correct, authentication fails with the error message that indicates "Invalid Authentication Type" on IMC. I've configured authentication on the IMC Server as follows:

 

Certificate Authentication: EAP
Certificate Type: EAP-PEAP AuthN
Certificate Sub-Type: MS-CHAPV2 AuthN

 

But I'm just using the username and password and did not set up any certificate on any system. The IMC sees the login attempt but it seems there is some misconfiguration about authentication methods. Besides, I've activated 802.1x on the client NIC and selected just "User Authentication" with PEAP and MS-CHAPv2. Any idea?

NeilR
Esteemed Contributor

Re: dot1x authentication

Hmm. IMC side looks right.

Based on what you wrote, not sure how you are sending the UAM credentials from the Windows client w/o the user & password prompt. Where/how did you configure that?

On the Windows client, in PEAP settings, I would try unchecking validate server certificate (if you have this checked I think it will try and use the client certificate, which might explain the error).

Then next to authentication method, secured password (EAP-MSCHAPv2), press the configure button and uncheck send my Windows credentials.

 

This should prompt you on the client for a userid and password, which should be what you configured in UAM, not your windows ID/password. The client can't send them any other way as far as I know, unless you figured out some other method.
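
Added example (not code from any poster in this thread or from HP): the Wireshark approach NeilR describes can be scripted by decoding the EAPOL payload of captured 802.1X frames to see which identity the client sends (plain or domain\username) and which EAP method each side proposes. The frames, the `CORP\alice` identity and the helper names are constructed for illustration; type numbers follow RFC 3748 and the IANA EAP registry.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# 26 normally runs inside the PEAP tunnel, so on the wire you see 25, not 26.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def type_name(t):
    return EAP_TYPES.get(t, f"type-{t}")

def parse_eap(pkt):
    """Decode one EAP packet (RFC 3748 header: code, id, length, [type, data])."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field does not match the captured bytes")
    out = {"code": EAP_CODES.get(code, f"code-{code}"), "id": ident}
    if code in (1, 2) and length >= 5:        # only Request/Response carry a type
        etype, data = pkt[4], pkt[5:length]
        out["type"] = type_name(etype)
        if code == 2 and etype == 1:          # Response/Identity: outer user name
            out["identity"] = data.decode("utf-8", "replace")
            out["has_domain_prefix"] = "\\" in out["identity"]
        elif code == 2 and etype == 3:        # Legacy Nak: methods the client accepts
            out["client_wants"] = [type_name(t) for t in data]
    return out

def parse_eapol(payload):
    """Decode the bytes that follow EtherType 0x888E in an 802.1X frame."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", payload[:4])
    if ptype != 0:                            # 1 = EAPOL-Start, 2 = EAPOL-Logoff
        return {"eapol_type": ptype}
    return parse_eap(payload[4:4 + body_len])

def build(code, ident, etype, data=b""):
    """Build a constructed sample EAPOL payload for the demo below."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

# Constructed samples, not captured from the thread's network.
SAMPLE_IDENTITY = build(2, 1, 1, b"CORP\\alice")       # client sends domain\username
SAMPLE_REQUEST = build(1, 2, 4, b"\x10" + bytes(16))   # server proposes MD5-Challenge
SAMPLE_NAK = build(2, 2, 3, bytes([25]))               # client refuses, asks for PEAP

if __name__ == "__main__":
    for frame in (SAMPLE_IDENTITY, SAMPLE_REQUEST, SAMPLE_NAK):
        print(parse_eapol(frame))
```

A Response/Nak in the capture means the supplicant and the RADIUS server are configured for different EAP methods; a backslash in the identity means the client is still sending Windows credentials.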