
802.1x and port-access mac-based config CHAP v2 question

 
jmglass
Occasional Advisor



Greetings and thanks for any/all feedback!

Need to support non-802.1x clients such as game systems. Using port-access with MAC authentication on ProCurve switches, and I am logging on my RADIUS server for these non-802.1x clients:

Handshake Authentication Protocol (CHAP).
A reversibly encrypted password does not exist for this user account.
To ensure that reversibly encrypted passwords are enabled,
check either the domain password policy or the password settings on the user account.

Any support for CHAP v2 when the mac-based is used on the following switches?
HP2848, J4904A revision I.10.82
HP2810, J49022A revision N.11.25
HP2910al, J9147A revision W.14.49

Do not want to change active directory to enable storage of a reversibly encrypted form of the password just for support of gaming systems.

Clients using 802.1x get on OK. If a client is not currently 802.1x capable but able to support it, the client is pushed to registration VLAN 2999, where they will be able to download and configure the 802.1x configuration.

~Snip of current config, a MAC authentication client fails on the CHAP login.


; J9022A Configuration Editor; Created on release #N.11.25
hostname "bf1test01"
snmp-server contact "Resnet"
snmp-server location "BF1 "
mac-age-time 7200
time timezone -300
time daylight-time-rule Continental-US-and-Canada
no cdp run
console inactivity-timer 30
ip default-gateway X.X.X.X
sntp server
timesync sntp
sntp unicast
snmp-server host X.X.X.X
vlan 1
   name "DEFAULT_VLAN"
   untagged 48
   ip address X.X.X.X Y.Y.Y.Y
   no untagged 1-47
   exit
vlan 232
   name "BF1_VLAN"
   untagged 1-47
   no ip address
   tagged 48
   ip igmp
   exit
vlan 2999
   name "Quar_VLAN"
   no ip address
   tagged 48
   exit
no lldp run
aaa authentication port-access eap-radius
radius-server host X.X.X.X
aaa port-access authenticator 1-12
aaa port-access authenticator 1 auth-vid 232
aaa port-access authenticator 1 client-limit 1
aaa port-access authenticator 2 auth-vid 232
aaa port-access authenticator 2 client-limit 1
aaa port-access authenticator 3 auth-vid 232
aaa port-access authenticator 3 client-limit 1
aaa port-access authenticator 4 auth-vid 232
aaa port-access authenticator 4 client-limit 1
aaa port-access authenticator 5 auth-vid 232
aaa port-access authenticator 5 client-limit 1
aaa port-access authenticator 6 auth-vid 232
aaa port-access authenticator 6 client-limit 1
aaa port-access authenticator 7 auth-vid 232
aaa port-access authenticator 7 client-limit 1
aaa port-access authenticator 8 auth-vid 232
aaa port-access authenticator 8 client-limit 1
aaa port-access authenticator 9 auth-vid 232
aaa port-access authenticator 9 client-limit 1
aaa port-access authenticator 10 auth-vid 232
aaa port-access authenticator 10 client-limit 1
aaa port-access authenticator 11 auth-vid 232
aaa port-access authenticator 11 client-limit 1
aaa port-access authenticator 12 auth-vid 232
aaa port-access authenticator 12 client-limit 1
aaa port-access authenticator active
aaa port-access mac-based 1-12
aaa port-access mac-based 1 unauth-vid 2999
aaa port-access mac-based 2 unauth-vid 2999
aaa port-access mac-based 3 unauth-vid 2999
aaa port-access mac-based 4 unauth-vid 2999
aaa port-access mac-based 5 unauth-vid 2999
aaa port-access mac-based 6 unauth-vid 2999
aaa port-access mac-based 7 unauth-vid 2999
aaa port-access mac-based 8 unauth-vid 2999
aaa port-access mac-based 9 unauth-vid 2999
aaa port-access mac-based 10 unauth-vid 2999
aaa port-access mac-based 11 unauth-vid 2999
aaa port-access mac-based 12 unauth-vid 2999
password manager
password operator


thanks!
jim
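
Why a RADIUS server logs the error quoted in the question, as an added example that is not part of the original post: CHAP (RFC 1994) has the server recompute MD5(identifier || password || challenge), which it can only do from a recoverable copy of the password. The MAC value, the challenge, and the assumption that the switch sends the MAC address as both user name and password are constructed for illustration.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap_password(chap_password: bytes, challenge: bytes, stored_cleartext):
    """Check a RADIUS CHAP-Password attribute value (RFC 2865, section 5.3):
    one byte of CHAP identifier followed by the 16-byte response."""
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 1 + 16 bytes")
    if stored_cleartext is None:
        # Only a one-way hash is stored for the account, so the server
        # has nothing to feed into MD5 and cannot check the response.
        raise LookupError("no recoverable password for this account")
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(response, expected)


def demo():
    # Constructed sample values; assumption: MAC is user name and password.
    mac = b"001122aabbcc"
    challenge = bytes(range(16))
    attr = bytes([7]) + chap_response(7, mac, challenge)

    results = {
        "cleartext_available": verify_chap_password(attr, challenge, mac),
        "wrong_password": verify_chap_password(attr, challenge, b"ffffffffffff"),
    }
    try:
        verify_chap_password(attr, challenge, None)  # account stores a hash only
    except LookupError as exc:
        results["hash_only"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```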
2 REPLIES
Jens Egger
Occasional Advisor
Solution

Re: 802.1x and port-access mac-based config CHAP v2 question

Hi Jim,

As far as I know, MS-CHAP v2 is only supported on ProVision devices like 3500/5400/8200. You may build a new trusted tree in the AD forest with its own Group Policy and RADIUS server as a workaround and put the MACs in there.

Cheers


Jens
jmglass
Occasional Advisor

Re: 802.1x and port-access mac-based config CHAP v2 question

Thanks Jens!

jim