1827612
Members
2970
Online
109966
Solutions
Hi Galand,
The aaa authentication command is used when configuring access to the actual switch. So, you could configure a local username and password scheme and use those when using console/telnet/web access to the management interface of the switch. You can also configure the authentication method to use a Radius server, which would verify logons to the management interface against Radius.
In order to authenicate users via port-based authentication, Cenk is correct that you would need to implement a Radius server.
The aaa authentication command is used when configuring access to the actual switch. So, you could configure a local username and password scheme and use those when using console/telnet/web access to the management interface of the switch. You can also configure the authentication method to use a Radius server, which would verify logons to the management interface against Radius.
In order to authenicate users via port-based authentication, Cenk is correct that you would need to implement a Radius server.
Hi Galand,
I did some more investigating, and it looks like you can use the local switch username/password scheme as a valid authentication scheme for clients. I will try and set this up on a test switch and see if I can get it working.
Regards,
Jarret
I did some more investigating, and it looks like you can use the local switch username/password scheme as a valid authentication scheme for clients. I will try and set this up on a test switch and see if I can get it working.
Regards,
Jarret
Hi Galand,
I updated a 2650 to H.10.50 software and tested. So far, I am running into authentication failures as well, but am still playing with it.
I also tested using a 5406, which has a slightly different syntax for entering the passwords for local radius. However, looking at the documentation for the 2600's and the 5400's, it does indicate the local switch passwords can be used in lieu of an external radius server.
I'll try and do some more testing today as I feel we are just missing one small piece...
Regards,
Jarret
I updated a 2650 to H.10.50 software and tested. So far, I am running into authentication failures as well, but am still playing with it.
I also tested using a 5406, which has a slightly different syntax for entering the passwords for local radius. However, looking at the documentation for the 2600's and the 5400's, it does indicate the local switch passwords can be used in lieu of an external radius server.
I'll try and do some more testing today as I feel we are just missing one small piece...
Regards,
Jarret
Hi Galand,
I did some more testing this morning. I set up a packet capture using Wireshark on my laptop and configured port 10 on my 2650 as the authenticator port. I also changed my NIC authentication for an EAP type of MD5-Challenge.
Watching the packet capture, I see the following:
1. EAPOL start
2. Identity request from the switch
3. Identity request from my laptop containing the password I entered for authentication
4. Request MD5-Challenge from the switch
5. Response MD5-Challenge from my laptop
6. EAP Success
On the switch, I checked the show port-access authenticator and my port 10 has changed from a status of closed, to a status of open once the EAP Success message was seen in the packet capture.
However, my NIC is still reporting it is "attempting to authenticate". Watching the packet capture for several minutes, the EAP process would run over and over with the same results as above each time.
It looks like using MD5-Challenge, I am getting successfully authenticated and the switch port opens as expected, but something seems to be broken since the NIC never moves into a connected state.
It might be worth opening up a ticket with ProCurve support. My thoughts are that either this is broken, or if it is not an option, then the documentation needs further clarification.
On a sidenote, I checked the documentation of the 5400 series ProCurve, and it also mentions this as an option. The only difference is that instead of using the operator username/password, you actually use a command of password port-access to configure a unique username/password scheme for local port-access.
I did some more testing this morning. I set up a packet capture using Wireshark on my laptop and configured port 10 on my 2650 as the authenticator port. I also changed my NIC authentication for an EAP type of MD5-Challenge.
Watching the packet capture, I see the following:
1. EAPOL start
2. Identity request from the switch
3. Identity request from my laptop containing the password I entered for authentication
4. Request MD5-Challenge from the switch
5. Response MD5-Challenge from my laptop
6. EAP Success
On the switch, I checked the show port-access authenticator and my port 10 has changed from a status of closed, to a status of open once the EAP Success message was seen in the packet capture.
However, my NIC is still reporting it is "attempting to authenticate". Watching the packet capture for several minutes, the EAP process would run over and over with the same results as above each time.
It looks like using MD5-Challenge, I am getting successfully authenticated and the switch port opens as expected, but something seems to be broken since the NIC never moves into a connected state.
It might be worth opening up a ticket with ProCurve support. My thoughts are that either this is broken, or if it is not an option, then the documentation needs further clarification.
On a sidenote, I checked the documentation of the 5400 series ProCurve, and it also mentions this as an option. The only difference is that instead of using the operator username/password, you actually use a command of password port-access to configure a unique username/password scheme for local port-access.
Hi Galand,
Another thought:
I am not sure of your ultimate goal using the port-access with local authentication from the switch, but have you looked at the port-security function as a possible option?
Using port-security, it looks like you can locally define up to eight MAC addresses per port that are authorized to connect. Perhaps this would provide the port-based security without the need for adding a Radius server.
Regards,
Jarret
Another thought:
I am not sure of your ultimate goal using the port-access with local authentication from the switch, but have you looked at the port-security function as a possible option?
Using port-security, it looks like you can locally define up to eight MAC addresses per port that are authorized to connect. Perhaps this would provide the port-based security without the need for adding a Radius server.
Regards,
Jarret