HPE Community
Switches, Hubs, and Modems
1823982 Members
3618 Online
109667 Solutions
New Discussion юеВ

Re: Radius login for 4104 with 2003 IAS

 
Miika T
Valued Contributor

тАО03-29-2005 04:57 PM

тАО03-29-2005 04:57 PM

Radius login for 4104 with 2003 IAS

I am trying to configure 4104 to authenticate with win server 2003 IAS, so I could login to switch management with windows accounts, not to implement port based authentication. Radius accounts fail to authenticate and IAS logs show that I try to use PAP method, instead of EAP. Any ideas if the problem is on IAS or 4104?

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 30.3.2005
Time: 8:17:37
User: N/A
Computer: SRV
Description:
User INTRA\miika was denied access.
Fully-Qualified-User-Name = intra.foo.bar/users/Miika
NAS-IP-Address = 192.168.168.235
NAS-Identifier = HP ProCurve Switch 4104GL
Called-Station-Identifier =
Calling-Station-Identifier =
Client-Friendly-Name = procurve
Client-IP-Address = 192.168.168.235
NAS-Port-Type = Virtual
NAS-Port =
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type =
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

0 Kudos
10 REPLIES 10
Kell van Daal
Respected Contributor

тАО03-29-2005 10:53 PM

тАО03-29-2005 10:53 PM

Re: Radius login for 4104 with 2003 IAS

The IAS server is saying that you don't have PAP enabled for the remote access policy, while the 4104 is using PAP.
To enable this:
- go to the properties of the remote access policy
- Click "edit profile"
- Click the "authentication" tab
- Check the "Unencrypted Authentication (PAP, SPAP) checkbox
- Click "Ok" twice

You should now be able to log in using your windows accounts (if the rest is configured correctly also ;))
0 Kudos
Miika T
Valued Contributor

тАО03-29-2005 11:27 PM

тАО03-29-2005 11:27 PM

Re: Radius login for 4104 with 2003 IAS

I've enabled PAP in IAS by checking the PAP. But I am uncertain, if AD policies will prevent the login attempts or not, if PAP sends the request unencrypted. I am pretty sure that the procurve side is ok, but should need to configure Routing and remote access server, or is IAS enough? Some documents also suggest that I should check the "store passwords using reversible encryption" in AD user manager.
0 Kudos
Kell van Daal
Respected Contributor

тАО03-29-2005 11:45 PM

тАО03-29-2005 11:45 PM

Re: Radius login for 4104 with 2003 IAS

Routing and Remote access is not needed for a working RADIUS solution, so you don't have to search there.
The user property of storing the password with reversible encryption is correct.
Do note that after checking that box you will have to reset the password to take actually effect.

Did you get another message after enabling chap? Because the message really implies it doesn't on the remote access policy. Maybe you have an access policy higher in the list that gets used?
0 Kudos
Miika T
Valued Contributor

тАО03-30-2005 02:34 AM

тАО03-30-2005 02:34 AM

Re: Radius login for 4104 with 2003 IAS

I deleted all other remote access policies and left only the one that I created for ad usergroup. This policy contains:

NAS-Port-Type matches "Ethernet" AND
Windows-Groups matches "INTRA\switch"

* Grant access permissions

Edit profile/Authentication, I've tried many possibilities (not the correct ones), checkin only PAP, CHAP, not checkin any.

After I got rid of the other policies, the event log changes slightly to this:

EAP-Type =
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.

To make sure, I am trying to login using DOMAIN\username syntax with the login session.

Procurve setup is like this:

HP ProCurve Switch 4104GL# show authentication

Status and Counters - Authentication Information

Login Attempts : 3

| Login Login Enable Enable
Access Task | Primary Secondary Primary Secondary
----------- + ---------- ---------- ---------- ----------
Console | Local None Local None
Telnet | Radius Local Radius Local
Port-Access | Local
SSH | Local None Local None


Status and Counters - General RADIUS Information

Deadtime(min) : 3
Timeout(secs) : 5
Retransmit Attempts : 3
Global Encryption Key :

Auth Acct
Server IP Addr Port Port Encryption Key
--------------- ----- ----- --------------------------------
192.168.168.4 1812 1813 testi
0 Kudos
Regnar Bang Lyngs├╕_2
Frequent Advisor

тАО04-05-2005 12:22 AM

тАО04-05-2005 12:22 AM

Re: Radius login for 4104 with 2003 IAS

From your former it seems that for logins the NAS-Port-Type is Virtual. Your policy matches only Ethernet. Remove the NAS-Port-Type from your policy or change it from Ethernet to Virtual.
0 Kudos
Iwan Bakar
New Member

тАО11-22-2006 12:19 AM

тАО11-22-2006 12:19 AM

Re: Radius login for 4104 with 2003 IAS

All setup guide that I've encountered seems very straight forward and easy to follow.
The only problem is when I tried to use authentication method other than PAP. Even when procurve authentication showing RadiusCHAP, you can only use PAP on the IAS.

Can any of the Procurve guru explain this? Seems to me for every single question about this never goes further than successful PAP authentication
0 Kudos
Iwan Bakar
New Member

тАО11-22-2006 10:42 PM

тАО11-22-2006 10:42 PM

Re: Radius login for 4104 with 2003 IAS

Wow, I did it.
Finally I got to use CHAP for authentication.
Actually I managed to do this last week but was not documented, and both server and switch were turned off on the weekend and has not work since.
This time I wrote down everything, rebooted both server and switch several time and tested successfully after each reboot (for stability and reliability measure)
If anyone interested I will post it here after I tidy up the documentation.
0 Kudos
Matt Hobbs
Honored Contributor

тАО11-30-2006 02:22 PM

тАО11-30-2006 02:22 PM

Re: Radius login for 4104 with 2003 IAS

Hi Iwan,

Do you mind posting your documentation on how you achieved this? I'm sure it will be helpful to others in the future.

Matt
0 Kudos
Jason Stroup
New Member

тАО03-02-2007 06:48 AM

тАО03-02-2007 06:48 AM

Re: Radius login for 4104 with 2003 IAS

Could you post your documentation on here?
0 Kudos
RickL
Frequent Advisor

тАО10-23-2008 08:55 AM

тАО10-23-2008 08:55 AM

Re: Radius login for 4104 with 2003 IAS

I'm trying to get radius authentication working for my switches. While I can get this working with PAP, I need to use some kind of encryption for usernames and passwords. I have been unable to get CHAP or any of the other encrypted authentication methods working using IAS on 2003.

I found this old thread where this exact problems claims to have been solved. However, I don't see the solution. Can someone that has this working post the solution?
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.