01-15-2017 07:39 PM - edited 01-15-2017 07:59 PM
How to delay the mac-based authentication
I want to configure ports for 802.1x authentication with MAC based authentication as fallback. My problem is that, as soon as I plug in my laptop, the switch will use my MAC address for authentication, without giving me a chance to put in username and password on my laptop (Win7 pro) for PEAP.
My laptop is configured to prompt for username and password. I can still put in the username and password in the popup balloon. Once provided, the switch will still do the 802.1x. However, it will fail the first MAC authentication, and the laptop will be put in the wrong VLAN, with the wrong IP, before the subsequent 802.1x corrects the VLAN and IP.
Is there any way to delay the MAC auth? For example, always wait for 10 seconds before trying to use MAC for authentication. I am able to tune the timers on Cisco switches.
I have tried a few timers but none helped my case. Here is my config. Thanks!
radius-server host a.b.c.d key "xxx" acct-port 1813 auth-port 1812
aaa server-group radius "1X" host a.b.c.d
aaa accounting network start-stop radius server-group 1X
aaa authentication port-access eap-radius server-group 1X
aaa authentication mac-based chap-radius server-group 1X
aaa port-access authenticator 23
aaa port-access authenticator 23 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 23
aaa port-access mac-based 23 unauth-vid 1050
Forgot to mention that my switch is HP J9727A 2920-24G-PoE+ with WB.16.02.0014
01-16-2017 08:51 PM
Re: How to delay the mac-based authentication
Anybody know?
11-06-2018 02:00 AM - edited 11-06-2018 02:00 AM
Re: How to delay the mac-based authentication
Nope, I have the same issue and haven't found the answer yet.
The FreeRADIUS wiki page on HP does have an interesting comment that although MAC Auth and 802.1x proceed simultaneously, the result of the 802.1x will always take precedence. So as long as you refrain from setting different VLANs for each method (which would probably cause DHCP issues - the client would take an address from one VLAN then get switched to another) it should not be an issue.
That said, it would be nice to have a proper solution given that Cisco and even HP Comware support a timeout, and ProCurve has so many other timers we can configure, just not this one!
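
An added example, not part of the thread and not HPE tooling: a Python check that scans ProCurve-style configuration text like the one posted above and lists ports where 802.1X and MAC authentication are both enabled and MAC authentication has an unauth-vid, which are the ports where the temporary wrong-VLAN placement described in the thread can happen. The function names and the port-list syntax handled (comma lists and numeric ranges) are assumptions.

```python
import re

# Constructed sample: the port-access lines from the post above, plus one
# constructed port (24) that has 802.1X only.
SAMPLE_CONFIG = """\
aaa port-access authenticator 23
aaa port-access authenticator 23 client-limit 2
aaa port-access authenticator 24
aaa port-access authenticator active
aaa port-access mac-based 23
aaa port-access mac-based 23 unauth-vid 1050
"""

# Only per-port lines match: the port spec must look like 23, 1-4, 1,3,5-8 or A1.
LINE_RE = re.compile(
    r"^aaa port-access (authenticator|mac-based) ([A-Za-z]?\d[\w,/-]*)(?: (.*))?$")

def expand_ports(spec):
    """Expand '1,3,5-8' into ['1','3','5','6','7','8'] (assumed list syntax)."""
    ports = []
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        if m:
            ports += [str(p) for p in range(int(m.group(1)), int(m.group(2)) + 1)]
        else:
            ports.append(part)  # non-numeric port names are kept as written
    return ports

def find_vlan_flip_ports(config_text):
    """Return {port: unauth_vid} for ports running both methods where a failed
    MAC auth places the client in its own VLAN before 802.1X finishes."""
    dot1x, macauth, mac_unauth = set(), set(), {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # global lines such as "authenticator active" are skipped
        method, spec, rest = m.group(1), m.group(2), m.group(3) or ""
        vid = re.search(r"\bunauth-vid (\d+)", rest)
        for port in expand_ports(spec):
            (dot1x if method == "authenticator" else macauth).add(port)
            if method == "mac-based" and vid:
                mac_unauth[port] = int(vid.group(1))
    return {p: v for p, v in mac_unauth.items() if p in dot1x and p in macauth}

if __name__ == "__main__":
    for port, vid in find_vlan_flip_ports(SAMPLE_CONFIG).items():
        print(f"port {port}: MAC-auth unauth-vid {vid} may apply before 802.1X completes")
```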