Deploying NAP 802.1x Enforcement w/ 3com 4500 or 5500
- Hi!
I am trying to get the 802.1x Step-by-Step Guide to work in my test lab. I followed the instructions and everything seems to be OK, as my switch (3Com 4500) gets a RADIUS Access-Accept from the NAP server (the logs look good too). Unfortunately the switch sends an EAP-Failure message to the client and the port stays down.
I know that this isn't a support forum for 3Com but I would really appreciate any help.
Here is my configuration (the client uses port 1/0/5):
====================================
4500>display current-configuration
#
private-group-id mode standard
#
local-server nas-ip 127.0.0.1 key 3com
#
domain default enable ams
#
igmp-snooping enable
#
dot1x
dot1x authentication-method eap
#
undo password-control aging enable
undo password-control length enable
password-control login-attempt 3 exceed lock-time 360
#
radius scheme system
radius scheme radius1
primary authentication 192.168.0.2
accounting optional
key authentication secret
timer response-timeout 5
retry 5
user-name-format without-domain
#
domain ams
scheme radius-scheme radius1
domain system
#
local-user admin
service-type ssh telnet terminal
level 3
local-user manager
service-type ssh telnet terminal
level 2
local-user monitor
service-type ssh telnet terminal
level 1
#
acl number 4999
rule 0 deny dest 0000-0000-0000 ffff-ffff-ffff
#
vlan 1
description DEFAULT_VLAN
igmp-snooping enable
#
vlan 2
description NONCOMPLIANT_VLAN
#
vlan 3
description COMPLIANT_VLAN
#
interface Vlan-interface1
ip address 192.168.0.3 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
stp edged-port enable
broadcast-suppression PPS 3000
priority trust
packet-filter inbound link-group 4999 rule 0
dot1x port-method portbased
[...]
interface Ethernet1/0/5
stp edged-port enable
broadcast-suppression PPS 3000
priority trust
packet-filter inbound link-group 4999 rule 0
dot1x port-method portbased
dot1x
[...]
interface GigabitEthernet1/0/25
dot1x port-method portbased
#
interface GigabitEthernet1/0/26
dot1x port-method portbased
#
interface GigabitEthernet1/0/27
shutdown
dot1x port-method portbased
#
interface GigabitEthernet1/0/28
shutdown
dot1x port-method portbased
#
sysname 4500
undo xrn-fabric authentication-mode
#
interface NULL0
#
snmp-agent
snmp-agent local-engineid 8000002B001AC12D89C06877
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
#
user-interface aux 0 7
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
====================================
Thanks in advance.
Wolfgang
Replies
Generally, you will configure your switch to do 802.1x port-based authentication with EAP (Extensible Authentication Protocol), of which, PEAP is a specific EAP method. So configuring the switch to do EAP is usually the 'right thing' - the switch need not know the specific EAP method, only that it must perform as an EAP pass-through device to the RADIUS server (NPS, in this case).
That being said, I'm guessing that the switch is receiving some option value (attribute) that it does not understand within the Access-Accept.
The first thing I'd check is - on the RADIUS client entry on the NPS, is the 'client is NAP capable' box checked or unchecked? In the case of 802.1x PEAP-based NAP, this box should be unchecked, as the switch itself (the RADIUS client) does not, in fact, understand NAP. It does not need to, as the NAP specifics are hidden within the PEAP authentication.
After you verified that, if it still isn't working, I'd start removing options/attributes from the policy profile sent back in the Access-Accept (these are the items located on the Settings tab of an NPS Network Policy) and see if you can isolate which attribute is causing the switch to drop the transaction.
Please get back to us and let us know whether either of these investigations provides relief...
-Chris
Chris.Edson@online.microsoft.com *
SDET, Network Access Protection
* Remove the "online" to make the address valid.
** This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by Greg Lindsay MSFT, Owner, Thursday, 17 July 2008 15:33
Wolfgang -
I'm not familiar with those specific switch models - did you contact 3COM to come to this conclusion? Or was it from reviewing their documentation for those devices?
-Chris
Chris.Edson@online.microsoft.com *
SDET, Network Access Protection
* Remove the "online" to make the address valid.
** This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by Greg Lindsay MSFT, Owner, Thursday, 17 July 2008 15:33
All replies
- Hi!
Some additional information:
I configured 802.1x authentication mode to EAP (see configuration above, as I would like to have PEAP).
=========================================================
[4500]dot1x authentication-method ?
chap CHAP(Challenge Handshake Authentication Protocol) authentication
method.It's default.
eap EAP(Extensible Authentication Protocol) authentication method(support
eap-tls, eap-md5, peap, eap-ttls)
pap PAP(Password Authentication Protocol) authentication method
=========================================================
I have no way to set a PEAP option directly; the switch says it uses EAP-MD5:
=========================================================
[4500]display dot1x int e 1/0/5
Equipment 802.1X protocol is enabled
EAP MD5-Challenge authentication is enabled
DHCP-launch is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
=========================================================
In debug mode one can see that the switch gets the RADIUS Access-Accept but it fails to send EAPoL-Success:
=========================================================
*0.152874829 4500 8021X/8/EVENT:- 1 -Port:4,Auth:397,Resource exists.
*0.152874830 4500 8021X/8/EVENT:- 1 -Port:4,Auth:397,Sent EAP Msg to 1X-Queue.
*0.152874920 4500 8021X/8/EVENT:- 1 -Auth:397,Msg: EAP MD5-Challenge.
*0.152875526 4500 8021X/8/EVENT:- 1 -Auth:397,Msg: Auth request ack for succeed, ACM->1X.
*0.152875528 4500 8021X/8/EVENT:- 1 -Auth:397,Processing node SUCCESS...
*0.152875529 4500 8021X/8/EVENT:- 1 -Auth:397,Sending EAPoL-Success...
*0.152875530 4500 8021X/8/EVENT:- 1 -Auth:397,Failed to send EAPoL-Notification...
*0.152875531 4500 8021X/8/EVENT:- 1 -Auth:397,Processing node WORKING...
=========================================================
I do not have an explanation for this. Does anyone have a hint for me?
Thanks in advance.
Wolfgang
- Hi!
Thanks for your time.
First to your post:
1) Yes, the box is unchecked.
2) I disabled all policies and made a new one which grants access to all clients without restrictions. Unfortunately I get the same behavior.
Though I have some new information:
The switch does not fail to send EAP-Success, it fails to send EAP notification (I do not know if this is a problem).
The client is authenticated after getting EAP-Success and is in the right VLAN (the status of the LAN connection is activated). The switch sends handshake messages (Identity Request) within a defined period (15 seconds), and the client answers with Identity-Response. This is correct behavior, BUT the status of the LAN connection changes here! (It says that it tries to authenticate again.) After about 100 seconds the client does not send Identity-Response any more, and the switch sends EAP-Failure.
I do not get valuable information from switch debugging. The client does not send the responses any more and so the switch sends EAP-Logoff.
Do you have an idea for my problem?
Thanks in advance!
Wolfgang
edit: I also tried a 3Com 5500 switch - no difference
- And some more information:
As I already said, the switch fails to send EAP-Notification. I guess this is the problem here. After EAP-Success and the first Request-Identity message, the client thinks it is not authenticated and sends EAPoL-Start again.
Are the 3com switches not compatible with Microsoft 802.1x implementation (I also tried 802.1x NAP Enforcement with Windows XP)?
Best regards,
Wolfgang
- Hi!
Final conclusion:
It is not possible for me to deploy NAP 802.1x Enforcement with the 3Com 4500 or 5500 switch family. Today I tried a Cisco Catalyst 3550 and my test lab works perfectly.
Best regards,
Wolfgang
- I wouldn't rule out the 3COM one working. I notice you had CHAP enabled. You cannot use CHAP or PAP as this is non-compliant with PEAP. It has to be EAP. Also make sure you're using RC1 code as it fixed a policy processing issue.
Hi,
I'm starting a LAB to test 802.1x enforcement with NAP using 3Com 4500 switches (our network is 3Com...).
Do you know if these problems are solved?
I will face the same problems soon in the next few days, and this is important information.
Regards
PCS
Hi,
I'm having the same problem, and I've got the following error messages:
*0.48853233 SW02 8021X/8/EVENT:- 1 -Auth:15,End pocessing challenge action...
*0.48853318 SW02 8021X/8/EVENT:- 1 -Auth:15,Msg:Indentity, Supplciant->Authenticator.
*0.48853418 SW02 8021X/8/EVENT:- 1 -Auth:15,Processing challenge trans...
*0.48853510 SW02 8021X/8/EVENT:- 1 -Auth:15,End processing challenge trans...
*0.48853600 SW02 8021X/8/PACKET:- 1 -Port:42,Received a EAPOL packet.
*0.48853667 SW02 8021X/8/PACKET:- 1 -Port:42,NOT a Eapol-start.
*0.48853750 SW02 8021X/8/PACKET:- 1 -Port:42,Auth:0,PacketType: EAPOL-PACKET.
*0.48853833 SW02 8021X/8/PACKET:- 1 -Port:42,Auth:0,EAP Type: Response.
*0.48853918 SW02 8021X/8/EVENT:- 1 -Port:42,Auth:15,Resource exists.
*0.48853983 SW02 8021X/8/PACKET:- 1 -Port:42,Auth:15,Code Type: Nak.
*0.48854077 SW02 8021X/8/EVENT:- 1 -Port:42,Auth:15,Send Msg to 802.1X-Msg-Queue successfully.
*0.48854183 SW02 8021X/8/PACKET:- 1 -Port:42,End processing the packet received.
Has anyone solved these problems?
Regards,
Andre
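Wolfgang's 4500 log earlier in the thread and Andre's SW02 log just above share one line format, so they can be triaged with a small parser instead of by eye. The script below is an added example written for this page, not code from 3Com, Microsoft or any poster. Its symptom table encodes two facts: an EAP-Nak from the supplicant means it rejected the EAP method the switch offered (which is what a PEAP client does when the switch terminates EAP-MD5 itself), and "Sending EAPoL-Success" followed by "Failed to send EAPoL-Notification" is the pattern Wolfgang describes. The sample captures are copied from the two posts, with Wolfgang's one wrapped line rejoined; the finding texts are my wording.

```python
import re

# One 3Com/H3C VRP 802.1X debug line, as pasted in this thread:
#   *<ticks> <sysname> 8021X/8/<EVENT|PACKET>:- 1 -[Port:N,][Auth:N,]<message>
LINE_RE = re.compile(
    r"^\*(?P<ticks>\d+(?:\.\d+)?)\s+(?P<host>\S+)\s+8021X/8/"
    r"(?P<kind>EVENT|PACKET):-\s*\d+\s*-(?P<body>.*)$"
)
PREFIX_RE = re.compile(r"^(?:(?:Port|Auth):\d+,)*")
FIELD_RE = re.compile(r"(Port|Auth):(\d+)")

# Message fragments worth flagging and what the thread says they mean.
SIGNATURES = [
    ("Code Type: Nak", "nak",
     "supplicant answered EAP-Nak: it rejected the EAP method the switch offered; "
     "check for 'dot1x authentication-method eap'"),
    ("Msg: EAP MD5-Challenge", "md5_offered",
     "switch is running EAP-MD5 itself rather than relaying PEAP to RADIUS"),
    ("Sending EAPoL-Success", "success",
     "switch relayed the RADIUS Access-Accept to the supplicant"),
    ("Failed to send EAPoL-Notification", "notification_failed",
     "switch could not send the EAPoL-Notification that follows EAPoL-Success"),
]


def parse_line(line):
    """Return a dict for one 8021X debug line, or None if the line is in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body").strip()
    rec = {"ticks": float(m.group("ticks")), "host": m.group("host"),
           "kind": m.group("kind"), "port": None, "auth": None}
    for key, val in FIELD_RE.findall(PREFIX_RE.match(body).group(0)):
        rec[key.lower()] = int(val)          # Port:42 -> port=42, Auth:15 -> auth=15
    rec["msg"] = PREFIX_RE.sub("", body, count=1).strip()
    return rec


def diagnose(lines):
    """Parse a capture; return the records plus (tag, port, auth, explanation) findings."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    findings = [(tag, r["port"], r["auth"], why)
                for r in records for needle, tag, why in SIGNATURES if needle in r["msg"]]
    return {"records": records, "findings": findings}


def verdict(findings):
    """Reduce the findings to the single most telling symptom."""
    tags = {f[0] for f in findings}
    if "nak" in tags:
        return "method-mismatch"
    if "success" in tags and "notification_failed" in tags:
        return "accepted-but-notification-failed"
    if "md5_offered" in tags:
        return "md5-in-progress"
    return "no-known-symptom"


# Sample input copied from the two posts (Wolfgang's wrapped line rejoined).
WOLFGANG_CAPTURE = """\
*0.152874829 4500 8021X/8/EVENT:- 1 -Port:4,Auth:397,Resource exists.
*0.152874830 4500 8021X/8/EVENT:- 1 -Port:4,Auth:397,Sent EAP Msg to 1X-Queue.
*0.152874920 4500 8021X/8/EVENT:- 1 -Auth:397,Msg: EAP MD5-Challenge.
*0.152875526 4500 8021X/8/EVENT:- 1 -Auth:397,Msg: Auth request ack for succeed, ACM->1X.
*0.152875528 4500 8021X/8/EVENT:- 1 -Auth:397,Processing node SUCCESS...
*0.152875529 4500 8021X/8/EVENT:- 1 -Auth:397,Sending EAPoL-Success...
*0.152875530 4500 8021X/8/EVENT:- 1 -Auth:397,Failed to send EAPoL-Notification...
*0.152875531 4500 8021X/8/EVENT:- 1 -Auth:397,Processing node WORKING...
""".splitlines()

ANDRE_CAPTURE = """\
*0.48853233 SW02 8021X/8/EVENT:- 1 -Auth:15,End pocessing challenge action...
*0.48853318 SW02 8021X/8/EVENT:- 1 -Auth:15,Msg:Indentity, Supplciant->Authenticator.
*0.48853418 SW02 8021X/8/EVENT:- 1 -Auth:15,Processing challenge trans...
*0.48853510 SW02 8021X/8/EVENT:- 1 -Auth:15,End processing challenge trans...
*0.48853600 SW02 8021X/8/PACKET:- 1 -Port:42,Received a EAPOL packet.
*0.48853667 SW02 8021X/8/PACKET:- 1 -Port:42,NOT a Eapol-start.
*0.48853750 SW02 8021X/8/PACKET:- 1 -Port:42,Auth:0,PacketType: EAPOL-PACKET.
*0.48853833 SW02 8021X/8/PACKET:- 1 -Port:42,Auth:0,EAP Type: Response.
*0.48853918 SW02 8021X/8/EVENT:- 1 -Port:42,Auth:15,Resource exists.
*0.48853983 SW02 8021X/8/PACKET:- 1 -Port:42,Auth:15,Code Type: Nak.
*0.48854077 SW02 8021X/8/EVENT:- 1 -Port:42,Auth:15,Send Msg to 802.1X-Msg-Queue successfully.
*0.48854183 SW02 8021X/8/PACKET:- 1 -Port:42,End processing the packet received.
""".splitlines()

if __name__ == "__main__":
    for name, capture in (("4500", WOLFGANG_CAPTURE), ("SW02", ANDRE_CAPTURE)):
        result = diagnose(capture)
        print(f"{name}: {len(result['records'])} lines, verdict {verdict(result['findings'])}")
        for tag, port, auth, why in result["findings"]:
            print(f"  [{tag}] port={port} auth={auth}: {why}")
```

Run as-is it reports "method-mismatch" for Andre's SW02 capture and "accepted-but-notification-failed" for Wolfgang's 4500 capture; feed it `terminal debugging` output from your own switch to see which of the two you are looking at before changing the NPS side.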
- I realise this is a bit late, but I've been working on getting this working with some Huawei switches, and I've got a couple of notes. Maybe some of it will help others.
Firstly, regarding the last comment from Andre:
I got those logs "0.48853983 SW02 8021X/8/PACKET:- 1 -Port:42,Auth:15,Code Type: Nak" when I didn't have the:
dot1x authentication-method eap
line added to my config. From looking at traffic captures, I realised it was trying to do MD5 auth, but the client was responding with Nak, desired method PEAP.
I was then having the same problem with clients successfully authenticating, then being kicked off a minute later. This seemed to be related to the 15s handshake that occurs. The client wasn't responding properly to it. Adding the line "undo dot1x handshake enable" stopped the switch from sending the handshake, which then meant the client stayed authenticated. This is not ideal though - I'm not quite sure how to get the handshake to work properly here.
I've also found that you can't disable the handshake on some VRP versions - e.g. 1510P02. You can disable it on 1602P08.
I also had some issues with dynamic VLANs, until adding "vlan-assignment-mode string" under the domain config.
I'll try out a few more things, see if I can work out why the handshake doesn't work - unless anyone else out there has some bright ideas?
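The three settings northlandboy names (`dot1x authentication-method eap`, `undo dot1x handshake enable`, `vlan-assignment-mode string`) can all be checked in a `display current-configuration` dump before anyone touches NPS. The script below is an added example for this page, not 3Com tooling or any poster's code: it splits an unindented VRP-style dump into global and per-context commands (the layout as pasted in this thread; it assumes `#` ends a section) and applies those three checks plus a global-enable check. `ORIGINAL_CONFIG` is abridged from Wolfgang's first post; `FIXED_CONFIG` is a constructed variant with the two lines from this reply added.

```python
import re

# Lines that open a configuration context in a 3Com/H3C VRP dump. Assumption: the dump
# is unindented, exactly as pasted in this thread, and a '#' line closes the context.
CONTEXT_RE = re.compile(r"^(interface|domain|radius scheme)\s+(\S+)$")


def parse_vrp(text):
    """Split a 'display current-configuration' dump into global commands and
    per-context command lists keyed by interface / domain / radius scheme name."""
    cfg = {"global": [], "interface": {}, "domain": {}, "radius scheme": {}}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("[...]"):
            ctx = None                      # '#' separates sections in the dump
            continue
        m = CONTEXT_RE.match(line)
        if m:
            ctx = (m.group(1), m.group(2))
            cfg[m.group(1)].setdefault(m.group(2), [])
            continue
        (cfg[ctx[0]][ctx[1]] if ctx else cfg["global"]).append(line)
    return cfg


def lint(cfg):
    """Return the settings this thread identifies as needed for PEAP/NAP that are missing."""
    g = cfg["global"]
    findings = []
    if "dot1x" not in g and "port-security enable" not in g:
        findings.append("neither 'dot1x' nor 'port-security enable' is present globally")
    if "dot1x authentication-method eap" not in g:
        findings.append("'dot1x authentication-method eap' missing: the switch will run "
                        "CHAP/EAP-MD5 itself and a PEAP supplicant will answer with a Nak")
    if "undo dot1x handshake enable" not in g:
        findings.append("'undo dot1x handshake enable' missing: the 15 s Request/Identity "
                        "handshake makes Windows supplicants restart authentication")
    if not any("vlan-assignment-mode string" in cmds for cmds in cfg["domain"].values()):
        findings.append("no domain has 'vlan-assignment-mode string': VLAN names sent by "
                        "NPS will not be applied")
    return findings


def dot1x_ports(cfg):
    """Interfaces where authentication is actually switched on (not just a port-method)."""
    return sorted(name for name, cmds in cfg["interface"].items()
                  if "dot1x" in cmds or any(c.startswith("port-security port-mode") for c in cmds))


# Abridged from the switch configuration in the first post of this thread.
ORIGINAL_CONFIG = """\
#
dot1x
dot1x authentication-method eap
#
radius scheme radius1
primary authentication 192.168.0.2
accounting optional
key authentication secret
user-name-format without-domain
#
domain ams
scheme radius-scheme radius1
domain system
#
interface Ethernet1/0/1
stp edged-port enable
dot1x port-method portbased
#
interface Ethernet1/0/5
stp edged-port enable
dot1x port-method portbased
dot1x
#
"""

# Constructed variant: the same dump with the two lines from this reply added.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "dot1x authentication-method eap\n",
    "dot1x authentication-method eap\nundo dot1x handshake enable\n").replace(
    "scheme radius-scheme radius1\n",
    "scheme radius-scheme radius1\nvlan-assignment-mode string\n")

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_vrp(text)
        print(f"{label}: 802.1X enabled on {dot1x_ports(cfg)}")
        for finding in lint(cfg) or ["no findings"]:
            print("  -", finding)
```

On Wolfgang's config it reports the missing handshake and VLAN-assignment lines and nothing else, which matches where the thread ended up; it only lists port 1/0/5 as authenticating because the other ports carry a `dot1x port-method` but no `dot1x`.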
- I've just been doing a few traffic captures, with handshaking enabled, and I've found this:
The client sends a start message, and the switch sends a request/identity. They then go through exchanging data with TLSv1, before the switch sends a Success message.
At that point the icon on my system (XP SP3) tray says that the connection succeeded. 15s later (the default handshake timer interval) the switch sends a "Request, Identity" message, which my laptop responds to with a "Response, Identity" message. At this point my network icon starts saying that it is trying to authenticate - it's like it thinks that the authentication process is starting again. I think that it then expects to see a "Request, PEAP" packet.
Instead, 15s later, it receives another "Request, Identity" message, which it responds to again. That process repeats 4 times. Then, 90s after the original Success message, my laptop stops responding to the "Request, Identity" handshake messages. At this point the network icon on my laptop says that Authentication failed.
After the switch has sent two requests out, waited 15s for each of them, and had no response, it decides that the client has disconnected, and sends a Failure message. It sends two Request/Identity messages every 30s, but my laptop no longer responds to any of them.
Anyone have any ideas on how to either disable the handshaking, or configure the client to respond properly?
- Yet one more thing:
In my Event Viewer logs, I'm seeing this every 15s, for a short while after the initial authentication succeeded message:
Event Type: Information
Event Source: Dot3Svc
Event Category: None
Event ID: 15504
Date: 18/08/2008
Time: 6:21:43 p.m.
User: N/A
Computer: LAPTOP
Description:
Wired 802.1X Authentication was restarted.
Network Adapter: Broadcom NetLink (TM) Gigabit Ethernet - Packet Scheduler Miniport
Interface GUID: {cdae258b-d1db-41fa-a385-876f3f982bfe}
Connection ID: 0x00000005
Restart Reason: Peer Initiated
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
So the laptop thinks that authentication is being restarted every time it sees that handshake come in from the switch.
It is later followed by this message:
Event Type: Information
Event Source: Dot3Svc
Event Category: None
Event ID: 15506
Date: 18/08/2008
Time: 6:22:13 p.m.
User: N/A
Computer: LAPTOP
Description:
Network authentication attempts have been temporarily suspended on this network adapter.
Network Adapter: Broadcom NetLink (TM) Gigabit Ethernet - Packet Scheduler Miniport
Interface GUID: cdae258b-d1db-41fa-a385-876f3f982bfe
Reason Code: 458756
Length of block timer (seconds): 1200
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
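Those two Dot3Svc records are enough to script the check, so a real reauthentication loop can be told from a one-off restart without watching the tray icon. The script below is an added example for this page, not Microsoft's or any poster's code: it parses Event Viewer records in the text layout shown above, groups event 15504 "Peer Initiated" restarts that arrive within 30 s of each other, and reports any 15506 block timer. The sample log is constructed from the two records above by repeating the restart at the switch's 15 s handshake interval; the dd/mm/yyyy date and "p.m." time formats are an assumption matching the locale in the post.

```python
import re
from datetime import datetime, timedelta

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()]*?):\s*(.*)$")
ADAPTER = "Broadcom NetLink (TM) Gigabit Ethernet - Packet Scheduler Miniport"


def parse_timestamp(date_str, time_str):
    """Assumption: Event Viewer here prints dd/mm/yyyy and 'h:mm:ss p.m.' as in the post."""
    ampm = time_str.replace(".", "").upper()        # "6:21:43 p.m." -> "6:21:43 PM"
    return datetime.strptime(f"{date_str} {ampm}", "%d/%m/%Y %I:%M:%S %p")


def parse_events(text):
    """Parse Event Viewer text records into dicts keyed by their 'Field: value' lines."""
    events = []
    for chunk in re.split(r"\n+(?=Event Type:)", text.strip()):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        ev = {}
        for i, line in enumerate(lines):
            m = FIELD_RE.match(line)
            if not m:
                continue
            key, val = m.group(1), m.group(2).strip()
            if key == "Description" and not val and i + 1 < len(lines):
                val = lines[i + 1]                   # description text is on the next line
            ev[key] = val
        if "Event ID" in ev:
            ev["Event ID"] = int(ev["Event ID"])
            ev["timestamp"] = parse_timestamp(ev["Date"], ev["Time"])
            events.append(ev)
    return events


def find_restart_loops(events, max_gap=timedelta(seconds=30), min_count=3):
    """Group 15504 'Peer Initiated' restarts that follow each other within max_gap.
    A run of min_count or more is the reauthentication loop described in the thread."""
    restarts = sorted((e for e in events
                       if e["Event ID"] == 15504 and e.get("Restart Reason") == "Peer Initiated"),
                      key=lambda e: e["timestamp"])
    loops, run = [], []
    for e in restarts:
        if run and e["timestamp"] - run[-1]["timestamp"] > max_gap:
            if len(run) >= min_count:
                loops.append(run)
            run = []
        run.append(e)
    if len(run) >= min_count:
        loops.append(run)
    return loops


def restart_interval(loop):
    """Mean seconds between consecutive restarts (15 s here equals the switch handshake timer)."""
    gaps = [(b["timestamp"] - a["timestamp"]).total_seconds() for a, b in zip(loop, loop[1:])]
    return sum(gaps) / len(gaps)


def block_timers(events):
    """(timestamp, seconds) for each 15506 'authentication attempts suspended' event."""
    return [(e["timestamp"], int(e["Length of block timer (seconds)"]))
            for e in events if e["Event ID"] == 15506]


def _record(event_id, time_str, description, extra):
    """Render one record in the layout shown in the post (constructed sample data)."""
    extra_lines = "\n".join(f"{k}: {v}" for k, v in extra)
    return (f"Event Type: Information\nEvent Source: Dot3Svc\nEvent Category: None\n"
            f"Event ID: {event_id}\nDate: 18/08/2008\nTime: {time_str}\nUser: N/A\n"
            f"Computer: LAPTOP\nDescription:\n{description}\nNetwork Adapter: {ADAPTER}\n"
            f"{extra_lines}\nFor more information, see Help and Support Center at "
            f"http://go.microsoft.com/fwlink/events.asp.")


# Constructed: four restarts 15 s apart, then the 1200 s block 30 s after the last one.
SAMPLE_LOG = "\n\n".join(
    [_record(15504, t, "Wired 802.1X Authentication was restarted.",
             [("Interface GUID", "{cdae258b-d1db-41fa-a385-876f3f982bfe}"),
              ("Connection ID", "0x00000005"), ("Restart Reason", "Peer Initiated")])
     for t in ("6:20:58 p.m.", "6:21:13 p.m.", "6:21:28 p.m.", "6:21:43 p.m.")]
    + [_record(15506, "6:22:13 p.m.",
               "Network authentication attempts have been temporarily suspended on this network adapter.",
               [("Interface GUID", "cdae258b-d1db-41fa-a385-876f3f982bfe"),
                ("Reason Code", "458756"), ("Length of block timer (seconds)", "1200")])])

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for loop in find_restart_loops(events):
        print(f"reauth loop: {len(loop)} peer-initiated restarts, every {restart_interval(loop):.0f} s")
    for when, secs in block_timers(events):
        print(f"supplicant blocked at {when:%H:%M:%S} for {secs} s")
```

A single restart, or restarts minutes apart, never form a loop; four of them 15 s apart followed by a 1200 s block is the signature of the handshake problem, and the 30 s grouping window is deliberately twice the handshake timer so one missed record does not split the run.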
- Hey all,
We have NAP working with 3COM 5500/4500 switches.
Relevant commands from our configuration are:
domain default enable domainname
port-security enable
port-security timer guest-vlan-reauth 600
dot1x authentication-method eap
undo dot1x handshake enable
MAC-authentication timer offline-detect 65535
MAC-authentication timer guest-vlan-reauth 300
MAC-authentication domain schemename
MAC-authentication authmode usernamefixed
MAC-authentication authusername username
MAC-authentication authpassword password
radius scheme schemename
server-type extended
primary authentication 10.0.0.1
secondary authentication 10.0.0.2
accounting optional
key authentication password
user-name-format without-domain
nas-ip 10.0.0.3
calling-station-id mode mode2 uppercase
domain domainname
scheme radius-scheme schemename
vlan-assignment-mode string
interface Ethernet1/0/1
stp edged-port enable
port link-type hybrid
port hybrid vlan 2 untagged
undo port hybrid vlan 1
port hybrid pvid vlan 2
broadcast-suppression pps 3000
undo jumboframe enable
port-security max-mac-count 1
port-security port-mode userlogin-secure-or-mac
port-security guest-vlan 2
dot1x max-user 1
Make sure you're running 3.3.2p05 or later to prevent constant reauthentication with Windows supplicants.
Cheers,
Nick
- northlandboy,
The issue you're having has been fixed in 3.3.2p05 or later.
Cheers,
Nick
- Sorry for digging/reviving an old post, but is there a way of reducing the 1200 second block timer? We're having problems with Broadcom cards and 802.1x here at Hawaii Pacific University. It seems that these cards when they first power up send blank credentials to the switches then go into disabled/block mode for 20 minutes. This is causing our users much pain in the mornings as they can have their logins delayed by up to 30 minutes.
Ricky Li
Network Engineer
Hawaii Pacific University
- Thanks greg
- Northlandboy, I'm having the same problem. Did you get this resolved? I tried "undo dot1x handshake enable" but it didn't seem to make a difference in my results.
Same/Similar issue here.
Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
Read my 2¢ on the Psychology of a TechNet Forum Thread!
- Edited by Mike Crowley Tuesday, 4 August 2009 22:16
My config had the following for each interface:
interface Ethernet1/0/1
poe enable
stp edged-port enable
broadcast-suppression pps 3000
port-security port-mode userlogin-withoui
packet-filter inbound link-group 4999 rule 0
This is the config I want (I have phones and PC on each port) but it seems like the endless reauth cycle goes away when I change port-mode from userlogin-withoui to userlogin.
Obviously not out of the woods yet, but I figured I'd post this update.
Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
Read my 2¢ on the Psychology of a TechNet Forum Thread!
Mike,
The "dot1x dhcp-launch" command fixed my problem. Have you configured it?
HTH,
Nitass
- I saw that command but was not sure of its purpose. I'll give it a try though, at this point any suggestions are welcome!
Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
Read my 2¢ on the Psychology of a TechNet Forum Thread!
- As a follow-up, my problem seemed to be related to the use of the port-security port-mode userlogin-withoui command on the 3com switch.
What I really want to happen is:
1. Phones get put in vlan 2 based on OUI
2. Computers, which are plugged into phones get placed in vlan 3 based on 802.1x
3. Stuff that doesn’t pass first two methods gets placed in guest vlan 4
I would think this is a simple request, but apparently it can’t be accomplished with 3com gear.
Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
Read my 2¢ on the Psychology of a TechNet Forum Thread!
- Hi,
Try the latest firmware for the 4500, s3n03_03_02p05 or newer to resolve the constant authentication issue.
"LSOD09204
First Found-in Version: V3.03.02p03
Condition: Connect PC to port A. Configure port-security on port A (the port-mode is mac-and-userlogin-secure, userlogin-secure-or-mac, mac-else-userlogin-secure, userlogin-secure or userlogin-withoui). Do 802.1X authentication with windows XP client on PC.
Description: After log-in, windows XP client does re-authentication frequently."
Cheers,
Nick
- 3.3.2p05 is now available for the 4500, 5500-SI / 5500-EI and 5500G-EI.