NAP with 2 HP ProCurve switches, the one on the edge works as supplicant

  • Question

  • Hello,

I have trouble setting up a test lab where the switch HP ProCurve 2650 on the network edge works as a supplicant and passes through all authentication to the next switch, an HP ProCurve 2610, which is 802.1x aware and then authenticates the user against Windows 2008 NPS.

I know that the ProCurve 2650 supports 802.1x; I just want to test the scenario where the switch does not support 802.1x.

    My config:

Switch 2650, not 802.1x aware, works as supplicant.

    ip default-gateway 192.168.1.1
    ip routing
    snmp-server community "public" Unrestricted
    vlan 1
       name "Management"
       untagged 1-10,25-50
       ip address 192.168.1.3 255.255.255.0
       no untagged 11-24
       exit
    vlan 4
       name "Noncompliant"
       untagged 11-24
       ip address 40.0.0.3 255.255.255.0
       ip helper-address 192.168.1.97
       tagged 7
       exit
    vlan 2
       name "Guest"
       ip address 20.0.0.3 255.255.255.0
       ip helper-address 192.168.1.97
       tagged 7
       exit
    vlan 3
       name "Compliant"
       ip address 30.0.0.3 255.255.255.0
       ip helper-address 192.168.1.97
       tagged 7
       exit
    aaa authentication port-access eap-radius
    radius-server host 192.168.1.97
    aaa port-access authenticator 25
    aaa port-access authenticator 25 unauth-vid 2
    aaa port-access supplicant 11,13-24
aaa port-access supplicant 11 identity "000000270880" <- MAC address of the switch, used to authenticate it in RADIUS
    aaa port-access supplicant 13 identity "000000270880"
    password manager

Switch 2610, 802.1x aware, works as authenticator.

    hostname "ProCurve Switch 2610-48" 
    mirror-port 47 
    ip default-gateway 192.168.1.1 
    ip routing 
    vlan 1 
       name "Management" 
       untagged 1-12,25-52 
       ip address 192.168.1.2 255.255.255.0 
       no untagged 13-24 
       ip igmp 
       exit 
    vlan 2 
       name "Guest" 
       ip address 20.0.0.2 255.255.255.0 
       ip helper-address 192.168.1.97 
       tagged 7 
       exit 
    vlan 3 
       name "Compliant" 
       ip address 30.0.0.2 255.255.255.0 
       ip helper-address 192.168.1.97 
       tagged 7 
       exit 
    vlan 4 
       name "Non-compliant" 
       untagged 13-24 
       ip address 40.0.0.2 255.255.255.0 
       ip helper-address 192.168.1.97 
       tagged 7 
       exit 
    interface 7,19 
       monitor 
       exit 
    radius-server dead-time 1 
    radius-server timeout 3 
    radius-server retransmit 2 
    radius-server host 192.168.1.97 
    aaa authentication num-attempts 10 
    aaa authentication port-access eap-radius 
    aaa accounting update periodic 15 
    aaa accounting network start-stop radius 
    aaa accounting exec start-stop radius 
    aaa accounting system start-stop radius 
    primary-vlan 4 
    aaa port-access authenticator 13-14
    aaa port-access authenticator 13 server-timeout 5
    aaa port-access authenticator 13 unauth-vid 2
    aaa port-access authenticator 14 server-timeout 5
    aaa port-access authenticator 14 unauth-vid 2
    aaa port-access authenticator active
    aaa port-access mac-based 19 unauth-vid 2
    password manager

    Problem

I managed to authenticate the switch to NPS by creating a user in AD with the MAC address as user name and password, but when I am authenticated I receive only information about one VLAN ID, the one entered first in the Tunnel-Pvt-Group-ID attributes. And when I plug a user machine into the edge switch I am placed only on VLAN 4. The user can authenticate and is still placed in VLAN 4; it should be VLAN 3. Also, I managed to authenticate the switch only when I manually edited the registry to add the MD5 authentication mechanism.

I am not sure if I have configured it correctly; maybe someone can help me understand what's wrong and how it should be configured.

I would post pictures of the NPS config for the switch rule, but I am not allowed to post pictures.

    Thanks in advance
    • Edited by zvondr Friday, June 1, 2012 11:34 AM
    Friday, June 1, 2012 11:32 AM
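The single VLAN the edge switch ends up in, as described under Problem above, is whatever the authenticator decodes from the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes of the RADIUS Access-Accept (tagged per RFC 2868, with the VLAN values from RFC 3580). The following Python is an added example, not code from this thread or from HP or Microsoft: it builds a constructed Access-Accept carrying two tagged VLAN sets, decodes every complete set, and reports the one a switch would apply. The "lowest tag wins" rule in effective_vlan is an assumption chosen to match the "first one entered" observation in the post; the packet contents and the zeroed Authenticator field are constructed, and no Message-Authenticator validation is performed.

```python
"""Decode the RFC 2868 / RFC 3580 VLAN tunnel attributes of a RADIUS Access-Accept."""
import struct

# RADIUS attribute types (RFC 2868) and the VLAN-specific values (RFC 3580)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
ACCESS_ACCEPT = 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def build_access_accept(vlan_sets, identifier=1):
    """Build a constructed Access-Accept with one tagged tunnel set per (tag, vlan_id) pair."""
    body = b""
    for tag, vlan_id in vlan_sets:
        for attr_type, integer in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                                   (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)):
            value = bytes([tag]) + integer.to_bytes(3, "big")  # tag byte + 3-byte integer
            body += bytes([attr_type, 2 + len(value)]) + value
        value = bytes([tag]) + str(vlan_id).encode("ascii")   # tag byte + string
        body += bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(value)]) + value
    # Constructed packet for parsing only: the Authenticator is zeroed, not computed.
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return (code, [(type, raw_value), ...]) after checking the length fields."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("RADIUS length field does not match packet size")
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def split_tag(raw, is_integer):
    """Separate the RFC 2868 tag byte from the value.

    Integer-valued tunnel attributes are always tag + 3 bytes. For the string-valued
    Tunnel-Private-Group-ID a leading byte <= 0x1F is a tag; anything larger is text.
    """
    if is_integer:
        if len(raw) != 4:
            raise ValueError("tunnel integer attribute must be 4 bytes")
        return raw[0], int.from_bytes(raw[1:], "big")
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:].decode("ascii")
    return 0, raw.decode("ascii")


def vlan_assignments(packet):
    """Return {tag: vlan_string} for every complete VLAN/802 tunnel set in an Access-Accept."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return {}
    sets = {}
    for attr_type, raw in attrs:
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, value = split_tag(raw, attr_type != TUNNEL_PRIVATE_GROUP_ID)
        sets.setdefault(tag, {})[attr_type] = value
    return {tag: s[TUNNEL_PRIVATE_GROUP_ID] for tag, s in sets.items()
            if s.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and s.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
            and TUNNEL_PRIVATE_GROUP_ID in s}


def effective_vlan(packet):
    """The one VLAN a port gets: the lowest-tagged complete set (assumption, see lead-in)."""
    sets = vlan_assignments(packet)
    return sets[min(sets)] if sets else None


if __name__ == "__main__":
    reply = build_access_accept([(1, 3), (2, 4)])  # two sets, as in the post's NPS policy
    print("sets carried:", vlan_assignments(reply))
    print("VLAN applied:", effective_vlan(reply))
```

Run it against a capture of your own NPS reply (strip the UDP headers, pass the RADIUS bytes) to confirm which VLAN the policy actually hands out before blaming the switch; an NPS policy that should return only VLAN 3 ought to yield a single tagged set here.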

Answers

  • Hi,

Have been testing; changing the RADIUS address to the other switch's IP did not work.

So far, from the tests I did, I concluded that if the port on the edge switch 2650 that I want to use as a trunk for passing all information about VLANs is configured as a supplicant, it can't also be configured for authentication. So when I removed port authentication on that port, everything worked. Now if I configure some ports to use 802.1x I am able to authenticate using NPS RADIUS and am placed in the correct VLAN.

    Thursday, June 7, 2012 8:13 AM
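The conclusion in the reply above, that a port configured as a supplicant cannot also be an authenticator, is easy to check mechanically before a config is pushed. The following Python is an added example, not code from this thread or from HP: it reads a ProCurve-style running config, expands the port lists on the `aaa port-access supplicant` and `aaa port-access authenticator` lines, and reports ports that hold both roles, plus supplicant ports that also carry tagged VLANs (the trunk situation the reply describes). The sample config is constructed for the example, with port 7 deliberately in both roles; only numeric port names are handled (an assumption, chassis-style names such as A1 are not parsed).

```python
"""Lint a ProCurve-style config for ports that are both 802.1X supplicant and authenticator."""
import re

# Lines of interest. Port lists are numeric, e.g. "11,13-24" (assumption: no chassis names).
PORT_ACCESS_RE = re.compile(r"^\s*aaa port-access (supplicant|authenticator) ([0-9][0-9,\-]*)\b")
VLAN_RE = re.compile(r"^\s*vlan (\d+)\s*$")
TAGGED_RE = re.compile(r"^\s*tagged ([0-9][0-9,\-]*)\s*$")

# Constructed sample: port 7 is the tagged trunk toward the authenticator switch and is
# configured as both supplicant and authenticator, the conflict the reply describes.
SAMPLE_CONFIG = """\
vlan 1
   name "Management"
   untagged 1-6,8-10,25-50
   exit
vlan 3
   name "Compliant"
   tagged 7
   exit
vlan 4
   name "Noncompliant"
   untagged 11-24
   tagged 7
   exit
aaa authentication port-access eap-radius
aaa port-access authenticator 7,25
aaa port-access authenticator 25 unauth-vid 2
aaa port-access supplicant 7,11,13-24
aaa port-access supplicant 11 identity "000000270880"
aaa port-access authenticator active
"""


def expand_ports(spec):
    """Expand a ProCurve port list such as '11,13-24' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return ports


def audit_port_access(config_text):
    """Collect supplicant/authenticator port sets and tagged VLAN membership, then cross-check."""
    roles = {"supplicant": set(), "authenticator": set()}
    tagged = {}          # port -> set of VLAN ids on which it is tagged
    current_vlan = None  # VLAN context while inside a "vlan N ... exit" block
    for line in config_text.splitlines():
        m = VLAN_RE.match(line)
        if m:
            current_vlan = int(m.group(1))
            continue
        if line.strip() == "exit":
            current_vlan = None
            continue
        m = TAGGED_RE.match(line)
        if m and current_vlan is not None:
            for port in expand_ports(m.group(1)):
                tagged.setdefault(port, set()).add(current_vlan)
            continue
        m = PORT_ACCESS_RE.match(line)
        if m:  # per-port option lines ("... 25 unauth-vid 2") also name the port, which is fine
            roles[m.group(1)].update(expand_ports(m.group(2)))
    return {
        "supplicant": roles["supplicant"],
        "authenticator": roles["authenticator"],
        "both_roles": roles["supplicant"] & roles["authenticator"],
        "trunk_supplicants": {p: sorted(v) for p, v in tagged.items() if p in roles["supplicant"]},
    }


def report(config_text):
    """Human-readable findings, one string per problem; an empty list means no conflict."""
    result = audit_port_access(config_text)
    findings = []
    for port in sorted(result["both_roles"]):
        findings.append(f"port {port}: configured as both supplicant and authenticator")
    for port, vlans in sorted(result["trunk_supplicants"].items()):
        findings.append(f"port {port}: supplicant port also carries tagged VLANs {vlans}")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG) or ["no port-access role conflicts found"]:
        print(finding)
```

Feed it the output of `show running-config` from the edge switch; any line reported under "both supplicant and authenticator" is the condition the reply found had to be removed before authentication and VLAN placement worked.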
  • Is this working as you wish now or are there still problems?

    • Marked as answer by zvondr Tuesday, June 12, 2012 8:02 AM
    Thursday, June 7, 2012 4:08 PM

All replies

  • Hi,

I haven't tried to forward authentication requests to a second switch like this, but I'm reasonably sure you should not have the NPS configured as a RADIUS server if you want that kind of setup. The 2650 doesn't need to know that NPS exists at all. It only needs to know about the 2610. You can try setting radius-server host on the 2650 to the IP address of the 2610, but since I haven't tried this I can't guarantee it will work. You might need to find some vendor documentation about how to set up a pass-through.

    -Greg

    Sunday, June 3, 2012 5:26 AM
  • Works as I wanted, so no problem with the solution.

Maybe you have any experience with adding a non-802.1x-aware HP switch 4250tn to authenticate with NPS? This probably needs to be posted in a different area.

    Tuesday, June 12, 2012 8:05 AM
  • Hi Zvondr

Is it possible to know the solution you found to resolve the problem? I have the same problem; would you help me, please?

    Wednesday, September 19, 2012 7:15 AM