NAP 802.1x Step-by-Step Guide with 3com 4500 Switch

  • Question

  • Hello,

    I am trying to get the 802.1x Step-by-Step Guide to work in my test lab. I have a 3com 4500 26-port switch with software release s3n03_03_02s168p06 on it.
    I read through all the posts in this and other forums but I can't get it to work.

    The main problem is that I don't get a single entry in the event log of the NAP policy server under Custom Views -> Server Roles -> Network Policy and Access Server.

    I did run the command: auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

    In the log file created under "%winroot%\Windows\System32\Logfiles" I can see an "IAS_AUTH_FAILURE".

    Start DateTime;User Name;Stop DateTime;Duration;User IP;Output Octets;Input Octets;Connect Request;Connect Result
    05/06/2010 13:23:58;MATINTRA\mat;05/06/2010 13:23:58;00:00:00;;0;0;;Unknown
    05/06/2010 13:23:58;MATINTRA\mat;05/06/2010 13:23:58;00:00:00;;0;0;;Unknown
    05/06/2010 13:23:58;MATINTRA\mat;05/06/2010 13:23:58;00:00:00;;0;0;;Unknown
    05/06/2010 13:23:58;MATINTRA\mat;05/06/2010 13:23:58;00:00:00;;0;0;;Unknown
    05/06/2010 13:23:59;MATINTRA\mat;05/06/2010 13:23:59;00:00:00;;0;0;IAS_AUTH_FAILURE;Rejected

    That's all I can see. I would really appreciate any help. Thanks a lot...

    This is my configuration of the switch. The client uses port 1/0/1:

    ################################################
    #
     sysname 4500
    #
     undo password-control aging enable
     undo password-control length enable
     undo password-control history enable
     password-control login-attempt 3 exceed lock-time 120
    #
     local-server nas-ip 127.0.0.1 key 3com
    #
     domain default enable matintra.local
    #
     igmp-snooping enable
    #
     port-security enable
     port-security timer guest-vlan-reauth 600
     port-security oui 00e0-bb00-0000 index 1
    #
     undo password-control aging enable
     undo password-control length enable
     undo password-control history enable
     password-control login-attempt 3 exceed lock-time 120
    #
     dot1x
     dot1x authentication-method eap
     undo dot1x handshake enable
    #
    radius scheme system
    radius scheme matintra.local
     server-type extended
     primary authentication 192.168.40.10
     accounting optional
     key authentication secret
     timer response-timeout 5
     retry 5
     user-name-format without-domain
     calling-station-id mode mode2 uppercase
    #
    domain matintra.local
     scheme radius-scheme matintra.local
     vlan-assignment-mode string
    domain system
    #
    local-user admin
     service-type ssh telnet terminal
     level 3
    local-user manager
     password simple manager
     service-type ssh telnet terminal
     level 2
    local-user monitor
     password simple monitor
     service-type ssh telnet terminal
     level 1
    #
    acl number 4999
     rule 0 deny dest 0000-0000-0000 ffff-ffff-ffff
    #
    vlan 1
     description Corporate_VLAN
     igmp-snooping enable
    #
    vlan 2
     description NAP_VLAN
    #
    vlan 3
     description Remediation_VLAN
    #
    interface Vlan-interface1
     ip address 192.168.30.2 255.255.255.0
    #LOCCFG. MUST NOT DELETE
    #
    interface Aux1/0/0
    #
    interface Ethernet1/0/1
     stp edged-port enable
     port link-type hybrid
     port hybrid vlan 3 untagged
     undo port hybrid vlan 1
     port hybrid pvid vlan 3
     broadcast-suppression pps 3000
     undo jumboframe enable
     port-security max-mac-count 1
     port-security port-mode userlogin-secure-ext
     port-security guest-vlan 3
     dot1x max-user 1
    #
    interface Ethernet1/0/2
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/3
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/4
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/5
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/6
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/7
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/8
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/9
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/10
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/11
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/12
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/13
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/14
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/15
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/16
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/17
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/18
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/19
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/20
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/21
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/22
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/23
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface Ethernet1/0/24
     stp edged-port enable
     broadcast-suppression pps 3000
     packet-filter inbound link-group 4999 rule 0
    #
    interface GigabitEthernet1/0/25
    #
    interface GigabitEthernet1/0/26
    #
    interface GigabitEthernet1/0/27
     shutdown
    #
    interface GigabitEthernet1/0/28
     shutdown
    #TOPOLOGYCFG. MUST NOT DELETE
    #
     undo xrn-fabric authentication-mode
    #GLBCFG. MUST NOT DELETE
    #
    interface NULL0
    #
     voice vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Siemens AG phone
     voice vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description Avaya phone
     voice vlan mac-address 0013-1900-0000 mask ffff-ff00-0000 description Cisco 7960 phone
     voice vlan mac-address 0015-2b00-0000 mask ffff-ff00-0000 description Cisco 7940 phone
     voice vlan mac-address 0060-b900-0000 mask ffff-ff00-0000 description Philips and NEC AG phone
    #
     ip route-static 0.0.0.0 0.0.0.0 192.168.30.1 preference 60
    #
     snmp-agent
     snmp-agent local-engineid 8000002B001EC17D87006877
     snmp-agent community read public
     snmp-agent community write private
     snmp-agent sys-info version all
    #
    user-interface aux 0 7
     authentication-mode none
     screen-length 22
    user-interface vty 0 4
     authentication-mode scheme
    #
    return
    ################################################

    Friday, May 7, 2010 6:29 AM
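As an added example (not part of the original post or of NPS itself), a small Python parser for the semicolon-separated NPS log layout shown above. The sample rows are constructed to mirror the post's records, with a second, invented user added so the per-user reject threshold has something to flag.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the same semicolon-separated layout as the log in the
# post (header row, then one record per line). Not real log data: the second
# user is invented to exercise the per-user threshold below.
SAMPLE_LOG = r"""Start DateTime;User Name;Stop DateTime;Duration;User IP;Output Octets;Input Octets;Connect Request;Connect Result
05/06/2010 13:23:58;MATINTRA\mat;05/06/2010 13:23:58;00:00:00;;0;0;;Unknown
05/06/2010 13:23:58;MATINTRA\mat;05/06/2010 13:23:58;00:00:00;;0;0;;Unknown
05/06/2010 13:23:59;MATINTRA\mat;05/06/2010 13:23:59;00:00:00;;0;0;IAS_AUTH_FAILURE;Rejected
05/06/2010 13:30:01;MATINTRA\bob;05/06/2010 13:30:01;00:00:00;;0;0;;Unknown
05/06/2010 13:30:02;MATINTRA\bob;05/06/2010 13:30:02;00:00:00;;0;0;IAS_AUTH_FAILURE;Rejected
05/06/2010 13:30:40;MATINTRA\bob;05/06/2010 13:30:40;00:00:00;;0;0;IAS_AUTH_FAILURE;Rejected
"""


def parse_nps_log(text):
    """Split the log into dict rows keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def summarize(rows):
    """Count Connect Result values per user and collect the reject records.

    In the posted log the rows with an empty Connect Request carry no reason;
    the reason (IAS_AUTH_FAILURE) appears only on the row whose Connect
    Result is 'Rejected', so that is the row worth surfacing."""
    per_user = defaultdict(Counter)
    rejects = []
    for row in rows:
        user = row["User Name"]
        per_user[user][row["Connect Result"]] += 1
        if row["Connect Result"] == "Rejected":
            rejects.append((row["Start DateTime"], user, row["Connect Request"]))
    return per_user, rejects


def users_over_threshold(rows, min_rejects):
    """Users whose reject count reaches min_rejects, sorted for stable output."""
    per_user, _ = summarize(rows)
    return sorted(u for u, c in per_user.items() if c["Rejected"] >= min_rejects)


if __name__ == "__main__":
    parsed = parse_nps_log(SAMPLE_LOG)
    for when, user, reason in summarize(parsed)[1]:
        print(f"{when} {user} rejected: {reason}")
    print("repeat rejects:", users_over_threshold(parsed, 2))
```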

Answers

  • Hi,

    Thank you for your post here.

    From the description, NPS audit logs are not being written to the Event Log for 802.1X enforcement, while they are logged in the NPS log file properly.

    1. Please double-check the NPS log settings with the following command:

    netsh nps show eventlog

    2. The NPS auditing log formats messages based on the locale setting. Please make sure the OS has the corresponding language pack installed that matches the system "locale" setting. If not, change the system locale to "English (United States)".
    a). Start -> Control Panel -> Regional and Language Options
    b). Click the "Administrative" tab, then click the "Change system locale..." button.
    c). Select "English (United States)", click OK and reboot the computer to check how it works.

    If you have any questions or concerns, please do not hesitate to let me know.

    • Marked as answer by maettu99 Tuesday, May 11, 2010 8:58 AM
    Monday, May 10, 2010 6:30 AM
  • From a quick glance...

    Remove the individual:

    dot1x

    You're using port-security (a superset of mac auth and dot1x) and not dot1x alone... (You still need the other two dot1x commands though).

    Also remove:

    port-security oui 00e0-bb00-0000 index 1

    ... as you're not authenticating using that method.

    I have the same switch here working with the following relevant bits of config:

     radius trap authentication-server-down
     radius trap accounting-server-down

     domain default enable yourdomain

     port-security enable
     port-security trap addresslearned
     port-security trap intrusion
     port-security trap dot1xlogon
     port-security trap dot1xlogoff
     port-security trap dot1xlogfailure
     port-security trap ralmlogon
     port-security trap ralmlogoff
     port-security trap ralmlogfailure

     dot1x quiet-period
     dot1x timer quiet-period 10
     dot1x timer tx-period 5
     dot1x retry 1
     dot1x auth-fail-retry 0
     dot1x authentication-method eap
     undo dot1x handshake enable

     MAC-authentication domain yourdomain
     MAC-authentication authmode usernamefixed
     MAC-authentication authusername yourmacauthusername
     MAC-authentication authpassword somesecret

    radius scheme yourscheme
     server-type standard
     primary authentication 192.168.0.1
     primary accounting 192.168.0.1
     accounting optional
     key authentication somesecret
     key accounting somesecret
     accounting-on enable
     calling-station-id mode mode2 uppercase

    domain yourdomain
     scheme radius-scheme yourscheme
     accounting radius-scheme yourscheme
     vlan-assignment-mode vlan-list

    interface Ethernet1/0/1
     stp edged-port enable
     port link-type hybrid
     port hybrid vlan 2 untagged
     undo port hybrid vlan 1
     port hybrid pvid vlan 2
     broadcast-suppression pps 3000
     port-security max-mac-count 1
     port-security port-mode userlogin-secure-or-mac
     port-security intrusion-mode blockmac
     dot1x max-user 1
     dot1x unicast-trigger
     MAC-authentication max-auth-num 1

    F.Y.I. 3.3.2p09 is out with some useful 802.1X fixes... (Update in 2014, 3.3.2p22 is the latest now.)

    • Marked as answer by maettu99 Tuesday, May 11, 2010 8:58 AM
    • Edited by Nick Lowe Tuesday, February 25, 2014 2:46 AM
    Monday, May 10, 2010 2:16 PM
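As an added example (not the switch vendor's or either poster's code), a small Python lint that encodes the two removals and the two "still needed" dot1x commands from this reply, run over a constructed excerpt of the configuration posted in the question:

```python
# Constructed excerpt of the global and port config posted in the question,
# reduced to the lines relevant to the advice in this reply.
POSTED = """\
 port-security enable
 port-security oui 00e0-bb00-0000 index 1
#
 dot1x
 dot1x authentication-method eap
 undo dot1x handshake enable
#
interface Ethernet1/0/1
 port-security max-mac-count 1
 port-security port-mode userlogin-secure-ext
 dot1x max-user 1
"""

# The two dot1x commands the reply says must stay when port-security drives 802.1X.
REQUIRED_GLOBAL = ("dot1x authentication-method eap", "undo dot1x handshake enable")


def lint_dot1x_config(config):
    """Return human-readable findings for the points raised in the reply."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    # Point 1: a standalone 'dot1x' alongside port-security is redundant.
    if "port-security enable" in lines and "dot1x" in lines:
        findings.append("standalone 'dot1x' present while port-security is enabled; remove it")
    # Point 2: an OUI entry only matters if some port authenticates by MAC.
    has_oui = any(ln.startswith("port-security oui ") for ln in lines)
    mac_based = [ln for ln in lines if ln.startswith("port-security port-mode ") and "mac" in ln]
    if has_oui and not mac_based:
        findings.append("'port-security oui' configured but no port uses a MAC-based port-mode; remove it")
    for cmd in REQUIRED_GLOBAL:
        if cmd not in lines:
            findings.append(f"missing required global command: {cmd}")
    return findings


def apply_reply_fixes(config):
    """Drop the two lines the reply says to remove; everything else is kept verbatim."""
    kept = []
    for ln in config.splitlines():
        s = ln.strip()
        if s == "dot1x" or s.startswith("port-security oui "):
            continue
        kept.append(ln)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in lint_dot1x_config(POSTED):
        print("FINDING:", finding)
    print("after fixes:", lint_dot1x_config(apply_reply_fixes(POSTED)) or "clean")
```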

All replies

  • First I changed the system locale to "English (United States)" as mentioned by Miles Li:

    Please make sure the OS has the corresponding language pack installed that matches the system "locale" setting. If not, change the system locale to "English (United States)".
    a). Start -> Control Panel -> Regional and Language Options
    b). Click the "Administrative" tab, then click the "Change system locale..." button.
    c). Select "English (United States)", click OK and reboot the computer to check how it works.

    After that, event logging in NPS now works perfectly.

    Thanks a lot Miles!

    #####################################################################################################

    Then I updated the switch to software version p09 and made the configuration changes as mentioned by Nick Lowe.

    After that, dot1x authentication now works perfectly.

    Thanks a lot Nick!

    I appreciate all your help.

    Regards from Switzerland,
    mat

    Tuesday, May 11, 2010 8:58 AM
  • I am looking for a step-by-step configuration of Network Access Protection and 802.1x on a 3com 5500-EI switch, with subnetting and VLAN configuration. If anybody has one, please email me at zaheermallah@hotmail.com

    For example, I have

    60 switches

    20 servers

    and 1024 client desktop systems

    Tuesday, January 17, 2012 9:46 AM
  • Done,

    But I have 3 issues after my successful test lab; please help me to overcome them:

    1- Our network is based on 3com switches (3226, 4500, 5500), about 400 switches. When I apply these commands I can't log in to my switches using HyperTerminal, telnet or even SSH, but I can log in using the web interface. I don't know why; it seems to be the MAC-address authentication commands.

    2- Our biggest problem, and the reason we decided to do NAP with dot1x, is that we want the PCs that are outside the domain to be in the remediation VLAN (in my case VLAN 10 for the non-NAP or non-compliant PCs). But when I configured my test lab, the PC always stays in the healthy VLAN (in my case VLAN 3), even if it didn't do the tests or isn't joined to the domain. We want a PC outside the domain to be in the remediation VLAN (VLAN 10), not VLAN 3.

    3- We set the MAC address statically on every port in our campus, but in our lab I can't, and it seems to be because of port security and MAC-address authentication as well.

    So how can I solve these issues with 3com switches so they work great with NAP?

    Friday, May 25, 2012 10:23 AM