NAP 802.1x Step-by-Step Guide with 3com 4500 Switch

All replies

• 

  

  0

  Sign in to vote

  Hi,

  Thank you for your post here.

  From the description, NPS audit logs are not logged in Event Log for 802.1X enforcement while it is logged in NPS log file properly.

  1. Please double check the NPS log settings with the following command

  netsh nps show eventlog

  2. NPS auditing log will format message based on locale setting.  Please make sure OS has corresponding language package installed matches with system "locale" setting. If not, change system locale to "English(Unite State)".
  a). Start->Control Panel->Regional and Language Options
  b). Click "Administrative" Tab, then click "Change system locale..." button.
  c). Select "English (United States)", click OK and reboot the computer to check how it works.

   

  If you have any questions or concerns, please do not hesitate to let me know.

   

   

   

   

   

   

   

  • Marked as answer by maettu99 Tuesday, May 11, 2010 8:58 AM

  Monday, May 10, 2010 6:30 AM
• 

  

  0

  Sign in to vote

  From a quick glance...

  Remove the individual:

  dot1x

  You're using port-security (a superset of mac auth and dot1x) and not dot1x alone... (You still need the other two dot1x commands though).

  Also remove:

  port-security oui 00e0-bb00-0000 index 1

  ... as you're not authenticating using that method.

  I have the same switch here working with the following relevant bits of config:

   radius trap authentication-server-down
   radius trap accounting-server-down

   domain default enable yourdomain

   port-security enable
   port-security trap addresslearned
   port-security trap intrusion
   port-security trap dot1xlogon
   port-security trap dot1xlogoff
   port-security trap dot1xlogfailure
   port-security trap ralmlogon
   port-security trap ralmlogoff
   port-security trap ralmlogfailure

   dot1x quiet-period
   dot1x timer quiet-period 10
   dot1x timer tx-period 5
   dot1x retry 1
   dot1x auth-fail-retry 0
   dot1x authentication-method eap
   undo dot1x handshake enable

   MAC-authentication domain yourdomain
   MAC-authentication authmode usernamefixed
   MAC-authentication authusername yourmacauthusername
   MAC-authentication authpassword somesecret

  radius scheme yourscheme
   server-type standard
   primary authentication 192.168.0.1
   primary accounting 192.168.0.1
   accounting optional
   key authentication somesecret
   key accounting somesecret
   accounting-on enable
   calling-station-id mode mode2 uppercase

  domain yourdomain
   scheme radius-scheme yourscheme
   accounting radius-scheme yourscheme
   vlan-assignment-mode vlan-list

  interface Ethernet1/0/1
   stp edged-port enable
   port link-type hybrid
   port hybrid vlan 2 untagged
   undo port hybrid vlan 1
   port hybrid pvid vlan 2
   broadcast-suppression pps 3000
   port-security max-mac-count 1
   port-security port-mode userlogin-secure-or-mac
   port-security intrusion-mode blockmac
   dot1x max-user 1
   dot1x unicast-trigger
   MAC-authentication max-auth-num 1

  F.Y.I. 3.3.2p09 is out with some useful 802.1X fixes... (Update in 2014, 3.3.2p22 is the latest now.)
  

  
  
  
  

  • Marked as answer by maettu99 Tuesday, May 11, 2010 8:58 AM
  • Edited by Nick Lowe Tuesday, February 25, 2014 2:46 AM

  Monday, May 10, 2010 2:16 PM
• 

  

  0

  Sign in to vote

  First I changed the system locale to "English (United States)" as mentioned from Miles Li

  Please make sure OS has corresponding language package installed matches with system "locale" setting. If not, change system locale to "English(Unite State)".
  a). Start->Control Panel->Regional and Language Options
  b). Click "Administrative" Tab, then click "Change system locale..." button.
  c). Select "English (United States)", click OK and reboot the computer to check how it works.

  After that, event logging in NPS now works perfectly.

  Thanks a lot Miles!

  #####################################################################################################

  Then I updated the switch to software version p09 and did the configuration changes as mentioned from Nick Lowe

  After that, dot1x authentication now works perfectly.

  Thanks a lot Nick!

  appreciate all your help

  regards from switzerland
  mat

  Tuesday, May 11, 2010 8:58 AM
• 

  

  0

  Sign in to vote

  I am looking to find step by step configuration of Network Access Protection and 802.1x configuration on  3com 5500-EI  switch 

  with subneting and VLANs Configuration if any body have please email me on zaheermallah@hotmail.com

  For example i have 

  60 Switches

  20 Server 

  and 1024 client desktop systems 

   

  Tuesday, January 17, 2012 9:46 AM
• 

  

  0

  Sign in to vote

  Done,

  But i have 3 issues after my successful test lab; please help me to override them:

  1-our network is based on 3com switches 3226,4500,5500 about 400 switch so when i do these commands i can't login to my switches using hyper terminal or telnet or even ssh but i can login using the web interface and i don't know it seems the mac-address authentication commands 

  2-our biggest problem that we decided to perform Nap with Dot1x is we want the pcs when they are outside of the domain being in the remediation vlan (in my case for the Non-Nap or the Non-Compliant pcs is 10 ) but when i configured my test lab all the time the pc even it didn't do the tests or being joined to the domain stays in the healthy vlan (in my case is 3) and we want the pc that outside of the domain being in the remediation vlan (vlan 10) not (vlan 3)

  3-we are putting the mac address static on every port in our campus and when with our lab i can't and it seems because of the port security and mac address authentication as well 

  so how i can solve these issues with 3com switches to work  great with Nap .

  Friday, May 25, 2012 10:23 AM
• 

  

  0

  Sign in to vote

  Done,

  But i have 3 issues after my successful test lab; please help me to override them:

  1-our network is based on 3com switches 3226,4500,5500 about 400 switch so when i do these commands i can't login to my switches using hyper terminal or telnet or even ssh but i can login using the web interface and i don't know it seems the mac-address authentication commands 

  2-our biggest problem that we decided to perform Nap with Dot1x is we want the pcs when they are outside of the domain being in the remediation vlan (in my case for the Non-Nap or the Non-Compliant pcs is 10 ) but when i configured my test lab all the time the pc even it didn't do the tests or being joined to the domain stays in the healthy vlan (in my case is 3) and we want the pc that outside of the domain being in the remediation vlan (vlan 10) not (vlan 3)

  3-we are putting the mac address static on every port in our campus and when with our lab i can't and it seems because of the port security and mac address authentication as well 

  so how i can solve these issues with 3com switches to work  great with Nap .

  Friday, May 25, 2012 10:24 AM