Windows 2008 R2 NAP with 802.1X and per user ACL on procurve 2610 switch

  • Question

  • Hi All,

    I have set up a NAP with 802.1X POC with:
    1. HP Procurve 2610 switch configured with default VLAN and two standard ACLs, one named "compliant" and the second "noncompliant"
    2. Windows 2008 R2 Domain controller
    3. Windows 2008 R2 NAP server
    4. Windows 2003 Antivirus & WSUS server
    5. Windows XP SP3, Vista and Windows 7 clients
    6. IEEE 802.1X authentication setting is configured in the switch
    7. Configured the network compliant policy to assign the "compliant" ACL to the port using the Filter-ID attribute.
    8. Configured the network non-compliant policy to assign the "noncompliant" ACL to the port using the Filter-ID attribute.

    Status
    - The switch is not applying the ACL to the port

    Request your help in:
    1. Identifying the RADIUS attribute to instruct the ProCurve switch to apply a static ACL defined in it to a user port.
    2. If it is not possible, help me with how to configure a dynamic ACL through vendor-specific options in Windows 2008 NPS.

    Thursday, October 28, 2010 6:02 AM

Answers

  • Hi Shaji,

    I think you do need to configure other attributes, such as Tunnel-Tag. I just suggest that you remove the VLAN-specific ones such as Tunnel-Pvt-Group-ID.

    I recall that Tunnel-Type was classified differently in WS08 vs. WS08 R2, so the instructions might need to be updated for R2. Let me know if you can't find it.

    I have only worked with VLANs myself, so I might have to find someone else that knows more about HP switches and using ACLs. One thing you could try is to set debug on the switch and watch to make sure that the attribute is recognized. Occasionally this requires updating firmware on the switch. However, you should be able to simply configure the switch with an ACL number, or an ACL name, then input this as the string attribute value. Perhaps you've done all of this already. If so, then I will try to find an example of a switch config for you to compare.

    -Greg

    Friday, October 29, 2010 6:26 AM

All replies

  • Hi,

    I assume you have read the deployment guide instructions at http://technet.microsoft.com/en-us/library/dd314181(WS.10).aspx

    One thing that might be happening is that some switches do not do well if you configure both the Filter-ID and Tunnel-Pvt-Group-ID attributes, so if you are not using VLANs then I suggest deleting the Tunnel-Pvt-Group-ID attribute from your policies.

    Also, I assume you have verified that the client access request is matching the policy that has the Filter-ID attribute, and not some other policy. If not, please confirm this.

    -Greg

    Friday, October 29, 2010 12:41 AM
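
    Two things in the reply above, dropping Tunnel-Pvt-Group-ID when a policy is meant to assign only an ACL and confirming that the attribute the switch expects really is in the Access-Accept, are easiest to verify by looking at the packet NPS actually sends. The script below is an added example, not code from this thread, from Microsoft or from HP: it encodes and decodes the attributes in question with the attribute numbers from RFC 2865 and RFC 2868, and flags the attribute combinations discussed here. Two values are assumptions: the HP enterprise number 11 and the HP-Nas-Filter-Rule sub-type 61 are taken from the FreeRADIUS dictionary.hp file, and the VSA rule string follows the ProCurve documentation as I recall it; confirm both against the documentation for your switch firmware. The sample packets and the authenticator bytes are constructed inline.

```python
"""RADIUS Access-Accept attributes that an 802.1X switch acts on: build them, decode them
from the wire, and flag the combinations discussed in this thread.
Attribute numbers are from RFC 2865/2868. Assumption: HP enterprise number 11 and the
HP-Nas-Filter-Rule sub-type 61 are taken from the FreeRADIUS dictionary.hp file; confirm
them against the ProCurve documentation for your firmware before relying on them."""
import struct

FILTER_ID, VENDOR_SPECIFIC = 11, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
NAMES = {FILTER_ID: "Filter-Id", TUNNEL_TYPE: "Tunnel-Type",
         TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type", TUNNEL_PVT_GROUP_ID: "Tunnel-Pvt-Group-ID"}
VLAN_TRIO = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Pvt-Group-ID"}
HP_VENDOR_ID, HP_NAS_FILTER_RULE = 11, 61   # assumption, see module docstring
VLAN, IEEE_802 = 13, 6                      # RFC 2868 Tunnel-Type "VLAN", Tunnel-Medium-Type "IEEE-802"

def avp(attr_type, value):
    """Type-Length-Value attribute; Length covers its own 2-byte header (max 255)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def tagged(tag, value):
    # RFC 2868 tagged attribute: 1 tag octet, then a 3-octet integer or a string
    return bytes([tag]) + (value.to_bytes(3, "big") if isinstance(value, int) else value.encode())

def hp_vsa(subtype, text):
    """Vendor-Specific (26) carrying one HP sub-attribute: vendor-id, sub-type, sub-length, value."""
    inner = bytes([subtype, len(text) + 2]) + text.encode()
    return avp(VENDOR_SPECIFIC, HP_VENDOR_ID.to_bytes(4, "big") + inner)

def build_access_accept(identifier, authenticator, attrs):
    """Code 2, Identifier, Length, 16-byte Authenticator (used as given; no shared secret here), attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 2, identifier, 20 + len(body)) + authenticator + body

def parse_attributes(packet):
    """Return [(name, tag, value)]; tag is None for untagged attributes, 0 when sent without a tag."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length does not match packet size")
    out, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        val = packet[pos + 2:pos + alen]
        pos += alen
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID):
            # RFC 2868: the first octet is a tag only in 0x01..0x1F; otherwise it belongs to the value
            tag = val[0]
            if 0x01 <= tag <= 0x1F:
                val = val[1:]
            else:
                tag = 0
            decoded = val.decode() if atype == TUNNEL_PVT_GROUP_ID else int.from_bytes(val, "big")
            out.append((NAMES[atype], tag, decoded))
        elif atype == VENDOR_SPECIFIC:
            vendor, vpos = int.from_bytes(val[:4], "big"), 4
            while vpos < len(val):
                vtype, vlen = val[vpos], val[vpos + 1]
                if vlen < 2 or vpos + vlen > len(val):
                    raise ValueError("malformed vendor sub-attribute")
                vval = val[vpos + 2:vpos + vlen]
                vpos += vlen
                if (vendor, vtype) == (HP_VENDOR_ID, HP_NAS_FILTER_RULE):
                    out.append(("HP-Nas-Filter-Rule", None, vval.decode()))
                else:
                    out.append(("VSA(%d/%d)" % (vendor, vtype), None, vval))
        elif atype == FILTER_ID:
            out.append(("Filter-Id", None, val.decode()))
        else:
            out.append(("Attr(%d)" % atype, None, val))
    return out

def review(attrs):
    """Warnings for attribute sets a switch may reject or silently ignore."""
    names, warnings = {a[0] for a in attrs}, []
    if "Filter-Id" in names and "Tunnel-Pvt-Group-ID" in names:
        warnings.append("Filter-Id sent together with Tunnel-Pvt-Group-ID; drop the VLAN attributes if only an ACL is wanted")
    present = names & VLAN_TRIO
    if present and present != VLAN_TRIO:
        warnings.append("incomplete VLAN assignment: missing " + ", ".join(sorted(VLAN_TRIO - present)))
    if not names & {"Filter-Id", "HP-Nas-Filter-Rule"}:
        warnings.append("no ACL attribute present")
    return warnings

AUTH = bytes(range(16))   # constructed placeholder for the 16-byte Response Authenticator
# Constructed: the poster's "compliant" policy, Filter-Id only.
ACL_ONLY = build_access_accept(7, AUTH, [avp(FILTER_ID, b"compliant")])
# Constructed: Filter-Id left in a policy that also assigns VLAN 10 (tag 1 on all three).
ACL_PLUS_VLAN = build_access_accept(8, AUTH, [
    avp(FILTER_ID, b"compliant"),
    avp(TUNNEL_TYPE, tagged(1, VLAN)),
    avp(TUNNEL_MEDIUM_TYPE, tagged(1, IEEE_802)),
    avp(TUNNEL_PVT_GROUP_ID, tagged(1, "10")),
])
# Constructed: one dynamic rule in the HP VSA (rule syntax as I recall the HP docs; verify for your firmware).
VSA_RULE = build_access_accept(9, AUTH, [hp_vsa(HP_NAS_FILTER_RULE, "deny in tcp from any to any 23")])
```

    Feed parse_attributes() the bytes of a real Access-Accept exported from a capture of the RADIUS traffic (UDP 1812) between the switch and NPS, and compare the result with what the switch debug output reports: a Filter-Id the switch does not map to a local ACL, or a tagged Tunnel-Pvt-Group-ID where the switch expects an untagged one, both look fine in the NPS log and wrong on the wire.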
  • Hi Greg,

    Thanks for the response. As per the document http://technet.microsoft.com/en-us/library/dd314181(WS.10).aspx I have configured the VLAN option for the compliant and noncompliant network policies and it is working fine. But I am specifically looking for the ACL option.

    I have configured only the "Filter-ID" attribute [no other attributes in standard or vendor-specific RADIUS attributes] for the compliant and noncompliant policies, pointing to the ACLs defined in the switch. I have checked the NPS logs, which tell me it is processing the respective policies. The client machines are getting authenticated, but no access restriction is applied on the ports.

    If you need any more details, please let me know.

    Thanks & regards, Shaji
    Friday, October 29, 2010 5:36 AM
  • Hi Greg,

    I tried with the suggested attributes, but again failed, and the switch debug log is not showing anything about an ACL attempt. [Switch: HP ProCurve 2610, IOS: R.11.30, Firmware: R.10.06] I will try it again after updating the IOS and firmware.

    Why I tried the ACL option:

    We have a plan to implement NAP with IEEE 802.1X in our office with:
    1. 6 locations with multiple networks (VLANs) in each location; single forest, single domain, and DC, DNS, GC in each location; DHCP centralized; and antivirus (Symantec) and patch (WSUS) servers, one in each location.
    2. Desktop and laptop users
    3. Wired and wireless
    4. Static and roaming clients
    5. No VPN users

    We have decided to create one AD group for each network and add computers to it, configure one policy for each network, and one group for computers with no NAP. If I am going with this, how will I address the roaming laptops (laptops that connect to different networks)?

    One more doubt I have: if we are using the default WSHA and WSHV, how does the NAP server decide the patch level is up to date? Will it contact the WSUS server to make that decision, or is Internet access required on the NAP server to contact the MS security center to make that decision? How does the NAP server decide the antivirus signature is up to date? Will it contact the antivirus definition server or the MS security center?

    Thanks & Regards, Shaji
    Thursday, November 4, 2010 11:47 AM