Comware

  • 1.  802.1X Fail Comware 5.20.99 Switch HPE 1920

    Posted Mar 05, 2020 03:02 PM

    Hi, 

    I have been having trouble configuring dynamic VLAN on the 5.20.99 Comware switches; I'm authenticating on an NPS. Below are the settings:

    #
    dot1x
    dot1x quiet-period
    dot1x timer quiet-period 30
    dot1x retry 3
    dot1x timer handshake-period 30
    dot1x authentication-method eap

    #


    radius scheme my.domain
    primary authentication myserver1 1645
    primary accounting myserver1 1646
    key authentication cipher mypass
    key accounting cipher mypass
    user-name-format without-domain
    nas-ip myip
    #
    domain my.domain
    authentication lan-access radius-scheme my.domain
    accounting lan-access radius-scheme my.domain
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable

    #####

    interface GigabitEthernet1/0/34
    port auto-power-down
    stp edged-port enable
    dot1x guest-vlan 300
    dot1x auth-fail vlan 300
    dot1x critical vlan 300
    dot1x critical recovery-action reinitialize
    undo dot1x handshake
    dot1x mandatory-domain my.domain
    dot1x

    ###########

    When authenticating on the computer, the NPS log shows the following:

    Network Policy Server granted access to a user.

    User:
    Security ID: NULL SID
    Account Name: myuser
    Account Domain: -
    Fully Qualified Account Name: -

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: 00-XX-XX-XX-XX-27

    NAS:
    NAS IPv4 Address: myip
    NAS IPv6 Address: -
    NAS Identifier: SWCORE-GP-CS03-L302
    NAS Port-Type: Ethernet
    NAS Port: 16916481

    RADIUS Client:
    Client Friendly Name: SW-GPSP-CORE02
    Client IP Address: 10.120.0.16

    Authentication Details:
    Connection Request Policy Name: Requisicao_Redirecionamento
    Network Policy Name: -
    Authentication Provider: RADIUS Proxy
    Authentication Server: myip
    Authentication Type: -
    EAP Type: -
    Account Session Identifier: 31323030323035313632306134303130
    Logging Results: Accounting information was written to the local log file.

    Quarantine Information:
    Result: -
    Session Identifier: 

    ####

    Even though NPS is successful, the computer remains with authentication failure. I have this same configuration on Comware 3 switches and it works normally.

    The only additional configuration that exists in Comware 3 is vlan-assignment-mode string; however, this configuration is unavailable in Comware 5.20.99.

    Can you help me?



  • 2.  RE: 802.1X Fail Comware 5.20.99 Switch HPE 1920

    Posted Mar 06, 2020 04:42 AM

    Hello, 

    Please, in the domain configuration, also configure your RADIUS server as the authorization source for LAN access. This should look like this in the configuration:

    #
    domain my.domain
    authentication lan-access radius-scheme my.domain

    authorization lan-access radius-scheme my.domain

    accounting lan-access radius-scheme my.domain
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable

    On the interface you should make sure that MAC VLAN is enabled, otherwise a dynamic RADIUS VLAN cannot be assigned. MAC VLAN requires also the port to be in link-mode hybrid.
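    As an added example (not code from this thread or from HPE), the script below audits a Comware-style running-config for exactly the two prerequisites the reply names: an authorization lan-access source in the ISP domain, and MAC VLAN on a hybrid port for every interface that has dot1x enabled. The original poster's config and a corrected copy are embedded as constructed samples; the interface-view commands used in the corrected copy (port link-type hybrid, port hybrid vlan ... untagged, port hybrid pvid vlan ..., mac-vlan enable) are assumed to be the Comware 5 forms and should be checked against the command reference for your release. The parser is deliberately simple: it treats each '#'-delimited block as one object named by its first line.

```python
"""Audit a Comware 5 config for 802.1X dynamic-VLAN prerequisites.

Added example, not the forum's or HPE's own code.  Checks:
  1. every 'domain' block has 'authorization lan-access radius-scheme <x>'
  2. every 'interface' block with 'dot1x' enabled also has
     'mac-vlan enable' and 'port link-type hybrid'
"""
import re
from dataclasses import dataclass, field


@dataclass
class Block:
    header: str                       # e.g. "domain my.domain", "interface GigabitEthernet1/0/34"
    lines: list = field(default_factory=list)


def parse_blocks(config: str) -> list:
    """Split a '#'-delimited Comware config into blocks (assumed layout)."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):      # block separator
            current = None
            continue
        if current is None:
            current = Block(header=line)
            blocks.append(current)
        else:
            current.lines.append(line)
    return blocks


AUTHZ_RE = re.compile(r"authorization\s+lan-access\s+radius-scheme\s+\S+")


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means all checks pass."""
    findings = []
    for blk in parse_blocks(config):
        parts = blk.header.split(maxsplit=1)
        kind, name = parts[0], (parts[1] if len(parts) > 1 else "")
        if kind == "domain":
            if not any(AUTHZ_RE.match(ln) for ln in blk.lines):
                findings.append(f"domain {name}: no 'authorization lan-access radius-scheme' "
                                "(RADIUS-assigned VLAN will not be applied)")
        elif kind == "interface":
            if "dot1x" not in blk.lines:
                continue              # 802.1X not enabled on this port; nothing to check
            if "mac-vlan enable" not in blk.lines:
                findings.append(f"{name}: dot1x enabled but 'mac-vlan enable' missing")
            if "port link-type hybrid" not in blk.lines:
                findings.append(f"{name}: dot1x enabled but port is not 'port link-type hybrid'")
    return findings


# Constructed sample: the poster's domain and port configuration (trimmed).
ORIGINAL_CONFIG = """
#
domain my.domain
 authentication lan-access radius-scheme my.domain
 accounting lan-access radius-scheme my.domain
 state active
#
interface GigabitEthernet1/0/34
 stp edged-port enable
 dot1x guest-vlan 300
 dot1x auth-fail vlan 300
 dot1x mandatory-domain my.domain
 dot1x
#
"""

# Constructed sample: the same config with the reply's recommendations applied.
FIXED_CONFIG = """
#
domain my.domain
 authentication lan-access radius-scheme my.domain
 authorization lan-access radius-scheme my.domain
 accounting lan-access radius-scheme my.domain
 state active
#
interface GigabitEthernet1/0/34
 port link-type hybrid
 port hybrid vlan 300 untagged
 port hybrid pvid vlan 300
 mac-vlan enable
 stp edged-port enable
 dot1x guest-vlan 300
 dot1x auth-fail vlan 300
 dot1x mandatory-domain my.domain
 dot1x
#
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]", audit(cfg) or "all dynamic-VLAN prerequisites present")
```

    Run it as-is to see the three findings against the original config and none against the corrected one; to check a real switch, paste the output of display current-configuration into a file and pass its contents to audit().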



  • 3.  RE: 802.1X Fail Comware 5.20.99 Switch HPE 1920

    Posted Mar 06, 2020 05:43 AM

    Adding lan-access radius-scheme my.domain authorization solved my problem.

    Thank you very much.