Inclined readers,
Maybe I was just too stupid to find the correct document that describes the desired solution, so please don't flame me if it is obvious. However, I found contradictory results when googling, so I thought it to be the best idea to bring my issue to the community...
Our customer's requirements are:
• They want to use 802.1x authentication using PEAP/TLS on all Edge-Ethernet ports where possible
• For devices not supporting PEAP/TLS there should be an automatic fallback to MAC authentication, also handled by the RADIUS server, so that there is no need to reconfigure the port if you connect a known 802.1x-incapable device.
The environment consists of
1. Several 5406zl
2. Several 5406Rzl
3. A few 2920s
4. A few 2910s
The document that contained the most information for me is
ftp://ftp.hp.com/pub/networking/software/2900yl-ASG-0207-T_12_XX-9-8021X.pdf
Quote:
Port-Based 802.1X can operate concurrently with Web-Authentication or
MAC-Authentication on the same port. However, this is not a commonly used
application and is not generally recommended.
In fact, I don't want them to operate concurrently, but only if EAP fails.
My questions are:
Is there any best practice way to do that on HP?
I have configured similar environments with switches from another vendor (by far not as prestigious as HP), so I think it'll not be impossible.
If yes, could you point out the main steps? (I do not expect you guys to put together all the commands, just a very rough outline how to do it would be very nice)
If someone's got such a setup running, what is your experience with daily operations?
Thanks in advance for any piece of advice!
Greetings from Austria,
George