Hello everyone!
I'm working on a project to configure 802.1x authentication on HP 1920 and HP 2530 switches, and I need to have a MAC address authentication bypass for dumb terminals (e.g. printers, wireless access points...).
I have a RADIUS server and everything works fine, except for the fact that wireless users have to authenticate twice...
Before 802.1x, I already had a RADIUS server for wireless authentication, and the APs were the RADIUS clients.
Now the APs are authenticated through their MAC addresses and the wireless client is first authenticated through the AP with login, and then through the switch with their MAC addresses also. So it doesn't work because their MAC addresses aren't authorized.
I would like to tell the switch to authenticate the first client only, not the other clients on the same port. I know that this mode is called "port-based" as opposed to "mac-based", but it seems that there's an incompatibility with the mac address fallback.
Typically, in my HP 1920 configuration, the "port based" mode is not allowed when mac-authentication is enabled on the port... but without it, my AP doesn't identify on the RADIUS.
For the HP2530, this is slightly different. To be able to have a MAC authentication bypass, I must enter the command "aaa port-access mac-based <port-list>" and I can only do that by entering the command "aaa port-access authenticator <port-list> client-limit <1-32>" first, and then "aaa authentication mac-based chap-radius".
So if I'm "mac-based", I have two authentication modes, one through the AP with login, and the other through the switch with MAC address, which I don't want.
I also have some HUAWEI switches on which I can specify the user access mode (i.e. multi-share in my case), nonetheless I can still use MAC address bypass.
Does anyone know how to combine the two things, please?
Thanks a lot.
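
The difference between the two modes described in the post above, as an added example that is not part of the original post and not HP firmware behaviour: a simplified Python model of one switch port with MAC authentication bypass. The class, function names and MAC addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: the RADIUS server only knows the access point's MAC.
AP_MAC = "00:11:22:aa:bb:01"
WIFI_CLIENT_MAC = "66:77:88:cc:dd:02"  # already logged in through the AP
RADIUS_MAB_ALLOWED = {AP_MAC}


def radius_mab(mac: str) -> bool:
    """Stand-in for a RADIUS MAC-authentication request (assumption)."""
    return mac in RADIUS_MAB_ALLOWED


@dataclass
class SwitchPort:
    mode: str                      # "port-based" or "mac-based"
    client_limit: int = 32         # only meaningful in mac-based mode
    port_open: bool = False        # port-based: state of the whole port
    authorized: set = field(default_factory=set)  # mac-based: per-MAC state

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac would be forwarded."""
        if self.mode == "port-based":
            # The first successful authentication opens the port for everyone.
            if not self.port_open:
                self.port_open = radius_mab(src_mac)
            return self.port_open
        # mac-based: every new source MAC is authenticated on its own.
        if src_mac in self.authorized:
            return True
        if len(self.authorized) >= self.client_limit:
            return False
        if radius_mab(src_mac):
            self.authorized.add(src_mac)
            return True
        return False


def simulate(mode: str) -> dict:
    """The AP comes up first, then a wireless client sends traffic through it."""
    port = SwitchPort(mode)
    return {mac: port.receive(mac) for mac in (AP_MAC, WIFI_CLIENT_MAC)}


if __name__ == "__main__":
    for mode in ("mac-based", "port-based"):
        print(mode, simulate(mode))
```

In this model the port-based port forwards every device behind the AP once the AP itself is accepted, so the AP's own RADIUS login becomes the only check on wireless clients.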