HP 1920S 48G 4SFP ( JL382A) and 802.1X

  • 1.  HP 1920S 48G 4SFP ( JL382A) and 802.1X

    Posted Oct 21, 2018 05:44 AM

    Hello,

    I'm using the switch belong and I'm running PD.02.06 firmware, which is the newest. Here is my switch config:

    !Current Configuration:
    !
    !System Description "HPE OfficeConnect Switch 1920S 48G 4SFP JL382A, PD.02.06, Linux 3.6.5-a07f8920, U-Boot 2012.10-00118-g3773021 (Oct 11 2016 - 15:39:54)"
    !System Software Version "PD.02.06"
    !System Up Time          "0 days 2 hrs 55 mins 11 secs"
    !Additional Packages     HPE QOS,HPE IPv6 Management,HPE Routing
    !Current SNTP Synchronized Time: Oct 17 13:20:38 2018 UTC
    !
    network protocol none
    network parms 172.24.1.11 255.255.255.0 172.24.1.254
    vlan database
    vlan 2-5,42-43,126
    vlan name 2 "VoIP"
    vlan name 3 "Lab"
    exit
    ip http secure-server
    ip http secure-protocol TLS1
    ip ssh server enable
    ip ssh protocol 2
    configure
    sntp client mode unicast
    sntp server "192.168.100.254"
    sntp server "192.168.100.38"
    sntp server "192.168.100.39"
    clock summer-time recurring EU offset 60
    time-range Schedule-1
    exit
    time-range Schedule-2
    exit
    username "admin" password XXX level 15 encrypted
    no username guest
    dot1x system-auth-control monitor
    aaa authentication dot1x default radius
    authorization network radius
    dot1x dynamic-vlan enable
    voice vlan
    radius accounting mode
    radius server host auth "172.24.43.43" name "freeradius-virt"
    radius server key auth "172.24.43.43" encrypted XXX
    radius server primary "172.24.43.43"
    radius server attribute 4 172.24.1.11
    radius server host acct "172.24.43.43" name radius-virt
    radius server key acct "172.24.43.43" encrypted XXX
    radius server host acct "172.24.2.144" name freeradius-virt-2
    radius server key acct "172.24.2.144" encrypted XXX
    line console
    exit
    line telnet
    exit
    line ssh
    exit
    port-channel linktrap TRK 1
    port-channel linktrap TRK 2
    […]
    snmp-server sysname "here"
    snmp-server location "Redroom"
    snmp-server contact "me@mail.tld"
    !
    port-security
    interface 1
    mtu 9000
    vlan participation exclude 3-4
    vlan participation include 2,43
    vlan tagging 2,43
    exit
    interface 2
    voice vlan 2
    dot1x pae supplicant
    mtu 9000
    vlan acceptframe admituntaggedonly
    vlan participation include 2,43
    vlan tagging 2,43
    exit

    According to the documentation I have to enable the Administrative Mode. 

    First I tried it in the GUI: Enable it, clicking on save and then on apply. Each time, when I click on "apply" the ssh server and also the webserver get a timeout. The only way to restart the switch is to pull the power cable. After I'm online again and logged in, I notice, that the Administrative Mode is disabled. When I don't use "save config" and I just use "apply" it also freezes. That's the reason why I tried to configure the switch via SSH:

    (HPE Routing) (Config)#show dot1x
    
    Administrative Mode............... Disabled
    VLAN Assignment Mode.............. Enabled
    Dynamic VLAN Creation Mode........ Enabled
    Monitor Mode...................... Enabled
    EAPOL Flood Mode.................. Disabled
    
    (HPE Routing) (Config)#dot1x ?
    
    dynamic-vlan		 Configure dot1x dynamic vlan creation parameters.
    eapolflood		 Enable/Disable EAPOL flood support on the switch.
    port-control		 Set the authentication mode on the specified port.
    system-auth-control	 Enable/Disable authentication support on the
    switch.
    user			 Add/Remove user from the list with access to the
    			 specified port.

    I'm missing a way to enable the Administrative Mode with dot1x. 

    Can you give me some advice?

    Thx


    #jl382a
    #1920S
    #802.1x


  • 2.  RE: HP 1920S 48G 4SFP ( JL382A) and 802.1X

    Posted Nov 07, 2018 11:16 AM

    Did you find a way to this mistake ?



  • 3.  RE: HP 1920S 48G 4SFP ( JL382A) and 802.1X

    Posted Nov 07, 2018 11:58 AM
    @Giulian wrote:

    Did you find a way to this mistake ?


    I'm not sure, what you want to say. 

    Right now, I wasn't able to solve the described mistake below . How can I enable the 802.1X settings? When I try it in the steps described below, it's not possible to enable it on the switch.

    Do you have a similar problem or can help me to solve my problem?



  • 4.  RE: HP 1920S 48G 4SFP ( JL382A) and 802.1X

    Posted Nov 08, 2018 01:55 AM

    Yes, I have the same and I want to activate 802.1X like you.



  • 5.  RE: HP 1920S 48G 4SFP ( JL382A) and 802.1X

    Posted Nov 08, 2018 03:23 AM

    You need to use the CLI. This model is particular because you can't activate telnet or SSH in GUI mode, so you need to follow this:

     

    Re: How to Enable Telnet and SSH on HPE 1920s OfficeConnect
    1. download startup-config from GUI
    2. edit it, insert ip telnet server enable before configure
    3. upload it as startup-config in GUI
    4. reboot switch
    5. telnet into it with configured admin account and then enter sequence of commands to generate crypto keys and run ssh daemon
      enable
      configure
      crypto key generate rsa
      crypto key generate dsa
      exit
      ip ssh server enable
      ip ssh protocol 2
      write memory confirm
      quit
    6.  use ssh (look at step 5) and disable telnet if you need like
      enable
      no ip telnet server enable
      write memory confirm
      quit

    I guess you can enable SSH for all recent OfficeConnect models 1820 or 1920S or 1950 the same way!
    It would be more secure to use public key auth instead of pwd auth, but there's no aaa authentication ssh login public-key in these switches.



  • 6.  RE: HP 1920S 48G 4SFP ( JL382A) and 802.1X

    Posted Nov 08, 2018 04:26 AM

    I found the good solution.

    You need to put "Force Authorized" as the control mode value for the port where you are connected to manage your switch, and afterwards you can activate administrative mode for the switch.

    If you don't do that beforehand, the port where you are connected waits for a RADIUS authentication, so if you can't have it, you lose the connection.

     



  • 7.  RE: HP 1920S 48G 4SFP ( JL382A) and 802.1X

    Posted Nov 08, 2018 11:05 AM


    @Giulian wrote:

    You need to use the CLI. This model is particular because you can't activate telnet or SSH in GUI mode, so you need to follow this:

    yes I know I already did that.

    @Giulian wrote:

    I found the good solution.

    You need to put "Force Authorized" as the control mode value for the port where you are connected to manage your switch, and afterwards you can activate administrative mode for the switch.

    If you don't do that beforehand, the port where you are connected waits for a RADIUS authentication, so if you can't have it, you lose the connection.


    Where did you change that, in the GUI or via SSH? I don't have the full GUI in my mind.

    The network design:

    I run a Freeradius and want to test with user+password. The switch is right now added into the local DNS and has a static IP address. I use a laptop for testing, which should be a supplicant on one port. On other ports it's not active and I have network access but not as desired.

    Thx for your answer!



  • 8.  RE: HP 1920S 48G 4SFP ( JL382A) and 802.1X

    Posted Nov 09, 2018 02:05 AM

    On GUI

    SECURITY / Port Access Control /

    Select Port 1 for example and then EDIT

    Authenticator Options / Choose Force Authorized
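
The advice in posts 6 and 8 (force the management port to authorized before turning on administrative mode), written as a pre-flight check over a downloaded startup-config. This is an added example, not part of the thread or HPE's tooling. The interface line `dot1x port-control force-authorized` and the bare `dot1x system-auth-control` line are assumptions about how this firmware writes those settings, and the RADIUS address is a constructed placeholder.

```python
import re

# Constructed sample in the startup-config layout shown in the first post.
SAMPLE_CONFIG = """\
ip telnet server enable
configure
dot1x system-auth-control monitor
aaa authentication dot1x default radius
radius server host auth "192.0.2.10" name "radius-example"
interface 1
vlan participation include 2,43
exit
interface 2
dot1x pae supplicant
exit
"""

# Assumptions: how the firmware records a Force Authorized port and an
# enabled administrative mode; adjust both to what your config really shows.
FORCE_AUTH_LINE = "dot1x port-control force-authorized"
ADMIN_MODE_LINE = "dot1x system-auth-control"

def parse_config(text):
    """Split a config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line == "exit" and current is not None:
            current = None          # leave the interface block
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces

def preflight(text, mgmt_port):
    """Report the settings that decide whether enabling 802.1X locks you out."""
    g, ifs = parse_config(text)
    return {"admin_mode": ADMIN_MODE_LINE in g,
            "monitor_mode": ADMIN_MODE_LINE + " monitor" in g,
            "mgmt_port_forced": FORCE_AUTH_LINE in ifs.get(mgmt_port, []),
            "radius_auth_server": any(l.startswith("radius server host auth ") for l in g),
            "telnet_enabled": "ip telnet server enable" in g}

def safe_to_enable(report):
    """Management port must bypass 802.1X and a RADIUS auth server must exist."""
    return report["mgmt_port_forced"] and report["radius_auth_server"]
```

Run `preflight()` on the file downloaded from the GUI with the port you manage the switch through; `telnet_enabled` flags the telnet server that step 6 of the quoted procedure says to switch off again.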