HP ProCurve 2520G-8-PoE RADIUS MAC-Address Authentication doesn't work

  • 1.  HP ProCurve 2520G-8-PoE RADIUS MAC-Address Authentication doesn't work

    Posted Sep 25, 2013 08:27 AM

    Dear HP-Community

     

    For testing, I've set up a little VLAN with an HP ProCurve 2520G-8-PoE, a ProLiant DL380R G4 with a Windows Server 2008 system and an NPS for the RADIUS authentication, and a normal Windows 7 client for testing the authentication.

     

    Now I have followed the "How to configure MAC authentication on a ProCurve switch" manual for configuring the right parameters. The only difference is that I also enabled the EAP-MSCHAPv2 encryption, because Windows 7 doesn't support CHAP.

     

    Unfortunately, my NPS is blocking the client. The error message says that the username and password are wrong:

    Der Netzwerkrichtlinienserver verweigerte einem Benutzer den Zugriff.
    
    Wenden Sie sich an den Administrator des Netzwerkrichtlinienservers, um weitere Informationen zu erhalten.
    
    Benutzer:
    	Sicherheits-ID:			NULL SID
    	Kontoname:				009c021b1458
    	Kontodomäne:				UEB
    	Vollqualifizierter Kontoname:		UEB\00-9c-02-1b-14-58
    
    Clientcomputer:
    	Sicherheits-ID:			NULL SID
    	Kontoname:				-
    	Vollqualifizierter Kontoname:		-
    	Betriebssystemversion:			-
    	Empfänger-ID:				84-34-97-43-5f-9d
    	Anrufer-ID:				00-9c-02-1b-14-58
    
    NAS:
    	NAS-IPv4-Adresse:			192.168.210.51
    	NAS-IPv6-Adresse:			-
    	NAS-ID:					UEBSW01
    	NAS-Porttyp:				Ethernet
    	NAS-Port:				3
    
    RADIUS-Client:
    	Clientanzeigenname:				UEBSW01
    	Client-IP-Adresse:			192.168.210.51
    
    Authentifizierungsdetails:
    	Name der Verbindungsanforderungsrichtlinie:	GABRIEL
    	Netzwerkrichtlinienname:		-
    	Authentifizierungsanbieter:		Windows
    	Authentifizierungsserver:		UEBSRV.ueb.lokal
    	Authentifizierungstyp:		MD5-CHAP
    	EAP-Typ:			-
    	Kontositzungs-ID:		-
    	Protokollierungsergebnisse:			Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
    	Ursachencode:			16
    	Ursache:				Authentifizierungsfehler aufgrund der Nichtübereinstimmung von Benutzeranmeldeinformationen. Der angegebene Benutzername ist keinem vorhandenen Benutzerkonto zugeordnet, oder das Kennwort war falsch.

    The message is in German, but I hope you get the important information.

     

    I've also tried it with different syntaxes, but nothing helped.
     
    Do you perhaps have a solution?
     
    Kind regards
     
    gabeBU

    #HPProcurve
    #WindowsServer2008
    #RADIUS-Server
    #MAC-Authentication
    #Radius


  • 2.  RE: HP ProCurve 2520G-8-PoE RADIUS MAC-Address Authentication doesn't work

    Posted Oct 23, 2013 02:53 PM

     

    EAP-MSCHAPv2 is for 802.1x, not for mac-address based authentication.

     

    Given the light level of security if you are doing pure mac-based authentication, it would be silly of any RADIUS server to not support CHAP or basic RADIUS authentication.  It's not like, if you're going to allow anyone who can spoof a MAC address on, you really care that their MAC address and its hash are encrypted across the wire from the NAS to the AAA server, and if you did, you'd tunnel it through IPSEC before it hit the Internet anyway.  My suggestion might be to consider using a real RADIUS server like FreeRADIUS or Radiator, unless you have a compelling reason to use NPS.
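
The NPS log in the first post shows the authentication type MD5-CHAP and reason code 16 for the account name 009c021b1458. The sketch below is an added example, not code from any poster or from HP or Microsoft: it reproduces the RADIUS CHAP check defined in RFC 2865 section 5.3 and shows that the server accepts the response only if its stored password has exactly the same MAC rendering the switch used. It assumes the switch sends the MAC address as both user name and password; the challenge value and the format labels are constructed for the example.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest

def server_verify(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """Server side: recompute the digest from the server's own copy of the password.

    The server therefore needs the password in recoverable form; a one-way
    hash of it is not enough to verify CHAP.
    """
    if len(chap_password) != 17:          # 1 byte ident + 16 bytes MD5
        return False
    expected = chap_response(chap_password[0], stored, challenge)
    return hmac.compare_digest(expected, chap_password)

def mac_formats(mac: str) -> dict:
    """Common renderings of one MAC address (labels are hypothetical)."""
    h = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(h) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    pairs = [h[i:i + 2] for i in range(0, 12, 2)]
    return {
        "no-delimiter": h,
        "dash": "-".join(pairs),
        "colon": ":".join(pairs),
        "no-delimiter-upper": h.upper(),
    }

def matching_formats(sent_password: str, mac: str, challenge: bytes,
                     ident: int = 1) -> list:
    """Which stored-password renderings would accept the switch's response."""
    response = chap_response(ident, sent_password.encode(), challenge)
    return [name for name, stored in mac_formats(mac).items()
            if server_verify(response, challenge, stored.encode())]

if __name__ == "__main__":
    challenge = os.urandom(16)            # constructed challenge
    # Account name from the log above, MAC from its Anrufer-ID field.
    print(matching_formats("009c021b1458", "00-9c-02-1b-14-58", challenge))
```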

     

     



  • 3.  RE: HP ProCurve 2520G-8-PoE RADIUS MAC-Address Authentication doesn't work

    Posted Oct 29, 2013 12:10 PM

    The reason is that I have to use the NPS; these are the specifications of my boss.

    Also, I HAVE enabled CHAP AND EAP-MSCHAPv2 both at the same time.