  • 1.  Mac-based Radius Configuration.

    Posted Oct 16, 2007 06:40 AM
    I seem to have the HP 2650 set up correctly but am still having issues getting it to authenticate through the MS IAS service. I am using MD5-CHAP, and have set the user's password to be stored using reversible encryption and to never expire.

    I have tried the settings that others in the forums have used, but it is still not working for me.

    This is my setup.

    Error:
    User 000bdb7bdcbe was denied access.
    Fully-Qualified-User-Name = xxx.xxx.xx.xx/Users/000bdb7bdcbe
    NAS-IP-Address = 192.168.134.37
    NAS-Identifier = Radius Test Switch
    Called-Station-Identifier = 00-30-6e-e3-71-ff
    Calling-Station-Identifier = 00-0b-db-7b-dc-be
    Client-Friendly-Name = Radius test
    Client-IP-Address = 192.168.134.37
    NAS-Port-Type = Ethernet
    NAS-Port = 1
    Proxy-Policy-Name = Radius Domain Test
    Authentication-Provider = Windows
    Authentication-Server = <UNDETERMINED>
    Policy-Name = Radius Test 1
    Authentication-Type = MD5-CHAP
    EAP-Type = <UNDETERMINED>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

    In IAS, set up the RADIUS client, which is the HP 2650, with IP address and secret name; triple-checked the secret name.

    Remote access policies:
    Windows Group Matches, Domain\Radius Access Group
    Allow access only through: Ethernet
    Authentication: EAP Methods: MD5-Challenge
    Encryption all checked.

    Went through the 2600-*.pdf to set up switch for mac-based authentication.

    What is the Vendor ID for the 2650?

    Advanced:
    Service type: Framed
    Tunnel-Medium-Type: 802
    Tunnel-PVT-Group-ID: 903 (VLAN ID)
    Tunnel-Type: Virtual LANS
    Framed-Protocol: PPP

    Granted Remote Access Permission

    Any help would be greatly appreciated




  • 2.  RE: Mac-based Radius Configuration.

    Posted Oct 16, 2007 10:41 PM
    Hi,

    Some of the things that you can check for:

    (1) The username/password for a MAC auth user should be the MAC address itself

    (2) In the "Remote Access Profile", check for the -
    Settings Tab
    - Add Policy condition for NAS Port Type
    matching "Ethernet"

    Dial-in Constraints Tab
    - Select "Allow access only through these media (NAS-Port-Type)"
    - Select "Ethernet"

    Authentication Tab
    - CHAP option should be selected
    - If you have some other authentication
    enabled on the switch then, select them
    as well in this tab

    Advanced Tab
    - Framed-Protocol (Radius Standard) PPP
    - Service Type (Radius Standard) Framed

    (3) In "Connection Request Policies" under
    IAS->Connection Request Processing -

    - Use Windows authentication for all users
    - Add Policy condition as "Ethernet"

    I have a similar setup at my end and I'm able to see the users' authentication via MAC-Auth.

    Please let me know if the things mentioned did help.

    Thanks,
    Nameesh.
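
A small diagnostic for the checks listed in the reply above, as an added example that is not part of the original thread: it parses the denial event from the first post and compares it with the policy settings. The mapping from the logged Authentication-Type to the policy method, the policy sets, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: the denial event from the first post, trimmed to key fields.
SAMPLE_EVENT = """\
User 000bdb7bdcbe was denied access.
Calling-Station-Identifier = 00-0b-db-7b-dc-be
NAS-Port-Type = Ethernet
Authentication-Type = MD5-CHAP
EAP-Type = <UNDETERMINED>
Reason-Code = 66
"""

# Assumption: logged Authentication-Type -> method to enable on the policy's
# Authentication tab (the thread's fix was selecting CHAP for MD5-CHAP).
LOGGED_TO_POLICY_METHOD = {"MD5-CHAP": "CHAP"}

def parse_event(text):
    """Return (username, fields) from 'Name = value' event text."""
    user = re.search(r"^\s*User (\S+) was", text, re.M)
    fields = dict(re.findall(r"^\s*([\w-]+) = (.*?)\s*$", text, re.M))
    return (user.group(1) if user else None), fields

def normalize_mac(value):
    """00-0B-DB-7B-DC-BE -> 000bdb7bdcbe"""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def diagnose(text, policy_methods, policy_port_types):
    """List mismatches between the logged request and the policy settings."""
    user, f = parse_event(text)
    findings = []
    mac = normalize_mac(f.get("Calling-Station-Identifier", ""))
    if not mac or user is None or user.lower() != mac:
        findings.append(f"username {user!r} is not the client MAC {mac!r}")
    logged = f.get("Authentication-Type")
    needed = LOGGED_TO_POLICY_METHOD.get(logged, logged)
    if needed not in policy_methods:
        findings.append(f"request used {logged}; enable {needed} on the policy")
    if f.get("NAS-Port-Type") not in policy_port_types:
        findings.append(f"policy does not allow NAS-Port-Type {f.get('NAS-Port-Type')}")
    return findings

if __name__ == "__main__":
    # Policy as first posted (EAP MD5-Challenge only), then with CHAP selected.
    print(diagnose(SAMPLE_EVENT, {"EAP-MD5-Challenge"}, {"Ethernet"}))
    print(diagnose(SAMPLE_EVENT, {"CHAP"}, {"Ethernet"}))
```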


  • 3.  RE: Mac-based Radius Configuration.

    Posted Oct 17, 2007 03:18 AM
    Nameesh,

    1. The username and password are the same.

    2. Done, only want to use the MD5 Challenge.

    3. Unable to find "Use Windows authentication" in that section.

    Thanks


  • 4.  RE: Mac-based Radius Configuration.

    Posted Oct 17, 2007 04:25 AM
    Nameesh,

    It is working now.

    Thanks


  • 5.  RE: Mac-based Radius Configuration.

    Posted Oct 17, 2007 08:43 AM
    Hi Dhillsr,

    That's great!!
    Did you do anything different to make it
    work, or did the steps that I sent help you?

    Cheers,
    Nameesh.
    Ps:
    Don't forget to give the points :)


  • 6.  RE: Mac-based Radius Configuration.

    Posted Oct 17, 2007 10:08 AM
    I used the steps you gave me, along with what I had already done.

    Works great.

    Thanks


  • 7.  RE: Mac-based Radius Configuration.

    Posted Oct 17, 2007 10:23 AM
    Thanks for all of your help.