Comware

Wired authentication failed

  • 1.  Wired authentication failed

    Posted Jan 24, 2017 07:58 AM

    Hi,

    I have configured an HP A5500 switch to authenticate users on the ports with an NPS server.

    The switch configuration is as follows:

    dot1x

    radius nas-ip 10.211.0.53
    dot1x authentication-method eap

    mac-authentication domain fmcdom

    radius scheme radius1
    primary authentication 10.211.0.53
    primary accounting 10.211.0.53
    key authentication cipher $c$3$OiaiAtppjUk0DHbORW5XZKm8/UAy5nWq
    key accounting cipher $c$3$BiHDcmLUymY2hKlsasEbfhxp5jpIo1jx
    nas-ip 10.211.0.53

    domain system
    authentication lan-access radius-scheme radius1 local
    authorization lan-access radius-scheme radius1 local
    accounting lan-access radius-scheme radius1 local
    access-limit enable 30
    state active
    idle-cut enable 20 10240
    self-service-url disable

    Then the port settings:

    port access vlan 11
    dot1x


    =============================

    But when I connect the cable, it gives "authentication failed" with my domain\username in the log.

    Can anyone help, please?

    I need to configure this feature to authenticate computers with a valid domain account on the network rather than using port security.

    Thanks


    #802.1x
    #dot1x


  • 2.  RE: Wired authentication failed

    Posted Jan 26, 2017 06:56 PM

    In the port configuration, try these parameters:

    undo dot1x handshake
    dot1x mandatory-domain fmcdom
    dot1x port-method portbased
    dot1x


  • 3.  RE: Wired authentication failed

    Posted Jan 30, 2017 12:46 AM

    Still the same.

    How do I find out where the problem is?

    [FMC-Mezz-A2]dis dot1x inter g5/0/1
    Equipment 802.1X protocol is enabled
    EAP authentication is enabled
    EAD quick deploy is disabled

    Configuration: Transmit Period 30 s, Handshake Period 15 s
    Quiet Period 60 s, Quiet Period Timer is disabled
    Supp Timeout 30 s, Server Timeout 100 s
    Reauth Period 3600 s
    The maximal retransmitting times 2
    EAD quick deploy configuration:
    EAD timeout: 30 m

    The maximum 802.1X user resource number is 1024 per slot
    Total current used 802.1X resource number is 0

    GigabitEthernet5/0/1 is link-up
    802.1X protocol is enabled
    Handshake is disabled
    Handshake secure is disabled
    802.1X unicast-trigger is disabled
    802.1X user-ip freeze is disabled
    Periodic reauthentication is enabled
    The port is an authenticator
    Authentication Mode is Auto
    Port Control Type is Port-based
    802.1X Multicast-trigger is enabled
    Mandatory authentication domain: fmcdom
    Guest VLAN: NOT configured
    Auth-Fail VLAN: NOT configured
    Critical VLAN: NOT configured
    Critical recovery-action: NOT configured
    Max number of on-line users is 256

    EAPOL Packet: Tx 519, Rx 85
    Sent EAP Request/Identity Packets : 477
    EAP Request/Challenge Packets: 0
    EAP Success Packets: 0, Fail Packets: 29
    Received EAPOL Start Packets : 31
    EAPOL LogOff Packets: 0
    EAP Response/Identity Packets : 34
    EAP Response/Challenge Packets: 0
    Error Packets: 0

    Controlled User(s) amount to 0
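    Reading those counters programmatically, as an added example that is not part of the original post and not Comware's own tooling: the script below parses the "display dot1x interface" output quoted above (copied into SAMPLE, trimmed to the lines it uses) and turns the counter pattern into a diagnosis. The finding codes and the 5:1 threshold are heuristics chosen here, not switch-defined values. The pattern in this post (Response/Identity received, zero Request/Challenge sent, EAP-Failure sent) means the sessions failed before the server ever challenged the supplicant, which is why the switch-to-RADIUS leg is the first place to look.

```python
"""Parse Comware 'display dot1x interface' counters and point at the
stage of the 802.1X/RADIUS exchange where sessions are failing.

Added example, not code from the thread. SAMPLE is the output quoted
above, cut down to the lines the parser uses. The finding codes and the
5:1 threshold are heuristics chosen here, not switch-defined values.
"""
import re

SAMPLE = """\
GigabitEthernet5/0/1 is link-up
802.1X protocol is enabled
Port Control Type is Port-based
Mandatory authentication domain: fmcdom

EAPOL Packet: Tx 519, Rx 85
Sent EAP Request/Identity Packets : 477
EAP Request/Challenge Packets: 0
EAP Success Packets: 0, Fail Packets: 29
Received EAPOL Start Packets : 31
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 34
EAP Response/Challenge Packets: 0
Error Packets: 0

Controlled User(s) amount to 0
"""

# One regex per counter; the display puts two counters on some lines,
# so each pattern anchors on its own label rather than on line starts.
COUNTERS = {
    "eapol_tx": r"EAPOL Packet: Tx (\d+)",
    "eapol_rx": r"EAPOL Packet: Tx \d+, Rx (\d+)",
    "req_identity": r"Request/Identity Packets\s*:\s*(\d+)",
    "req_challenge": r"Request/Challenge Packets\s*:\s*(\d+)",
    "eap_success": r"EAP Success Packets\s*:\s*(\d+)",
    "eap_fail": r"Fail Packets\s*:\s*(\d+)",
    "eapol_start": r"EAPOL Start Packets\s*:\s*(\d+)",
    "resp_identity": r"Response/Identity Packets\s*:\s*(\d+)",
    "resp_challenge": r"Response/Challenge Packets\s*:\s*(\d+)",
    "online_users": r"Controlled User\(s\) amount to (\d+)",
}


def parse_dot1x_display(text):
    """Return counters as ints (None when a label is absent) plus the
    port's control type and mandatory domain."""
    stats = {}
    for key, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        stats[key] = int(m.group(1)) if m else None
    m = re.search(r"Mandatory authentication domain:\s*(\S+)", text)
    stats["mandatory_domain"] = m.group(1) if m else None
    m = re.search(r"Port Control Type is (\S+)", text)
    stats["port_control"] = m.group(1) if m else None
    return stats


def diagnose(stats):
    """Return (code, explanation) pairs, most specific first."""
    def n(key):
        return stats.get(key) or 0  # a missing counter counts as 0

    findings = []
    if n("resp_identity") and n("req_challenge") == 0 and n("eap_fail"):
        findings.append(("NO_CHALLENGE",
            "supplicants sent Response/Identity but the switch never relayed an "
            "EAP challenge: no Access-Challenge came back from RADIUS, so the "
            "session failed before any credential was checked. Look at the "
            "switch-to-server leg: RADIUS client entry (NAS IP), shared secret, "
            "and whether the server logs the Access-Request at all."))
    elif n("resp_challenge") and n("eap_success") == 0 and n("eap_fail"):
        findings.append(("REJECT_AFTER_CHALLENGE",
            "challenges were exchanged and still every session failed: the "
            "server answered, so check the NPS policy and the EAP type/credentials."))
    if n("req_identity") > 5 * max(n("resp_identity"), 1):
        findings.append(("UNANSWERED_IDENTITY",
            "most Request/Identity frames got no reply (heuristic 5:1): the "
            "multicast trigger keeps polling a host whose supplicant is not "
            "running, or that gave up after earlier failures."))
    if n("eap_success") == 0 and n("online_users") == 0:
        findings.append(("NO_SUCCESS", "no session has ever authenticated on this port."))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(parse_dot1x_display(SAMPLE)):
        print("%-24s %s" % (code, why))
```

    Paste the full output of the command into SAMPLE (or read it from a file) to run it against another port; the parser only needs the counter lines and the two port-state lines it searches for.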



  • 4.  RE: Wired authentication failed

    Posted Jan 30, 2017 08:25 AM

    Is there any configuration template that I can use?

    One that contains the port configuration and the switch global configuration?

    Thanks



  • 5.  RE: Wired authentication failed

    Posted Jan 30, 2017 09:42 AM

    Don't get me wrong, but you have set your NAS-IP to the same as your RADIUS server IP.

    As per RFC 2865:

    This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.

    So this is supposed to be the source IP of your switch making the request to the RADIUS server. Do you have the NAS-IP (switch IP) configured at the RADIUS server as a RADIUS client with the same secret? Otherwise your RADIUS (NPS) is not answering the request at all.



  • 6.  RE: Wired authentication failed

    Posted Jan 31, 2017 02:05 AM

    Thanks for the information. Now my configs are as follows:

    radius nas-ip 10.211.10.18
    domain default enable system
    dot1x
    dot1x authentication-method eap
    radius scheme radius1
    primary authentication 10.211.0.53
    primary accounting 10.211.0.53
    key authentication cipher password
    key accounting cipher password
    user-name-format without-domain
    nas-ip 10.211.10.18
    #
    domain system
    authentication lan-access radius-scheme radius1 local
    authorization lan-access radius-scheme radius1 local
    accounting lan-access radius-scheme radius1 local
    access-limit enable 30
    state active
    idle-cut enable 20 10240
    self-service-url disable

     

    interface GigabitEthernet5/0/1
    port link-mode bridge
    port access vlan 11
    undo voice vlan mode auto
    voice vlan 110 enable
    apply poe-profile index 1
    stp edged-port enable
    dot1x re-authenticate
    undo dot1x handshake
    dot1x mandatory-domain system
    dot1x port-method portbased
    dot1x

    Is it correct?




  • 7.  RE: Wired authentication failed

    Posted Feb 16, 2017 04:27 AM

    What happens on your RADIUS server? Did you already debug messages to/from it?

    Do you see Access-Request messages arriving?

    Does your RADIUS server answer with Access-Accept?
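    What the RADIUS side actually checks before it answers, as an added example that is not code from the thread, from Comware or from NPS: the Python below builds the Access-Request a NAS sends after EAP-Response/Identity (with the NAS-IP-Address attribute discussed in reply 5), applies the client lookup by source IP and the Message-Authenticator check a server performs before replying, and verifies the Response Authenticator of the Access-Reject/Accept with the shared secret the way the switch does. An unregistered NAS IP or a differing secret produces no reply at all (RFC 2865 and RFC 3579 both require a silent discard), which is the "no Access-Accept, no Access-Reject" case asked about above. The shared secret, user name and EAP payload are constructed; the IPs are the thread's.

```python
"""RADIUS Access-Request / response handling for the 802.1X case above
(RFC 2865 section 3, RFC 3579 section 3.2). Added example, not code from
the thread, Comware or NPS: secret, user name and EAP payload are
constructed; the IPs are the thread's (switch 10.211.10.18)."""
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 5, 79, 80

SWITCH_IP = "10.211.10.18"             # the NAS; the value nas-ip should carry
SECRET = b"constructed-shared-secret"  # assumed; must be identical on both ends
NPS_CLIENTS = {SWITCH_IP: SECRET}      # RADIUS clients as registered on the server

def encode_attrs(attrs):
    """Type(1) Length(1) Value; Length includes the 2-byte header."""
    out = b""
    for typ, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out

def parse_attrs(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        typ, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((typ, packet[pos + 2:pos + length]))
        pos += length
    return attrs

def _packet(code, identifier, authenticator, body):
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def build_access_request(identifier, request_auth, attrs, secret):
    """EAP-Message requires Message-Authenticator: HMAC-MD5(secret) over the
    whole packet with that attribute's value zeroed (RFC 3579)."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = _packet(ACCESS_REQUEST, identifier, request_auth, body)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    attrs = parse_attrs(packet)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        return False
    zeroed = _packet(packet[0], packet[1], packet[4:20], encode_attrs(
        [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]))
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), macs[0])

def nas_ip_address(packet):
    for t, v in parse_attrs(packet):
        if t == NAS_IP_ADDRESS:
            return socket.inet_ntoa(v)
    return None

def server_check(packet, source_ip, clients):
    """What a server such as NPS does before answering: look the client up by
    UDP source IP, then verify the Message-Authenticator with that client's
    secret. Both failures are silent discards, which the switch sees as a
    timeout rather than an Access-Reject."""
    secret = clients.get(source_ip)
    if secret is None:
        return False, "source %s is not a registered RADIUS client: dropped" % source_ip
    if not verify_message_authenticator(packet, secret):
        return False, "Message-Authenticator mismatch (shared secret differs): dropped"
    nas_ip = nas_ip_address(packet)
    if nas_ip != source_ip:
        return True, "accepted, but NAS-IP-Address %s is not the NAS (%s)" % (nas_ip, source_ip)
    return True, "accepted"

def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """NAS-side check; with a differing secret the switch discards the reply."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def make_request(nas_ip=SWITCH_IP, secret=SECRET, identifier=7):
    """The Access-Request the switch sends after EAP-Response/Identity."""
    request_auth = bytes(range(16))  # fixed for reproducibility; a real NAS uses random bytes
    identity = b"FMC\\user1"
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity  # EAP Response/Identity
    attrs = [(USER_NAME, identity), (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
             (NAS_PORT, struct.pack("!I", 1)), (EAP_MESSAGE, eap)]
    return build_access_request(identifier, request_auth, attrs, secret)

if __name__ == "__main__":
    req = make_request()
    print(server_check(req, SWITCH_IP, NPS_CLIENTS), server_check(req, "10.211.0.53", NPS_CLIENTS))
    print(verify_response(build_response(ACCESS_REJECT, req, [], SECRET), req, SECRET))
```

    The second server_check call is the first post's situation: a request arriving from an address the server has no client entry for is dropped without a reply, so the switch sees only its server timeout and then falls through to the "local" method in the domain, which fails for a domain account. Once the switch's own address is the registered client with the matching secret, the reply's Response Authenticator verifies and the Accept/Reject the server sends actually reaches the user.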