Help 802.1x activation on HP Comware 7 switch with clearpass... ??

  • 1.  Help 802.1x activation on HP Comware 7 switch with clearpass... ??

    Posted 9 days ago

    Hello,

    We are trying to configure 802.1X on an HP Comware 7 switch with ClearPass 6.12.1. The switch configuration is:

    Switch Comware 7:
    #
    port-security enable
    port-security mac-move permit
    dot1x authentication-method eap
    mac-authentication domain clearpass.radius.tacacs
    #
    radius scheme Clearpass.radius
    primary authentication xxx.xxx.xxx.xxx key simple xxxxxx
    primary accounting xxx.xxx.xxx.xxx key simple xxxxxx
    user-name-format without-domain
    accounting-on enable
    #
    domain clearpass.radius.tacacs
     authentication login hwtacacs-scheme tacacs local
     authorization login hwtacacs-scheme tacacs local
     accounting login hwtacacs-scheme tacacs local
     authorization command hwtacacs-scheme tacacs local
     accounting command hwtacacs-scheme tacacs
     authentication lan-access radius-scheme clearpass.radius local
     authorization lan-access radius-scheme clearpass.radius local
     accounting lan-access radius-scheme clearpass.radius local
    #
    domain default enable clearpass.radius.tacacs
    #
    Example for the interface:
    interface GigabitEthernet1/0/5
     port link-type hybrid
     port hybrid vlan 1 untagged
     mac-vlan enable
     stp edged-port
     stp tc-restriction
     lldp admin-status disable
     poe enable
     undo dot1x handshake
     undo dot1x multicast-trigger
     mac-authentication max-user 6
     mac-authentication host-mode multi-vlan
     port-security port-mode userlogin-secure-or-mac-ext

    We have some problems:

    1- ClearPass Bounce Switch Port doesn't work with Comware 7; it gives an error:

    No response from network device

    2- MAC addresses appear on incorrect ports

    3- ClearPass doesn't receive requests from the switch; when I debug the log I see only this error:

    Dropped received EAP packet: The packet's Vlan isn't allowed in the port.

    Are we missing something in the Comware 7 switch configuration?

    Thank you



  • 2.  RE: Help 802.1x activation on HP Comware 7 switch with clearpass... ??

    Posted 8 days ago

    Hi, MohammadH

    This is my config for Comware.

    For interfaces:

     port link-type hybrid
     port hybrid vlan 1 untagged
     mac-vlan enable
     stp edged-port
     poe enable
     undo dot1x handshake
     dot1x max-user 4
     undo dot1x multicast-trigger
     dot1x after-mac-auth max-attempt 1
     mac-authentication max-user 4
     mac-authentication host-mode multi-vlan
     port-security max-mac-count 4
     port-security port-mode userlogin-secure-or-mac-ext
     dhcp snooping binding record

    Radius Scheme:

     primary authentication x.x.x.x
     primary accounting x.x.x.x
     accounting-on enable
     key authentication cipher xx
     key accounting cipher xx
     user-name-format without-domain
     nas-ip interface LoopBack0

    For Bounce Switch Port:

    radius dynamic-author server
    client ip x.x.x.x key simple xxxxxx
    quit

    General config:

    dhcp snooping enable

    dhcp snooping client-detect

     dot1x authentication-method eap
     dot1x quiet-period
     dot1x retry 3
     dot1x timer quiet-period 30
     dot1x timer handshake-period 30
     dot1x access-user log enable abnormal-logoff failed-login normal-logoff successful-login

    #
     mac-authentication domain xxxxx
     mac-authentication user-name-format mac-address with-hyphen uppercase   ### for "MAC addresses appear on incorrect ports" ###
    #
     port-security enable
     port-security mac-move permit
     port-security access-user log enable failed-authorization mac-learning violation vlan-mac-limit
    #

    Also, the vendor for Comware is: H3C
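As an added example (not from either poster), a small Python audit that checks a Comware config text for the three things this thread turns on: the `radius dynamic-author server` client that the bounce-port CoA needs, the MAC username format, and whether each domain's radius-scheme reference matches a defined scheme by exact name. The sample config and the 192.0.2.10 address are constructed; whether Comware compares scheme names case-sensitively is not confirmed here, so that finding is a prompt to verify rather than a verdict.

```python
import re

# Constructed sample modelled on the first post's config (not a real device dump):
# the scheme is defined as "Clearpass.radius" but referenced as "clearpass.radius",
# and there is no "radius dynamic-author server" block.
SAMPLE = """\
mac-authentication domain clearpass.radius.tacacs
#
radius scheme Clearpass.radius
 primary authentication 192.0.2.10 key simple placeholder
#
domain clearpass.radius.tacacs
 authentication lan-access radius-scheme clearpass.radius local
 authorization lan-access radius-scheme clearpass.radius local
#
"""

def sections(config):
    """Split a Comware config into blocks on the '#' separator lines."""
    blocks, cur = [], []
    for line in config.splitlines():
        if line.strip() == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line.strip():
            cur.append(line.strip())
    return blocks + ([cur] if cur else [])

def audit(config):
    """Return findings for the three problems raised in the thread."""
    blocks = sections(config)
    findings = []
    # 1. Bounce Switch Port is a RADIUS CoA; ClearPass must be a dynamic-author client.
    coa = [b for b in blocks if b[0].startswith("radius dynamic-author server")]
    if not coa or not any(l.startswith("client ip ") for l in coa[0]):
        findings.append("missing 'radius dynamic-author server' with a 'client ip' for ClearPass")
    # 2. The reply ties MAC entries on wrong ports to an unset MAC username format.
    if not any(l.startswith("mac-authentication user-name-format") for b in blocks for l in b):
        findings.append("mac-authentication user-name-format not set")
    # 3. Every radius-scheme a domain references must exist under that exact name.
    defined = {b[0].split()[2] for b in blocks if b[0].startswith("radius scheme ")}
    refs = {(b[0], m.group(1)) for b in blocks if b[0].startswith("domain ")
            for l in b for m in [re.search(r"radius-scheme (\S+)", l)] if m}
    for dom, name in sorted(r for r in refs if r[1] not in defined):
        near = [d for d in defined if d.lower() == name.lower()]
        hint = f" (defined as {near[0]!r}: check case)" if near else ""
        findings.append(f"{dom} references undefined scheme {name!r}{hint}")
    return findings
```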




  • 3.  RE: Help 802.1x activation on HP Comware 7 switch with clearpass... ??

    Posted 6 days ago

    Hello FF96,

    Thank you for sharing; I will test it this week. I forgot to mention we have IP phones connected to PCs.

     I have a question about some commands:

    About DHCP snooping: I only need it if DHCP is enabled on the switch, correct?

    Can you explain how dot1x works, or what you use it for?

    • dot1x quiet-period
    • dot1x retry 3
    • dot1x timer quiet-period 30
    • dot1x timer handshake-period 30

    For interfaces do I need this command?

    • dot1x max-user 6 // What is the default?
    • dot1x after-mac-auth max-attempt 1 // After mac-auth succeeds, the switch will try dot1x again, correct?
    • port-security max-mac-count 4 // When would we use it?
    • dhcp snooping binding record // What does it do exactly?

    Thank you




  • 4.  RE: Help 802.1x activation on HP Comware 7 switch with clearpass... ??

    Posted 5 days ago

    Hi,

    You can find all related explanations in the user manual: https://networkingsupport.hpe.com/

    "For interfaces do I need this command?"

    It depends on how you set up your infrastructure.

    Best Regards.