Original Message:
Sent: May 08, 2024 02:38 AM
From: GorazdKikelj
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hi Mohammad.
Did you select the vendor as H3C in the device definition, as @FF96 mentioned?
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: May 07, 2024 03:49 AM
From: MohammadH
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hello,
The problem with MAC addresses appearing on incorrect ports is still occurring after I use the
mac-authentication user-name-format mac-address with-hyphen uppercase ###---> for MAC addresses appear on incorrect ports####
Is there any other way to fix it?
Thank you
Original Message:
Sent: Apr 29, 2024 06:53 AM
From: FF96
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hi,
You can find all related explanations in the user manual: https://networkingsupport.hpe.com/
"For interfaces do I need this command?"
Depends on how you set up your infrastructure.
Best Regards.
Original Message:
Sent: Apr 28, 2024 03:32 AM
From: MohammadH
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hello FF96,
Thank you for sharing. I will test it this week. I forgot to mention that we have an IP phone to connect to a PC.
I have a question about some commands:
About DHCP snooping: I only need it if DHCP is enabled on the switch, correct?
Can you explain how dot1x works, or what you use it for?
- dot1x quiet-period
- dot1x retry 3
- dot1x timer quiet-period 30
- dot1x timer handshake-period 30
For interfaces, do I need these commands?
- dot1x max-user 6 // What is the default?
- dot1x after-mac-auth max-attempt 1 // After MAC auth succeeds, the switch will try dot1x again, correct?
- port-security max-mac-count 4 // When will we use it?
- dhcp snooping binding record // What does it do exactly?
Thank you
Original Message:
Sent: Apr 26, 2024 07:26 AM
From: FF96
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hi, MohammadH
This is my config for Comware.
For interfaces:
port link-type hybrid
port hybrid vlan 1 untagged
mac-vlan enable
stp edged-port
poe enable
undo dot1x handshake
dot1x max-user 4
undo dot1x multicast-trigger
dot1x after-mac-auth max-attempt 1
mac-authentication max-user 4
mac-authentication host-mode multi-vlan
port-security max-mac-count 4
port-security port-mode userlogin-secure-or-mac-ext
dhcp snooping binding record
Radius Scheme:
primary authentication x.x.x.x
primary accounting x.x.x.x
accounting-on enable
key authentication cipher xx
key accounting cipher xx
user-name-format without-domain
nas-ip interface LoopBack0
For Bounce Switch Port:
radius dynamic-author server
client ip x.x.x.x key simple xxxxxx
quit
General config:
dhcp snooping enable
dhcp snooping client-detect
dot1x authentication-method eap
dot1x quiet-period
dot1x retry 3
dot1x timer quiet-period 30
dot1x timer handshake-period 30
dot1x access-user log enable abnormal-logoff failed-login normal-logoff successful-login
#
mac-authentication domain xxxxx
mac-authentication user-name-format mac-address with-hyphen uppercase ###---> for MAC addresses appear on incorrect ports####
#
port-security enable
port-security mac-move permit
port-security access-user log enable failed-authorization mac-learning violation vlan-mac-limit
#
Also, the vendor for Comware is: H3C
Original Message:
Sent: Apr 25, 2024 03:12 AM
From: MohammadH
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hello,
We are trying to configure 802.1x activation on the HP Comware 7 switch with Clearpass 6.12.1. The switch configuration is:
Switch Comware 7:
#
port-security enable
port-security mac-move permit
dot1x authentication-method eap
mac-authentication domain clearpass.radius.tacacs
#
radius scheme Clearpass.radius
primary authentication xxx.xxx.xxx.xxx key simple xxxxxx
primary accounting xxx.xxx.xxx.xxx key simple xxxxxx
user-name-format without-domain
accounting-on enable
#
domain clearpass.radius.tacacs
authentication login hwtacacs-scheme tacacs local
authorization login hwtacacs-scheme tacacs local
accounting login hwtacacs-scheme tacacs local
authorization command hwtacacs-scheme tacacs local
accounting command hwtacacs-scheme tacacs
authentication lan-access radius-scheme clearpass.radius local
authorization lan-access radius-scheme clearpass.radius local
accounting lan-access radius-scheme clearpass.radius local
#
domain default enable clearpass.radius.tacacs
#
Example for the interface:
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid vlan 1 untagged
mac-vlan enable
stp edged-port
stp tc-restriction
lldp admin-status disable
poe enable
undo dot1x handshake
undo dot1x multicast-trigger
mac-authentication max-user 6
mac-authentication host-mode multi-vlan
port-security port-mode userlogin-secure-or-mac-ext
We have some problems:
1- Clearpass Bounce Switch Port doesn't work with Comware 7; it gives an error:
No response from network device
2- MAC addresses appear on incorrect ports
3- Clearpass doesn't receive requests from the switch. When I debug the log I see only this error:
Dropped received EAP packet: The packet's Vlan isn't allowed in the port.
Are we missing something on the Comware 7 switch?
Thank you
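
Added example, not from any poster in this thread: a small Python check that lists which commands from FF96's reference config have no counterpart in the configuration MohammadH first posted, treating masked values (x.x.x.x, xxxxx) and integers as wildcards. Both configs are abridged copies from the thread, and the function names are this example's own.

```python
import re

# Abridged from the two configs posted in this thread; values were already masked there.
REFERENCE = """
radius dynamic-author server
client ip x.x.x.x key simple xxxxxx
dot1x authentication-method eap
mac-authentication domain xxxxx
mac-authentication user-name-format mac-address with-hyphen uppercase
port-security enable
# interface level
undo dot1x handshake
dot1x max-user 4
dot1x after-mac-auth max-attempt 1
mac-authentication max-user 4
port-security max-mac-count 4
port-security port-mode userlogin-secure-or-mac-ext
"""
POSTED = """
port-security enable
dot1x authentication-method eap
mac-authentication domain clearpass.radius.tacacs
# interface GigabitEthernet1/0/5
undo dot1x handshake
mac-authentication max-user 6
port-security port-mode userlogin-secure-or-mac-ext
"""
MASK = re.compile(r"x+(\.x+)*", re.I)  # xxxx or x.x.x.x placeholders

def commands(text):
    """Config lines without '#' separators or trailing '//' and '###' remarks."""
    lines = (re.split(r"###|//", raw)[0].strip() for raw in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def to_pattern(ref_line):
    """Masked tokens match any value, integers match any integer."""
    parts = [r"\S+" if MASK.fullmatch(t) else r"\d+" if t.isdigit() else re.escape(t)
             for t in ref_line.split()]
    return re.compile(r"\s+".join(parts), re.I)

def missing(reference, candidate):
    """Reference commands with no counterpart in the candidate config."""
    cand = commands(candidate)
    return [r for r in commands(reference)
            if not any(to_pattern(r).fullmatch(c) for c in cand)]

if __name__ == "__main__":
    print("\n".join(missing(REFERENCE, POSTED)))
```

The first two lines it reports are the `radius dynamic-author server` block that FF96 lists under "For Bounce Switch Port".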