MAC-based VLAN assignment on HP switches


Hi,

We are using MAC-based RADIUS authentication to set ports in the correct VLAN for our different clients. I wrongly assumed I could use the same code I used on our 5120s on the new 5130 switch.

I get a successful authentication, but the port does not set up the assigned VLAN, and display mac-authentication indicates it is continuously reauthenticating. Authentication is successful according to logs on my RADIUS server though, so I am uncertain what is wrong.

Here is the config from the 5130; my original config from the 5120 is below. I am hoping someone can show me a working config, or otherwise point me to where I went wrong in mine.

radius scheme system
 primary authentication 1.2.3.4 key cipher xxxxxxx
 secondary authentication 5.6.7.8 key cipher xxxxxxxx
 key authentication cipher xxxxxx
 user-name-format without-domain
 nas-ip 10.10.10.11
#
domain system
 authentication lan-access radius-scheme system
 authorization lan-access radius-scheme system
#
 domain default enable system

interface GigabitEthernet2/0/17
 description Test-port for vlan240 windows machine
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 230 untagged
 port hybrid pvid vlan 230
 mac-vlan enable
 broadcast-suppression pps 3000
 multicast-suppression pps 3000
 stp edged-port
 lldp admin-status disable
 qos trust dscp
 mac-authentication
 mac-authentication guest-vlan 232
#

[5130-GigabitEthernet2/0/17]dis mac-authentication  int g 2/0/17
Global MAC authentication parameters:
   MAC authentication     : Enabled
   User name format       : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
           Username       : mac
           Password       : Not configured
   Offline detect period  : 300 s
   Quiet period           : 60 s
   Server timeout         : 100 s
   Authentication domain  : system
 Max MAC-auth users       : 4294967295 per slot
 Online MAC-auth users    : 0

 Silent MAC users:
          MAC address       VLAN ID  From port               Port index

 GigabitEthernet2/0/17  is link-up
   MAC authentication         : Enabled
   Authentication domain      : Not configured
   Auth-delay timer           : Disabled
   Re-auth server-unreachable : Logoff
   Guest VLAN                 : 232
   Critical VLAN              : Not configured
   Host mode                  : Single VLAN
   Max online users           : 4294967295
   Authentication attempts    : successful 19, failed 0
   Current online users       : 0
          MAC address       Auth state

The corresponding working config from a 5120 looks like this (there are some small differences, but I am deeming them extremely unlikely to have the effect I am seeing):

radius scheme system
 primary authentication 1.2.3.4 key cipher xxxxxxx
 primary accounting 127.0.0.1 1646
 secondary authentication 5.6.7.8 key cipher xxxxxxxx
 key authentication cipher xxxxxx
 user-name-format without-domain
 nas-ip 10.11.12.13
#
domain system
 authentication lan-access radius-scheme system
 authorization lan-access radius-scheme system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
interface GigabitEthernet1/0/15
 port link-type hybrid
 port hybrid vlan 1 untagged
 mac-vlan enable
 broadcast-suppression pps 3000
 multicast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
 mac-authentication
 mac-authentication guest-vlan 1234
 lldp admin-status disable
 qos trust dscp
#

<5120_A2>dis mac-authentication
MAC address authentication is enabled.
 User name format is MAC address in lowercase,like xx-xx-xx-xx-xx-xx
 Fixed username:mac
 Fixed password:not configured
         Offline detect period is 300s
         Quiet period is 60s
         Server response timeout value is 100s
         The max allowed user number is 1024 per slot
         Current user number amounts to 19
         Current domain is system

Silent MAC User info:
         MAC Addr         From Port                    Port Index

GigabitEthernet1/0/26 is link-up
  MAC address authentication is enabled
  Authenticate success: 2, failed: 0
  Max number of on-line users is 256
  Current online user number is 1
         MAC Addr         Authenticate State           Auth Index
         abcd-abcd-abcd   MAC_AUTHENTICATOR_SUCCESS     4
GigabitEthernet1/0/27 is link-down

  • 9th August 2007, 01:43 PM#1


    MAC Based vlan allocation with procurve switches (11x)

    Well, I have some HP ProCurves, 2626s mainly. I also have two Cisco 2948Gs.

    With the Ciscos I set up a TFTP server, created a VLAN/MAC pairing file, set one of the switches to read the file and be a server for VMPS, set both Ciscos to be clients of the server Cisco, set the ports I wanted to be dynamic and, quite disturbingly, it all worked. I connect a client with a known MAC and it gets the correct VLAN... happy me.

    So I now move on to the ProCurves (I did these second for a reason!).

    I know they can do MAC-based authentication against a RADIUS server, and a RADIUS server can return the VLAN the client should have. I know this CAN be done, but I haven't the foggiest how!

    I have a ProCurve set with one port to use mac-based port-access. I have the RADIUS settings with the correct IP and secret key for a newly created IAS RADIUS server on one of my domain controllers. When I also set an auth-vlan and an unauth-vlan, I can get the switch to fail to auth and dump the client onto the unauth-vlan. What I cannot do is get the ProCurve to successfully auth against the RADIUS server (nothing shows in the IAS logs; it hasn't even created any!).

    So what I am looking for (because I think I have the ProCurve set up right-ish) is how to configure an IAS RADIUS server to work with my ProCurves.

    Oh yes, I have a user in AD with the username and password set to the MAC (no formatting, and the ProCurve is set to send an unformatted MAC); the password is reversible and dial-up is set to allow.

    Anyway... please help. I haven't been able to find a complete guide on the net and have only picked up snippets here and there.

    Oh yeah, after I get auth working, I still have no clue how to get the RADIUS server to respond with the right VLAN...

    Thanks in advance!
  • 9th August 2007, 02:17 PM#3


    Re: MAC Based vlan allocation with procurve switches (11x)

    Okay, so I've found out how to get IAS to send the VLAN ID back to the ProCurve; now if I could just get them to talk to each other in the first place!

  • 9th August 2007, 03:14 PM#7


    Re: MAC Based vlan allocation with procurve switches (11x)

    Never mind, I found it. Because mac-based only uses CHAP, you have to untick "Client must always send the signature attribute".

  • 21st September 2008, 03:04 AM#14



    Hi All,

    I want to do MAC address authentication for some printers and a few other devices on a ProCurve 2600 switch, with RADIUS (IAS). I have a couple of questions and will really appreciate guidance on this.

    1. I understand that I need to create a separate group in AD for the MAC authentication user accounts, with each account's username and password being the same, and to clear password complexity under the security policy so that I am allowed to have the password be the same as the username. Can this relaxation of the password security policy be applied only to this MAC authentication group?

    2. When the switch forwards the username and password (both the MAC address) to IAS, and IAS then relays them to AD for validation, AD will expect a domain name to be supplied as well. How does the domain name get appended to the MAC authentication credentials sent by the switch to IAS?

    3. Since I am not doing MAC authentication for user Windows machines, I believe the accounts do not need to be stored with reversible MD5 encryption. Please clarify this as well.

    Thanks a lot.
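
The exchange the thread is about, as an added Python example that is not part of any of the posts above: the MAC-based Access-Request the switch sends (CHAP, as post #7 found the ProCurve uses, or PAP), the server-side CHAP check that lies behind the reversible-encryption question in the last post, and the Access-Accept carrying the VLAN that post #3 got IAS to return. Packet format follows RFC 2865 and the VLAN attributes follow RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN ID). The MAC address, shared secret, Request Authenticator and the server's reply are all constructed here so that it runs offline; the function names are the example's own, not an API of IAS or of either switch family.

```python
"""Added example (not from the original posts): one RADIUS MAC-authentication
exchange with a RADIUS-assigned VLAN, following RFC 2865 and RFC 3580.
Switch side: Access-Request with User-Name = password = client MAC (CHAP or PAP).
Server side: verify the CHAP response (needs the cleartext password on file)
and answer with the Tunnel-* attributes.  Switch side again: verify the
Response Authenticator with the shared secret, then read the VLAN.
MAC, secret, authenticator and packets are constructed; nothing is sent."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                          # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6              # RFC 3580 section 3.31 values

def encode_attrs(attrs):
    """Type-Length-Value encoding; the length octet covers its own 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def pap_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pw = password.ljust(-(-len(password) // 16) * 16, b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_mac_auth_request(mac, secret, ident, req_auth, use_chap=True):
    """Switch side: username and password are both the MAC, as the switches in the thread send it."""
    mac = mac.encode()
    attrs = [(USER_NAME, mac)]
    if use_chap:  # CHAP-Password = chap_id || MD5(chap_id || password || challenge)
        chap_id = bytes([ident])
        attrs.append((CHAP_PASSWORD, chap_id + hashlib.md5(chap_id + mac + req_auth).digest()))
        attrs.append((CHAP_CHALLENGE, req_auth))
    else:
        attrs.append((USER_PASSWORD, pap_password(secret, req_auth, mac)))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def server_check_chap(packet, cleartext_passwords):
    """Server side: a CHAP response can only be checked against the cleartext password,
    which is why a directory-backed RADIUS server needs reversibly stored passwords for CHAP."""
    attrs = dict(decode_attrs(packet[20:]))
    user, chap = attrs[USER_NAME], attrs[CHAP_PASSWORD]
    challenge = attrs.get(CHAP_CHALLENGE, packet[4:20])  # no challenge attribute: use Request Authenticator
    password = cleartext_passwords.get(user.decode())
    if password is None:
        return False
    return hmac.compare_digest(chap[1:], hashlib.md5(chap[:1] + password.encode() + challenge).digest())

def build_access_accept(secret, ident, req_auth, vlan):
    """Server side: the three attributes a switch needs for a RADIUS-assigned VLAN.
    Tunnel attributes carry a leading tag octet; tag 0 is used here."""
    attrs = [(TUNNEL_TYPE, b"\0" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
             (TUNNEL_MEDIUM_TYPE, b"\0" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
             (TUNNEL_PRIVATE_GROUP_ID, b"\0" + str(vlan).encode())]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body  # Response Authenticator

def assigned_vlan(packet, secret, req_auth):
    """Switch side: verify the Response Authenticator with the shared secret, then read the VLAN.
    Returns Tunnel-Private-Group-ID as text (it may be a VLAN name, not only an ID) or None."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    body = packet[20:]
    if not hmac.compare_digest(packet[4:20], hashlib.md5(packet[:4] + req_auth + body + secret).digest()):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    ttype = medium = group = None
    for t, v in decode_attrs(body):
        if t == TUNNEL_TYPE:
            ttype = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            group = v[1:] if v and v[0] <= 0x1F else v  # strip the tag octet only when one is present
    if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE802 and group:
        return group.decode()
    return None

def demo(mac="abcd-abcd-abcd", vlan=240, secret=b"constructed-secret"):
    """Whole exchange for one constructed client; returns the VLAN the switch would apply."""
    req_auth = hashlib.md5(b"fixed-for-reproducibility").digest()  # a real switch uses 16 random bytes
    request = build_mac_auth_request(mac, secret, 7, req_auth)
    if not server_check_chap(request, {mac: mac}):  # password on file is the MAC, as in the thread
        return None
    return assigned_vlan(build_access_accept(secret, 7, req_auth, vlan), secret, req_auth)
```

demo() returns "240", the VLAN the switch would put the port in. Two things the code makes concrete: assigned_vlan() only trusts the VLAN after the Response Authenticator checks out against the shared secret, so a wrong secret on either side fails closed instead of silently leaving the port where it was; and server_check_chap() needs the cleartext password on file to recompute the CHAP digest, which is the reason the MAC-auth accounts in IAS/AD must store their password with reversible encryption when the switch authenticates with CHAP (with PAP the server recovers the cleartext password from the request itself and can compare it against a one-way hash).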

