#1 (pantscat)

802.1x authentication - HP Procurve network

    I would like to setup 802.1x authentication for my wired HP Procurve network (I've already got it up and running on my wireless network).

    I've got an HP Procurve LAN and use NPS on 2008R2 to do the RADIUS side of things. It uses machine-based AD authentication (e.g. checks that the machine is a member of the domain before authenticating it)

    I know how to setup bog-standard 802.1x machine authentication for wired connections but my brain is starting to hurt when I think about these things:

    1. How do I deal with non-802.1x compliant devices (such as printers, VoIP phones... etc.)? It would be nice if NPS could do AD-authentication or Mac-address authentication to cater for this. What do other people do?

    2. I'm doing a VoIP roll-out over the summer... can I setup my HP network to authenticate two devices on one port? e.g. the VoIP phone would need to be mac-address authenticated, but if a PC is plugged into the onboard switch could that then be authenticated using AD-authentication?

    2a. ...and would each device be put into a separate VLAN?

    3. FOG server... obviously I'll still need to allow PXE booting for FOG devices. I'm guessing that I could probably do this with an unauthenticated VLAN and put an ACL in place to allow VLAN routing to my FOG server. Has anyone done this?

    Thanks in advance to any replies,

    Ant

#2 (Geoff)

1. You either whitelist them (in the example of printers), or have them dumped into a separate VLAN (perhaps the best idea for your VoIP), or isolate them.
2. VoIP phones should be 802.1Q aware. This should solve the issue for you.
3. This is related to 1. If you sort point 1 out then this should fall into place as well.

#3 (DMcCoy)

Quote Originally Posted by pantscat: [the opening post, quoted in full]
I did this a few years ago; let's say it's a lot less painful with Vista/7 than XP, as the logon process now waits for authentication. I also returned a dynamic VLAN for the machine based on AD group.

For printers etc. I switched the ports to MAC auth. You can do it with NPS, but you need to put a registry key back for MD5 auth: the Microsoft Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) implementation is being deprecated from versions of Windows.

Use dashed-format MAC, create user accounts with the MAC (LOWERCASE!), enable reversible encryption for that user, and set the password to the MAC. You can change the number of devices allowed on an authenticated port, but this can get a little complicated due to needing the same auth type and VLAN (you can only return *one* untagged VLAN with the HP/NPS combo).

    FOG/Ghost/WDS is a lot easier with 802.1x and unauth vlan as you can put the server in that vlan.

    It can be a long process with a lot of testing, but it is worth the effort, machine based dynamic vlans and vlan acls are very useful.
    Last edited by DMcCoy; 20th April 2012 at 01:08 PM.

#4 (pantscat)

    @DMcCoy Thanks for this - good advice.

    How did you do the dynamic VLANs? Was this with NPS?

    For the printers do you need to change the config on the switch ports?

    Seems that the VoIP side of things might be a tad trickier... I'll have to have a think about that if only one auth type can be used.

    Hadn't thought of sticking the FOG server in the unauth VLAN - that's nice and straight-forward.

#5 (DMcCoy)

You can return a VLAN to the switch with NPS. I had all 802.1x and MAC auth ports default to untagged in the unauthenticated VLAN; the authentication then returned the VLAN to the switch on auth (this becomes the untagged VLAN; other VLANs may not work, even when tagged). It's easier to use computer auth for this, but you can do user-based if required (more painful though).

The printer ports were changed to MAC auth on the switch, although some now support 802.1x. For Apples, they now have better 802.1x support, but I was using them on MAC-based at the time.

I had limited access for unauthenticated machines: access to the DCs for group policy, DNS, time and to join the domain.

#6 (pantscat)

    How do you configure the switches to get the dynamic VLAN from NPS? That does sound cool!

    For the printers did you just have a list of allowed MAC addresses configured on the switch?

#7 (DMcCoy)

On NPS you can return the VLAN in the auth reply, for both 802.1x and MAC. This is then used by the switch while the port is authenticated. MAC auth ports for printers just had users created in AD, with the right group membership, for the device MAC; the switch still sends the request to the RADIUS server, which is why you need to enable MD5-CHAP auth to use it.
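The recipe in posts #3 and #7 (one AD user per device, dashed lowercase MAC as both username and password, reversible encryption on, group membership deciding the VLAN NPS hands back) is easy to get subtly wrong at scale: a MAC pasted in colon or Cisco dotted form, an uppercase account name, or the same device entered twice. The following is an added example, not code from the thread or from HP or Microsoft: it normalises an inventory into the account set NPS will check and the RADIUS tunnel attributes (RFC 3580 values) the network policy must return. The group names and VLAN IDs in VLAN_FOR_GROUP and the sample inventory are assumptions; the thread names neither.

```python
import re

# RFC 3580 values NPS returns so the ProCurve moves the port to a VLAN.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Assumed AD group -> VLAN mapping; the thread gives no group names or VLAN IDs.
VLAN_FOR_GROUP = {
    "MACAuth-Printers": 20,
    "MACAuth-VoIP": 30,
}


def normalize_mac(raw: str) -> str:
    """Return the MAC in the dashed lowercase form used for the AD account, e.g. 00-1a-2b-3c-4d-5e.

    Accepts colon, dash, dotted and bare forms. Rejects anything that is not exactly
    12 hex digits and rejects multicast addresses, which no real client uses as a source.
    """
    digits = re.sub(r"[:\-.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"multicast MAC cannot be a client: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def radius_vlan_reply(vid: int) -> dict:
    """Attributes an NPS network policy must return for the switch to assign the VLAN.

    Only one untagged VLAN is honoured by the HP/NPS combination, as the thread notes,
    so a policy returns exactly one Tunnel-Private-Group-ID.
    """
    if not 1 <= vid <= 4094:
        raise ValueError(f"invalid VLAN id {vid}")
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vid),
    }


def mac_auth_account(raw_mac: str, group: str) -> dict:
    """Describe the AD user NPS checks for one MAC-authenticated device.

    Username and password are both the dashed lowercase MAC, and the account needs
    'store password using reversible encryption' so NPS can complete EAP-MD5 / MD5-CHAP.
    """
    if group not in VLAN_FOR_GROUP:
        raise KeyError(f"no VLAN mapping for group {group!r}")
    mac = normalize_mac(raw_mac)
    return {
        "sAMAccountName": mac,
        "password": mac,
        "reversible_encryption": True,
        "group": group,
        "radius_reply": radius_vlan_reply(VLAN_FOR_GROUP[group]),
    }


def provisioning_plan(devices: list) -> list:
    """Build accounts for (mac, group) pairs, refusing duplicate MACs.

    A duplicate means either two inventory rows for one device or two devices claiming
    one address; one account per MAC is the invariant MAC auth relies on.
    """
    seen = set()
    plan = []
    for raw_mac, group in devices:
        account = mac_auth_account(raw_mac, group)
        if account["sAMAccountName"] in seen:
            raise ValueError(f"duplicate MAC {account['sAMAccountName']}")
        seen.add(account["sAMAccountName"])
        plan.append(account)
    return plan


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the thread.
    inventory = [
        ("00:1A:2B:3C:4D:5E", "MACAuth-Printers"),
        ("001a.2b3c.4d5f", "MACAuth-VoIP"),
    ]
    for acct in provisioning_plan(inventory):
        print(acct["sAMAccountName"], acct["group"],
              "VLAN", acct["radius_reply"]["Tunnel-Private-Group-ID"])
```

Worth keeping in mind when using this: MAC auth identifies a device, it does not authenticate it. The "password" is the MAC, which is visible on the wire to anyone on the segment, so a VLAN reached by MAC auth should be ACLed as tightly as the unauthenticated VLAN rather than treated like an 802.1x-authenticated one.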

#8 (pantscat)

    Super - thanks very much.

    Play-time now!

#9 (pantscat)

    @DMcCoy What ACLs do you use to allow the guest VLAN to access your DCs for Group Policy and to join the domain?

    Thanks for your help btw, I've got the dynamic VLANs working beautifully!

#10 (DMcCoy)

Quote Originally Posted by pantscat:
    @DMcCoy What ACLs do you use to allow the guest VLAN to access your DCs for Group Policy and to join the domain?

    Thanks for your help btw, I've got the dynamic VLANs working beautifully!
These are the ACLs I was using: two DCs, 10.0.7.1 and 10.0.7.2; the guest range was 10.0.8.x. You need the ping response for GPO IIRC. I allowed file access so that the GPOs could be downloaded by joined clients if they failed auth (the 802.1x policy was defined in it!).
DCs have RPC set to the range 49152-50152.

    ip access-list extended "GuestI"

    10 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 68
    20 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 53
    30 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 53
    40 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 88
    50 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 88
    60 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 123
    70 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 range 135 139
    80 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 range 135 139
    90 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 445
    100 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 445
    110 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 389
    120 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 389
    130 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 636
    140 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 636
    150 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 464
    160 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 1288
    170 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 1288
    180 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 range 49152 50152
    190 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 range 49152 50152
    200 permit icmp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 8
    210 permit icmp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 0
    220 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 68
    230 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 53
    240 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 53
    250 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 88
    260 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 88
    270 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 123
    280 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 range 135 139
    290 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 range 135 139
    300 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 445
    310 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 445
    320 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 389
    330 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 389
    340 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 636
    350 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 636
    360 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 464
    370 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 1288
    380 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 1288
    390 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 range 49152 50152
    400 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 range 49152 50152
    410 permit icmp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 8
    420 permit icmp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 0
    430 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
    exit
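An ACL like the one above is exactly the sort of thing to check before trusting it, because a domain join or GPO refresh that fails on the guest VLAN shows up as a vague client error, not as a hit on the logging deny. The following is an added example, not part of the post or of HP's tooling: a small evaluator for ProCurve-style extended ACL lines (wildcard masks, eq/range ports, ICMP type, first match wins, implicit deny) run over an excerpt of the posted ACL (the 10.0.7.1 rules plus the final deny) and a list of the flows a Windows client needs to reach a DC. The client address 10.0.8.25 and the DOMAIN_JOIN_FLOWS list are my assumptions, not from the thread.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Excerpt of the ACL posted above: the rules for DC 10.0.7.1 plus the final deny.
GUEST_ACL = """
ip access-list extended "GuestI"
10 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 68
20 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 53
30 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 53
40 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 88
50 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 88
60 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 123
70 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 range 135 139
90 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 445
110 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 389
120 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 389
150 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 464
180 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 range 49152 50152
200 permit icmp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 8
430 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
exit
"""

# Flows a Windows client needs towards a DC to join and pull group policy (assumed list).
DOMAIN_JOIN_FLOWS = [
    ("udp", 53), ("tcp", 53),       # DNS
    ("udp", 88), ("tcp", 88),       # Kerberos
    ("udp", 123),                   # NTP: W32Time uses UDP
    ("tcp", 135),                   # RPC endpoint mapper
    ("tcp", 389), ("udp", 389),     # LDAP
    ("tcp", 445),                   # SMB for SYSVOL/NETLOGON (GPO download)
    ("udp", 464), ("tcp", 464),     # kpasswd
    ("tcp", 49152),                 # first port of the DCs' fixed RPC range
]


@dataclass
class Rule:
    seq: int
    action: str
    proto: str                      # ip, tcp, udp or icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple[int, int] | None   # destination port range for tcp/udp, None = any
    icmp_type: int | None           # None = any type


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an ACL wildcard mask (0.0.0.255 = /24, 0.0.0.0 = /32) into a network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:                 # must be 2^k - 1, i.e. contiguous low bits
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - (w + 1).bit_length() + 1
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_acl(text: str) -> list[Rule]:
    """Parse numbered permit/deny lines; header, 'exit' and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or not tok[0].isdigit():
            continue
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src = wildcard_to_network(tok[3], tok[4])
        dst = wildcard_to_network(tok[5], tok[6])
        rest = tok[7:]
        ports = icmp_type = None
        if proto in ("tcp", "udp") and rest:
            if rest[0] == "eq":
                ports = (int(rest[1]), int(rest[1]))
            elif rest[0] == "range":
                ports = (int(rest[1]), int(rest[2]))
        elif proto == "icmp" and rest and rest[0].isdigit():
            icmp_type = int(rest[0])
        rules.append(Rule(seq, action, proto, src, dst, ports, icmp_type))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, dport=None, icmp_type=None):
    """First matching rule wins; no match is the switch's implicit deny (seq None)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.ports and (dport is None or not r.ports[0] <= dport <= r.ports[1]):
            continue
        if r.icmp_type is not None and icmp_type != r.icmp_type:
            continue
        return r.action, r.seq
    return "deny", None


def missing_flows(rules, client_ip, dc_ip):
    """Return the domain-join flows the ACL does not permit from client to DC."""
    return [(p, port) for p, port in DOMAIN_JOIN_FLOWS
            if evaluate(rules, client_ip, dc_ip, p, port)[0] != "permit"]


if __name__ == "__main__":
    acl = parse_acl(GUEST_ACL)
    print("blocked:", missing_flows(acl, "10.0.8.25", "10.0.7.1"))
```

Run against the excerpt, the check reports udp/123 and tcp/464 as not permitted: the posted rules allow 123 over TCP only, while W32Time talks NTP over UDP, and kpasswd is permitted over UDP only. Whether those matter for a given deployment depends on what the clients actually do on the guest VLAN, but that is the kind of answer worth having before the ACL goes on a port, and the same evaluator will take the full list above or a fresh `show access-list` dump.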

#11 (pantscat)

    Wow... that's very cool.

    Thanks very much indeed. I owe you one.

#12 (chazzy2501)

I'd love to do what you guys are doing; I'm running a flat network with no additional security. Could you recommend some lab documents for me to get started on? Could I use 802.1x without VLANs just to keep rogue devices from my network? And with wireless... I have basic VLAN knowledge but haven't really understood the routing aspect yet, although I do have L3 switches at the root of my network. (Just don't want to test on my real network yet.)

    oh and what is NPS?

#13 (pantscat)

    NPS is Network Policy Server (See here: Network Policy Server)

    I can't remember what I read that made me think all of this was a good idea (and it is, although I'm only really getting around to properly implementing it now.) - but this (Security Solutions: 802.1X And Guest VLANs - HP ProCurve Networking) looks like a good place to start.
