Wired Networks thread (Technical forum): 802.1x authentication - HP Procurve network
20th April 2012, 12:45 PM #1 802.1x authentication - HP Procurve network
I would like to setup 802.1x authentication for my wired HP Procurve network (I've already got it up and running on my wireless network).
I've got an HP Procurve LAN and use NPS on 2008R2 to do the RADIUS side of things. It uses machine-based AD authentication (e.g. checks that the machine is a member of the domain before authenticating it)
I know how to setup bog-standard 802.1x machine authentication for wired connections but my brain is starting to hurt when I think about these things:
1. How do I deal with non-802.1x compliant devices (such as printers, VoIP phones... etc.)? It would be nice if NPS could do AD-authentication or Mac-address authentication to cater for this. What do other people do?
2. I'm doing a VoIP roll-out over the summer... can I setup my HP network to authenticate two devices on one port? e.g. the VoIP phone would need to be mac-address authenticated, but if a PC is plugged into the onboard switch could that then be authenticated using AD-authentication?
2a. ...and would each device be put into a separate VLAN?
3. FOG server... obviously I'll still need to allow PXE booting for FOG devices. I'm guessing that I could probably do this with an unauthenticated VLAN and put an ACL in place to allow VLAN routing to my FOG server. Has anyone done this?
Thanks in advance to any replies,
Ant
20th April 2012, 12:49 PM #2 1. You either whitelist them (in the example of printers), or have them dumped into a separate VLAN (perhaps the best idea for your VOIP), or isolate them.
2. VoIP phones should be 802.1Q aware. This should solve the issue for you.
3. This is related to 1. If you sort point 1 out then this should fall into place as well.
20th April 2012, 01:05 PM #3 (quoting pantscat's post #1 above)
I did this a few years ago, let's say it's a lot less painful with Vista/7 than XP as the logon process waits for authentication now. I also returned dynamic VLAN for the machine based on AD group.
For printers etc I switched the ports to MAC auth, you can do it with NPS, but need to put a registry key back for MD5 auth. The Microsoft Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) implementation is being deprecated from versions of Windows.
Use dashed format MAC, create user accounts with the MAC (LOWERCASE!), enable reversible encryption for that user, set password to the MAC. You can change the number of devices allowed on an authenticated port, but this can get a little complicated due to needing the same auth type and vlan (you can only return *one* untagged vlan with the HP/NPS combo).
FOG/Ghost/WDS is a lot easier with 802.1x and unauth vlan as you can put the server in that vlan.
It can be a long process with a lot of testing, but it is worth the effort, machine based dynamic vlans and vlan acls are very useful.
Last edited by DMcCoy; 20th April 2012 at 01:08 PM.
20th April 2012, 01:11 PM #4 @DMcCoy Thanks for this - good advice.
How did you do the dynamic VLANs? Was this with NPS?
For the printers do you need to change the config on the switch ports?
Seems that the VoIP side of things might be a tad trickier... I'll have to have a think about that if only one auth type can be used.
Hadn't thought of sticking the FOG server in the unauth VLAN - that's nice and straight-forward.
20th April 2012, 01:22 PM #5 You can return a vlan to the switch with NPS, I had all 802.1x and MAC auth ports default to untagged in the unauthenticated vlan, the authentication then returned the vlan to the switch on auth (this becomes the untagged vlan, other vlans may not work, even when tagged). It's easier to use computer auth for this, but you can do user based if required (more painful though).
The printer ports were changed to MAC auth on the switch, although some now support 802.1x. For Apples, they now have better 802.1x support, but I was using them on MAC based at the time.
I had limited access for unauthenticated machines, access to the DCs for group policy, dns, time and to join the domain.
20th April 2012, 01:42 PM #6 How do you configure the switches to get the dynamic VLAN from NPS? That does sound cool!
For the printers did you just have a list of allowed MAC addresses configured on the switch?
20th April 2012, 01:54 PM #7 On NPS you can return VLAN in the auth reply, for both 802.1x and MAC. This is then used by the switch while the port is authenticated. MAC auth ports for printers just had users created in AD with the right group membership for the device MAC, the switch still sends the request to the radius server, it's why you need to enable md5-chap auth to use it.
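Editor's added example (not DMcCoy's NPS or switch configuration) to make posts #3 and #7 concrete: the Access-Accept from NPS carries three RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN) and the switch applies them to the port for as long as it stays authenticated. The code below wire-encodes that triple, decodes it again the way a switch would, and normalises a MAC address into the dashed lowercase form post #3 uses for the AD account name. The tag value 1 and the helper names are assumptions for the illustration; NPS's own tag value is not stated in the thread.

```python
"""Encode/decode the RFC 2868 VLAN attributes in a RADIUS Access-Accept, and
normalise MACs for the MAC-auth account convention described in the thread."""
import re
import struct

# RADIUS attribute types from RFC 2868 and the values a VLAN assignment uses.
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # string holding the VLAN id (or name)
VLAN = 13
IEEE_802 = 6


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    # Type, Length (always 6), Tag, then a 3-byte big-endian integer.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    data = value.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes a RADIUS server returns for a dynamic VLAN (tag 1 assumed)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"invalid VLAN id {vlan_id}")
    return (_tagged_int(TUNNEL_TYPE, tag, VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(data: bytes) -> dict:
    """Walk a RADIUS attribute list; return {type: (tag, value)} for the tunnel attributes."""
    out = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr_type] = (body[0], int.from_bytes(body[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string.
            if body[0] > 0x1F:
                out[attr_type] = (0, body.decode("ascii"))
            else:
                out[attr_type] = (body[0], body[1:].decode("ascii"))
        i += length
    return out


def assigned_vlan(data: bytes):
    """VLAN a switch would apply from the reply, or None if the triple is incomplete."""
    attrs = parse_attributes(data)
    try:
        if attrs[TUNNEL_TYPE][1] == VLAN and attrs[TUNNEL_MEDIUM_TYPE][1] == IEEE_802:
            return attrs[TUNNEL_PRIVATE_GROUP_ID][1]
    except KeyError:
        pass
    return None


def mac_account_name(mac: str) -> str:
    """Normalise any common MAC notation to dashed lowercase (the AD account/password form)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


if __name__ == "__main__":
    reply = vlan_attributes(200)
    print("Access-Accept VLAN attributes:", reply.hex())
    print("switch would assign VLAN:", assigned_vlan(reply))
    # Constructed sample MAC, not one from the thread.
    print("AD account for printer:", mac_account_name("00:1B:44:11:3A:B7"))
```

If the reply is missing any one of the three attributes, `assigned_vlan` returns `None`, which is the situation DMcCoy describes where the port stays in its default (unauthenticated) untagged VLAN. The MAC helper exists because the switch sends the MAC as the RADIUS User-Name and the AD account must match that string exactly, so an uppercase or colon-separated account simply fails authentication.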
20th April 2012, 01:55 PM #8 Super - thanks very much.
Play-time now!
23rd April 2012, 01:06 PM #9 @DMcCoy What ACLs do you use to allow the guest VLAN to access your DCs for Group Policy and to join the domain?
Thanks for your help btw, I've got the dynamic VLANs working beautifully!
23rd April 2012, 01:16 PM #10 (quoting pantscat's post #9 above)
These are ACLs I was using, two DCs 10.0.7.1 and 10.0.7.2, the guest range was 10.0.8.x. You need the ping response for GPO iirc, I allowed file access so that the GPOs could be downloaded by the joined clients if they failed auth (802.1x policy was defined in it!)
DCs have RPC set to the ranges 49152-50152
ip access-list extended "GuestI"
10 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 68
20 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 53
30 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 53
40 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 88
50 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 88
60 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 123
70 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 range 135 139
80 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 range 135 139
90 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 445
100 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 445
110 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 389
120 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 389
130 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 636
140 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 636
150 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 464
160 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 1288
170 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 eq 1288
180 permit tcp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 range 49152 50152
190 permit udp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 range 49152 50152
200 permit icmp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 8
210 permit icmp 10.0.8.0 0.0.0.255 10.0.7.1 0.0.0.0 0
220 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 68
230 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 53
240 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 53
250 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 88
260 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 88
270 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 123
280 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 range 135 139
290 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 range 135 139
300 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 445
310 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 445
320 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 389
330 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 389
340 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 636
350 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 636
360 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 464
370 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 1288
380 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 eq 1288
390 permit tcp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 range 49152 50152
400 permit udp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 range 49152 50152
410 permit icmp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 8
420 permit icmp 10.0.8.0 0.0.0.255 10.0.7.2 0.0.0.0 0
430 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
exit
23rd April 2012, 01:19 PM #11 Wow... that's very cool.
Thanks very much indeed. I owe you one.
13th July 2012, 10:11 AM #12 I'd love to do what you guys are doing, I'm running a flat network with no additional security. Could you recommend some lab documents for me to get started on. Could I use 802.1x without VLANs just to keep rogue devices from my network? And with wireless... I have basic VLAN knowledge but haven't really understood the routing aspect yet although I do have L3 switches at the root of my network. (just don't want to test on my real network yet.)
oh and what is NPS?
16th July 2012, 08:41 AM #13 NPS is Network Policy Server (See here: Network Policy Server)
I can't remember what I read that made me think all of this was a good idea (and it is, although I'm only really getting around to properly implementing it now.) - but this (Security Solutions: 802.1X And Guest VLANs - HP ProCurve Networking) looks like a good place to start.