Thread: MAC Based vlan allocation with procurve switches (11x), Wireless Networks forum (Technical). Page 2 of 2, posts #16 to #26.
#16 DMcCoy
    IAS matches DOMAIN\macaddress; the switch just sends the MAC as username and password and IAS does the rest.

    For 3, if the machines are not going to have their ports authenticated then you won't need to do anything, or enable reversible encryption for them.

#17 dpsguard
    Really appreciate your support and prompt response.

    1. Too bad that Windows 2003 server will not allow this, and then the only option is to either disable the password complexity globally or to forget about RADIUS based MAC authentication and simply use port security commands to add these MAC addresses to the respective switch ports. The only problem then is that we cannot move these devices to ports other than the assigned ones. The other solution that can be explored is to use a second RADIUS server (Linux FreeRADIUS) that will have these MAC address accounts created and service these devices, but I have to figure out if the ProCurve switch will allow two RADIUS servers for the purpose of authenticating requests coming in from two separate sets of ports. I know we can specify even 4 RADIUS servers, but they are all for failover.

    2. So you mean AD will authenticate a user (a printer in this case, with its MAC address being passed on to IAS by the switch as both username and password) even if it presents only username / password and no domain name?

    3. I think I could not explain this better. I meant to ask if the MAC address accounts that I will create in AD will be required to be stored as hashed MD5, as there is an option to check or uncheck this on user accounts while creating passwords.

    Please advise.

    Thanks again.

#18 localzuk
    Quote Originally Posted by dpsguard:
    Really appreciate your support and prompt response.

    1. Too bad that Windows 2003 server will not allow this, and then the only option is to either disable the password complexity globally or to forget about RADIUS based MAC authentication and simply use port security commands to add these MAC addresses to the respective switch ports. The only problem then is that we cannot move these devices to ports other than the assigned ones. The other solution that can be explored is to use a second RADIUS server (Linux FreeRADIUS) that will have these MAC address accounts created and service these devices, but I have to figure out if the ProCurve switch will allow two RADIUS servers for the purpose of authenticating requests coming in from two separate sets of ports. I know we can specify even 4 RADIUS servers, but they are all for failover.
    What about having a separate domain for the MAC authentication? There's nothing saying it has to be a part of your existing domain. If you did this, you could have a different security policy.

    2. So you mean AD will authenticate a user (a printer in this case, with its MAC address being passed on to IAS by the switch as both username and password) even if it presents only username / password and no domain name?
    From what DMcCoy seems to say, it appears to use the domain name of the IAS machine as the domain of the devices. Which would make sense.

    3. I think I could not explain this better. I meant to ask if the MAC address accounts that I will create in AD will be required to be stored as hashed MD5, as there is an option to check or uncheck this on user accounts while creating passwords.
    Yes, they need reversible authentication on the MAC address accounts for all devices that will authenticate via IAS.
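
The password-complexity problem raised in item 1 of the quoted post and answered with the separate-domain idea, as an added example that is not part of the thread and not Microsoft or HP code: a Python reimplementation of the documented Windows 2003 "Password must meet complexity requirements" rules (at least six characters, three of the character categories, and no occurrence of the account name or of any display-name token longer than two characters), plus a formatter for the MAC styles a ProCurve port can put in User-Name. The MAC values, the style names and the function names are mine; the style names mirror the switch's `aaa port-access mac-based addr-format` options but check the exact list against your firmware's reference guide. It shows that a MAC address used as its own password fails the policy in every delimiter style and case, because the password always contains the account name, so no address format avoids the need for a different policy (a separate domain, or complexity disabled).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample printers; not addresses from the thread.
SAMPLE_MACS = ["00:1b:21:3c:4d:5e", "00-11-22-AA-BB-CC"]

# Style names mirror the ProCurve "aaa port-access mac-based addr-format"
# choices (assumption: confirm against your firmware's reference guide).
STYLES = ("no-delimiter", "single-dash", "multi-dash", "multi-colon")


def format_mac(mac: str, style: str = "no-delimiter", upper: bool = False) -> str:
    """Render a MAC the way the switch will place it in User-Name/User-Password."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if style == "no-delimiter":
        return digits
    if style == "single-dash":
        return digits[:6] + "-" + digits[6:]
    if style == "multi-dash":
        return "-".join(pairs)
    if style == "multi-colon":
        return ":".join(pairs)
    raise ValueError(f"unknown style: {style}")


def meets_windows_complexity(password: str, sam_account_name: str,
                             display_name: str = "") -> Tuple[bool, List[str]]:
    """Simplified check of the documented Windows 2003 complexity policy.
    This is my reimplementation, not Microsoft's code; the fifth (Unicode
    alphabetic) category is ignored. Returns (ok, reasons_for_failure)."""
    reasons: List[str] = []
    low = password.lower()
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    # The account name is rejected as a substring once it is 3+ characters long.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in low:
        reasons.append("contains the account name")
    # The display name is split on the documented separators (comma, period,
    # dash, underscore, space, pound sign, tab); tokens of 3+ chars must not appear.
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) > 2 and token.lower() in low:
            reasons.append(f"contains display-name token {token!r}")
    categories = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if categories < 3:
        reasons.append(f"only {categories} of the four ASCII categories (three needed)")
    return (not reasons, reasons)


def mac_account_report(macs: List[str]) -> Dict[str, Tuple[bool, List[str]]]:
    """For every style/case combination, build the name the switch would send,
    use it as account name, display name and password (as MAC auth requires),
    and record whether the domain policy would accept that password."""
    report: Dict[str, Tuple[bool, List[str]]] = {}
    for mac in macs:
        for style in STYLES:
            for upper in (False, True):
                name = format_mac(mac, style, upper)
                report[name] = meets_windows_complexity(name, name, name)
    return report


if __name__ == "__main__":
    for name, (ok, why) in mac_account_report(SAMPLE_MACS).items():
        print(f"{name:20s} {'OK' if ok else 'REJECTED':8s} {'; '.join(why)}")
```

The delimited, upper-case styles do reach three character categories, so the category rule alone would let them through; it is the account-name rule that rejects every variant, and that rule is part of the same policy setting, so it cannot be relaxed on its own.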

#19
    Thanks DMcCoy. I just read your reply after I wrote this. I understand now that IAS appends the domain name (being enrolled on the domain) while forwarding username / password, as AD will definitely like to see the domain name coming in, else it will simply reject it.

    I am still not clear about my question #3. I believe this is only required if MD5 option is selected under 802.1x instead of PEAP option as in case of MD5 802.1x, the comparison has to be made between one way hashed password. But in my case, I am not using 802.1x anyway for mac authentication.

    Appreciate again and look forward to more feedback on this.

#20 dpsguard
    Thanks Localzuk. It is making sense to me. I am a network guy and not a Windows admin, so I have very limited knowledge on the Windows NOS side.

    I believe on an existing W2k3 domain controller we can certainly add another domain for MAC address users (and have a two-way trust between these two domains), but then how does the IAS talk to two domains on the DC? IAS will be enrolled / registered with only the main domain and thus forward requests only to the main domain. I guess then the DC has to somehow pass on the credentials to the second domain database, but then it will fail as the second domain database will see the domain name appended to the credentials being the main domain name.

    Just as a curiosity, is there a way to add local user accounts (in this case mac accounts) to switch and then use local authentication?

    Please advise.

    Thanks

#21 DMcCoy
    The HPs can use local authentication I believe, although I have never configured it.

    All IAS needs is a group or user that matches one of its policies. You could have a domain just for MAC based auth with the only users being those that are needed for the MAC based authentication. IAS does not need to be on the same domain as anything else if you don't want it to be. All it needs is to be connected to the domain that holds the MAC user accounts.

    You can turn on reversible encryption for just those accounts; it's on the account options page. The users don't even need to be members of the Domain Users group, just the group that matches the IAS policy.

    You don't need a trust between the domains either, if IAS is a member of a separate one for the authentication.

    For something like 802.1x with Windows machine accounts, you also don't need reversible encryption for the machine or user accounts; it's only needed for the MAC port authentication.
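
The reversible-encryption point in the post above (and the "hashed or not" question in #17 item 3), as an added example that is not part of the thread and not ProCurve or Microsoft code: a Python model of the MAC-authentication Access-Request a port sends (User-Name = MAC, password = MAC) in the two forms a ProCurve switch can use, CHAP (`aaa authentication mac-based chap-radius`) and PAP (`pap-radius`), together with the server-side check against an account store that either keeps only a one-way digest or also keeps the cleartext (the AD "Store password using reversible encryption" account option). The shared secret, the MAC, the store class and the function names are constructed for the demo, and SHA-256 stands in for the NT hash. It shows why a CHAP request cannot be verified from a hash alone while a PAP request can, which is what decides whether those accounts need the reversible flag.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed values for the demo; the real secret is the one in the switch's
# "radius-server host <ip> key <secret>" line and in the IAS client entry.
SHARED_SECRET = b"procurve-ias-shared-secret"
PRINTER_MAC = "001b213c4d5e"   # constructed sample MAC, no-delimiter style


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: 16-byte blocks XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt, as the RADIUS server performs it. Trailing NULs
    are padding (a MAC never ends in NUL)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3 CHAP-Password value: the CHAP ident byte followed
    by MD5(ident + cleartext password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_mac_auth_request(mac: str, method: str, secret: bytes = SHARED_SECRET) -> Dict[str, bytes]:
    """Model the Access-Request a port sends for MAC authentication: User-Name is
    the MAC and the MAC is also the password, carried as User-Password (pap-radius)
    or as CHAP-Challenge plus CHAP-Password (chap-radius)."""
    attrs: Dict[str, bytes] = {"User-Name": mac.encode(), "Request-Authenticator": os.urandom(16)}
    if method == "pap":
        attrs["User-Password"] = pap_encrypt(mac.encode(), secret, attrs["Request-Authenticator"])
    elif method == "chap":
        attrs["CHAP-Challenge"] = os.urandom(16)
        attrs["CHAP-Password"] = chap_response(1, mac.encode(), attrs["CHAP-Challenge"])
    else:
        raise ValueError(f"unknown method: {method}")
    return attrs


class MacAccountStore:
    """Stand-in for the AD accounts IAS checks. Every account keeps a one-way digest
    (SHA-256 here, standing in for the NT hash); the cleartext is kept only when the
    account has 'Store password using reversible encryption' set."""

    def __init__(self, reversible_encryption: bool) -> None:
        self.reversible = reversible_encryption
        self.accounts: Dict[str, Tuple[bytes, Optional[bytes]]] = {}

    def add(self, name: str, password: str) -> None:
        pw = password.encode()
        self.accounts[name] = (hashlib.sha256(pw).digest(), pw if self.reversible else None)

    def verify(self, attrs: Dict[str, bytes], secret: bytes = SHARED_SECRET) -> Tuple[bool, str]:
        rec = self.accounts.get(attrs["User-Name"].decode())
        if rec is None:
            return False, "no matching account"
        digest, cleartext = rec
        if "User-Password" in attrs:
            # PAP: the server recovers the cleartext from the request and can compare
            # it against the one-way digest; reversible storage is not required.
            candidate = pap_decrypt(attrs["User-Password"], secret, attrs["Request-Authenticator"])
            ok = hmac.compare_digest(hashlib.sha256(candidate).digest(), digest)
            return ok, "PAP verified against stored digest" if ok else "PAP password mismatch"
        if "CHAP-Password" in attrs:
            # CHAP: the server must recompute MD5(ident + password + challenge), which
            # needs the cleartext; a digest alone cannot answer the challenge.
            if cleartext is None:
                return False, "CHAP needs the cleartext password: enable reversible encryption"
            expected = chap_response(attrs["CHAP-Password"][0], cleartext, attrs["CHAP-Challenge"])
            ok = hmac.compare_digest(expected, attrs["CHAP-Password"])
            return ok, "CHAP verified" if ok else "CHAP response mismatch"
        return False, "no password attribute in request"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run PAP and CHAP against stores with and without reversible encryption."""
    results: Dict[str, Tuple[bool, str]] = {}
    for reversible in (False, True):
        store = MacAccountStore(reversible_encryption=reversible)
        store.add(PRINTER_MAC, PRINTER_MAC)
        for method in ("pap", "chap"):
            results[f"{method}/reversible={reversible}"] = store.verify(build_mac_auth_request(PRINTER_MAC, method))
    return results


if __name__ == "__main__":
    for scenario, (ok, why) in demo().items():
        print(f"{scenario:22s} {'ACCEPT' if ok else 'REJECT':6s} {why}")
```

Two practical checks follow from this. Ticking the reversible-encryption box does not convert a password that is already stored, so set or reset the MAC account's password after enabling it. If you choose PAP on the switch instead, the IAS remote access policy must allow PAP under its authentication methods, which a policy built for PEAP will not. Either way the "password" is printed on the printer's label and visible in every frame it sends, so this mechanism decides VLAN placement; it does not establish identity.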

#22 localzuk
    Quote Originally Posted by dpsguard:
    Thanks Localzuk. It is making sense to me. I am a network guy and not a Windows admin, so I have very limited knowledge on the Windows NOS side.

    I believe on an existing W2k3 domain controller we can certainly add another domain for MAC address users (and have a two-way trust between these two domains), but then how does the IAS talk to two domains on the DC? IAS will be enrolled / registered with only the main domain and thus forward requests only to the main domain. I guess then the DC has to somehow pass on the credentials to the second domain database, but then it will fail as the second domain database will see the domain name appended to the credentials being the main domain name.
    Why would your IAS box be linked to the main domain? Is it doing something else also?

    Just as a curiosity, is there a way to add local user accounts (in this case mac accounts) to switch and then use local authentication?
    I don't know, I've never really looked at it, as it would be unsustainable with anything more than a couple of switches and a couple of computers.

#23 DMcCoy
    Quote Originally Posted by localzuk:
    Why would your IAS box be linked to the main domain? Is it doing something else also?
    Mine is due to 802.1x/Wifi using machine/normal user accounts.

#24
    Yes, I will also need to use the same IAS RADIUS for 802.1x for users and MAC authentication for printers and other machines which are not capable of running 802.1x. The users will then be in the main domain and the MAC-authenticated devices will be in another domain. So IAS will need to talk to two domains, unless there is a way to not disable the password complexity policy on AD globally.

    That is why I was considering two more options: one using port security (we have only 4 edge switches, and there can be ports set aside on each for printers etc. that are mobile, with a limited number of such printers added to all such edge switches), and the second one to simply have a FreeRADIUS based RADIUS only for MAC authentication, with such devices put into a separate VLAN / set of ports, but I need to figure out how these ports will use only FreeRADIUS and not be directed to IAS.

    Thanks

#25
    Folks,

    Looks like we have a solution to use two RADIUS servers, one for 802.1x and the second for MAC authentication.

    The trick will be to configure two RADIUS servers in the switches on two different subnets / VLANs and then, on the upstream Distribution / Core L3 switch, add an ACL to each VLAN denying access to the other RADIUS server's IP address.

    If someone can lab this up, that will be great as it will take me a while to get all this together.

    Thanks

#26
    And of course, I will first try DMcCoy's suggestions and see if a single IAS can achieve what I need to do.

    This is still in the planning stage and we need to buy ProCurve even to test it. I expect to test it by the middle of October and then report back.

    Thanks both of you for your excellent responses and great knowledge. I have mainly been dealing in Cisco.
