Wireless Networks Thread (Technical): MAC Based vlan allocation with procurve switches (11x)
#1 AlexB

    MAC Based vlan allocation with procurve switches (11x)

    Well I have some HP Procurves, 2626s mainly. I also have 2 cisco 2948Gs.

    With the ciscos I setup a tftp server, created a vlan mac pairing file, set one of the switches to read the file and be a server for VMPS. Set both ciscos to be clients of the server cisco, set the ports I wanted to be dynamic and quite disturbingly it all worked. I connect a client with a known MAC and it gets the correct vlan... happy me

    So I now move on to the procurves (I did these second for a reason!)

    I know they can do mac-based authentication against a RADIUS server and a RADIUS server can return the vlan the client should have. I know this CAN be done, but I haven't the foggiest how!

    I have a procurve set with one port to use mac-based port-access. I have the radius set with the correct IP and secret key for a newly created IAS RADIUS server on one of my domain controllers. When I also set an auth-vlan and an unauth-vlan I can get the switch to fail to auth and dump the client on to the unauth-vlan. What I cannot do is get the procurve to successfully auth against the RADIUS server (nothing shows in IAS logs, it hasn't even created any!)

    So what I am looking for (cause I think I have the procurve setup rightish) is how to configure an IAS RADIUS server to work with my procurves.

    Oh yes, I have a user in the AD with the username and password set to the mac (no formatting and procurve is set to send a non-formatted mac), password is reversible and dialup set to allow.

    Anyway... please help, I haven't been able to find a complete guide on the net and have only picked up snippets here and there.

    Oh yeah, after I get auth working, I still have no clue how to get the RADIUS server to respond with the right vlan...

    Thanks in advance!

#2 AlexB

    Re: MAC Based vlan allocation with procurve switches (11x)

    Oh yeah, looking at you DMcCoy, you seem like you might know

#3 AlexB

    Re: MAC Based vlan allocation with procurve switches (11x)

    Okay, so I've found out how to get IAS to send the vlan ID back to the procurve, now if I could just get them to talk to each other in the first place!

#4 DMcCoy

    Re: MAC Based vlan allocation with procurve switches (11x)

    I did the mac-based authentication for our Apple machines. You are most of the way there. The vlan can be returned by IAS from the policy, the policy can be matched by adding the machine users to a group.

    1) The switch must exist as a client on IAS
    2) The switches default_vlan (which ever one you set) needs to be able to see the IAS server.
    3) You need to set an access policy

    Note, you have to enable reversible encryption *then* set the password.

    1) Create a RADIUS client in IAS. You need to give it a name, enter the IP of the switch and set a key for the switch to authenticate with. You can't tick the message authenticator box with mac based auth, you can for 802.1x

    2) assuming your switch has an ip that can see the IAS server.

    Here is a relevant bit of my config

    aaa authentication port-access eap-radius
    radius-server host 10.0.0.100 key keygoeshere
    aaa port-access mac-based 1-23
    aaa port-access mac-based 1-23 unauth-vid 80
    aaa port-access mac-based addr-format multi-dash



    This should start getting messages on the IAS server.

    3) Create a remote access policy in IAS

    I'll attach some screen shots in a minute

#5

    Re: MAC Based vlan allocation with procurve switches (11x)

    Hi Alex,

    In order for the radius server to send the vlan id, configure the following options:

    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = the VLAN ID or name i.e. 20 or Server-VLAN

    In order for the switches to talk to one another you need to configure trunk links with 802.1q encapsulation.

    HTH,

    Ash.

#6 DMcCoy

    Re: MAC Based vlan allocation with procurve switches (11x)

    The policy should use EAP method of MD5 challenge and you need to enable the CHAP authentication on it.

    I also use the NAS-IP-Address matches option in the policy settings, as well as groups.

#7 AlexB

    Re: MAC Based vlan allocation with procurve switches (11x)

    nm, I found it. Because mac-based only uses CHAP you have to untick "Client must always send the signature attribute"
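
The exchange that posts #4 to #7 describe, modelled end to end as an added example (this is not code from the thread, from HP or from Microsoft): the switch sends an Access-Request whose User-Name and CHAP password are both the MAC rendered per addr-format, the server checks the CHAP response against the account's plaintext password and answers with the three tunnel attributes from post #5, and the switch pulls the VLAN out of the reply. It also answers the reversible-encryption question raised further down the thread: CHAP verification recomputes MD5(id | password | challenge), so the server must be able to recover the plaintext, which an NT hash does not allow. Assumptions not taken from the page: lower-case hex in the MAC string, tag byte 1 on the tunnel attributes, a request from an unregistered client being dropped silently, and all IPs, the shared secret, MACs, account names, group names and VLAN values, which are constructed sample data; radius_server is a stand-in for IAS plus AD, not IAS itself.

```python
# Added example, not code from the thread or from HP/Microsoft: a model of the
# MAC-based RADIUS exchange between a ProCurve-style switch and an IAS-style
# server (framing per RFC 2865, VLAN attributes per RFC 2868). All IPs, the
# shared secret, MACs, account names and VLAN values are constructed sample data.
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 3, 4, 60
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = (13).to_bytes(3, "big"), (6).to_bytes(3, "big")  # tagged 3-byte ints

# Constructed data: the switch registered as a RADIUS client, two "MAC" AD
# accounts stored with reversible encryption (password == username), and the
# group -> VLAN mapping that an IAS remote access policy would apply.
CLIENTS = {"10.0.0.2"}
ACCOUNTS = {"001b63aabbcc": ("001b63aabbcc", "MAC-Printers"),
            "00-1b-63-dd-ee-ff": ("00-1b-63-dd-ee-ff", "MAC-Apple")}
VLAN_POLICY = {"MAC-Printers": "20", "MAC-Apple": "Server-VLAN"}

def format_mac(mac, addr_format="no-delimiter"):
    """The switch's addr-format option (lower-case hex assumed). This string is
    both User-Name and password, so the AD account must be spelled the same way."""
    p = [f"{b:02x}" for b in mac]
    return {"no-delimiter": "".join(p), "single-dash": "".join(p[:3]) + "-" + "".join(p[3:]),
            "multi-dash": "-".join(p), "multi-colon": ":".join(p)}[addr_format]

def attr(atype, value):  # RADIUS TLV: type, total length, value
    return struct.pack("!BB", atype, 2 + len(value)) + value

def parse_attrs(body):
    out, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return dict(out)

def chap_response(chap_id, password, challenge):
    # CHAP: MD5(id | password | challenge). Checking it needs the plaintext
    # password, which is why the MAC accounts must use reversible encryption.
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()

def switch_access_request(mac, addr_format, nas_ip, req_auth, challenge, chap_id=1, ident=1):
    """Switch side: one Access-Request per new MAC seen on a mac-based port."""
    name = format_mac(mac, addr_format)
    body = (attr(USER_NAME, name.encode())
            + attr(CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, name, challenge))
            + attr(CHAP_CHALLENGE, challenge)
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def radius_server(req, secret, clients, accounts, vlan_policy):
    """Server side. An unregistered client IP gets no reply and no log entry,
    which from the switch looks like a timeout rather than a reject."""
    code, ident, length = struct.unpack("!BBH", req[:4])
    req_auth, attrs = req[4:20], parse_attrs(req[20:length])
    if code != ACCESS_REQUEST or ".".join(str(o) for o in attrs[NAS_IP_ADDRESS]) not in clients:
        return None
    chap, challenge = attrs[CHAP_PASSWORD], attrs.get(CHAP_CHALLENGE, req_auth)
    password, group = accounts.get(attrs[USER_NAME].decode(), (None, None))
    if password is None or chap[1:] != chap_response(chap[0], password, challenge):
        rcode, body = ACCESS_REJECT, b""
    else:  # the three attributes from post #5, each with tag byte 1 (RFC 2868)
        rcode, body = ACCESS_ACCEPT, (attr(TUNNEL_TYPE, b"\x01" + VLAN)
                                      + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + IEEE_802)
                                      + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + vlan_policy[group].encode()))
    header = struct.pack("!BBH", rcode, ident, 20 + len(body))
    # Response Authenticator = MD5(header | Request Authenticator | attributes | secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def switch_vlan_from_reply(reply, req_auth, secret):
    """Switch side: authenticate the reply, then read the VLAN (ID or name).
    None means nothing was granted, so the port falls back to unauth-vid."""
    if reply is None:
        return None
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    body = reply[20:length]
    if reply[4:20] != hashlib.md5(reply[:4] + req_auth + body + secret).digest():
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    attrs = parse_attrs(body)
    if (code != ACCESS_ACCEPT or attrs.get(TUNNEL_TYPE, b"")[1:] != VLAN
            or attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != IEEE_802):
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # leading byte is a tag, not part of the string
        group = group[1:]
    return group.decode() or None

def run_exchange(mac, addr_format, nas_ip, accounts, clients,
                 secret=b"keygoeshere", server_secret=None):
    """Whole exchange for one MAC; returns the VLAN the switch would apply."""
    req_auth = hashlib.md5(b"req-auth" + mac).digest()    # random on a real switch;
    challenge = hashlib.md5(b"challenge" + mac).digest()  # fixed here for repeatability
    req = switch_access_request(mac, addr_format, nas_ip, req_auth, challenge)
    reply = radius_server(req, server_secret or secret, clients, accounts, VLAN_POLICY)
    return switch_vlan_from_reply(reply, req_auth, secret)

if __name__ == "__main__":
    for mac_hex, fmt in [("001b63aabbcc", "no-delimiter"), ("001b63ddeeff", "multi-dash"),
                         ("001b63aabbcc", "multi-dash")]:  # third: addr-format/account mismatch
        print(mac_hex, fmt, "->", run_exchange(bytes.fromhex(mac_hex), fmt, "10.0.0.2", ACCOUNTS, CLIENTS))
```

The three runs in the main block reproduce the thread's failure modes in order: a MAC whose account name matches the addr-format gets VLAN 20, a multi-dash MAC whose account is spelled with dashes gets the named VLAN, and a MAC sent as multi-dash against an account created without delimiters is rejected even though the "password" is right, because the User-Name never matches. A request from a NAS IP that is not in the client list returns nothing at all, which is the symptom in post #1 (no IAS log entries), and a wrong shared secret surfaces only when the switch checks the Response Authenticator.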

#8 AlexB

    Re: MAC Based vlan allocation with procurve switches (11x)

    Thanks for that folks, I had missed a bit even though it seemed to work, anyway, it all looks good now and I'm a happy camper

#9 Ric_

    Re: MAC Based vlan allocation with procurve switches (11x)

    Perhaps somebody could wiki-fy all this

#10 localzuk

    Re: MAC Based vlan allocation with procurve switches (11x)

    Just a quick question on this...

    Should the IAS server be in the same VLAN as the switches (ie. VLAN 1) and if so, should this be done via static VLAN to its port?

#11 DMcCoy

    Re: MAC Based vlan allocation with procurve switches (11x)

    Yes, static is a must. Otherwise what happens if it has to unlock its own port? :P

    Mine works like this:

    Core Switch
    VLAN 1 (Management) (IP 10.0.0.1)
    |
    | Tagged Uplink
    |
    Client Switch (VLAN1) (IP 10.0.0.2)

    The IAS server has a NIC on VLAN1. All requests are sent directly from each switch to the IAS server.

    Only the switches need access to VLAN1 (and something to manage them with, along with IAS)

    Edit: Remember that the IAS server needs a NIC that can see the domain too!

#12 localzuk

    Re: MAC Based vlan allocation with procurve switches (11x)

    Could that extra NIC not just be a membership to more than one VLAN on its port?

#13 DMcCoy

    Re: MAC Based vlan allocation with procurve switches (11x)

    You can if you want

#14

    Hi All,

    I want to do Mac address authentication for some printers and few other devices on Procurve 2600 switch, with Radius IAS. I have a couple of questions and will really appreciate guidance on this.

    1. I understand that I need to create a separate group in AD to include the mac authentication user accounts with accounts having username and password to be same and clear password complexity under security policy for this so that I will be allowed to have password to be same as username. Can this security policy relaxation for password be only applied to this mac authentication group?

    2. When the switch will forward the username and password to be the mac address to the IAS and IAS will then relay it to AD for validation, AD will expect supply of a domain name as well. How does the domain name gets appended to the mac authentication credentials sent by switch to the IAS?

    3. Since I am not doing mac authentication for user window machines, I believe the accounts do not need to be stored with reversible MD5 encryption. Please clarify this as well.

    Thanks a lot.

#15 localzuk

    1. Not in windows 2003 server - security policies are domain wide. You'd need a separate domain, and therefore a second security policy. However, you can do this in a single domain with windows 2008 server.

    2. I'm not sure on this. We only have a single domain, so it all just works.

    3. No, reversible authentication is required for windows machines too.
