nobody got a clue?
Hopefully somebody here can give me some hints.
I have several 2600 and 5300 switches configured with 802.1x, which works fine.
Problem: MAC-based authentication. My switches just won't talk with my RADIUS (MS IAS) server...
This thread gave me some pointers but nothing worked so far:
2600 and 5300 Switches
Radius configured and working (802.1x with same RADIUS works)
IAS-Policy with correct group and NAS-type
EAP-Method MD5-Challenge, CHAP is enabled
aaa authentication port-access eap-radius is enabled
message authenticator is disabled
Tried different delimiter settings
Accounts for Clients have reversible encryption enabled and user/pw is mac-address
I expected to see activated ports with *show port-access mac-based clients* but the list is empty although several ports are active.
Log only shows "Port blocked by AAA"...
Last edited by Scratch; 5th January 2009 at 03:27 PM. Reason: Additional Info
This is the config on my HP 5406zl switch:
Well, the pertinent bit anyway. The vlan part is repeated for the different VLANs and the aaa parts are repeated for different groups of ports.
Code:
max-vlans 64
module 1 type J8706A
module 2 type J8705A
module 3 type J8702A
module 4 type J8702A
ip default-gateway 10.5.143.254
ip routing
ip udp-bcast-forward
vlan 1
   name "Servers"
   untagged A12-A24,B1-B11,B13-B19,B21-B24,C1-C21,C24,D2-D3,D5-D14,D16-D24
   ip forward-protocol udp 10.5.140.127 5151
   ip forward-protocol udp 10.5.140.255 5151
   ip forward-protocol udp 10.5.141.63 5151
   ip forward-protocol udp 10.5.141.127 5151
   ip forward-protocol udp 10.5.141.191 5151
   ip forward-protocol udp 10.5.141.255 5151
   ip forward-protocol udp 10.5.142.127 5151
   ip address 10.5.143.1 255.255.255.0
   tagged A1-A11,C22
   no untagged B12,B20,C23,D1,D4,D15
   exit
aaa accounting update periodic 15
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
aaa accounting system start-stop radius
radius-server dead-time 5
radius-server key juniper12a
radius-server host 10.5.143.14
primary-vlan 666
aaa port-access mac-based C1,C5,C9,C11-C20,D2,D5-D10,D12-D14,D16,D18-D24
aaa port-access mac-based C1 unauth-vid 666
aaa port-access mac-based C5 unauth-vid 666
Have you altered the Framed-MTU option in the IAS policy? Newer Procurve firmware versions don't work with the default value anymore. I have set Framed-MTU in all of my policies to 1400.
Thank you for your replies.
@DmcCoy: Tested it, had no effect.
RAS-Policy Settings are:
Just a quick question, did you have reversible encryption enabled before or after creating the password for clients?
Activated reversible encryption and then set the password.
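Added example, not part of the thread and not vendor code: a Python sketch of the CHAP check (RFC 1994) that a RADIUS server performs, showing why the server needs a recoverable cleartext password and why the account's password must match the switch's delimiter format and letter case exactly. It assumes the switch sends the MAC as the CHAP password, as the thread describes; the format names and the sample MAC are illustrative assumptions.

```python
import hashlib
import hmac
import os
import re

def mac_formats(mac):
    """Render one MAC in each delimiter style a switch might be set to send."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    pairs = [h[i:i + 2] for i in range(0, 12, 2)]
    return {
        "no-delimiter": h,                      # 001a2b3c4d5e
        "single-dash": h[:6] + "-" + h[6:],     # 001a2b-3c4d5e
        "multi-dash": "-".join(pairs),          # 00-1a-2b-3c-4d-5e
        "multi-colon": ":".join(pairs),         # 00:1a:2b:3c:4d:5e
    }

def chap_response(ident, password, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def server_accepts(stored_password, ident, challenge, response):
    """Server side: recompute the digest from the stored cleartext password.
    Without a recoverable password (reversible encryption) this is impossible."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)

def matching_formats(mac, stored_password):
    """Simulate the switch in every format against one account's password
    and return the formats whose CHAP response the server would accept."""
    ident, challenge = 1, os.urandom(16)
    accepted = []
    for name, value in mac_formats(mac).items():
        response = chap_response(ident, value, challenge)
        if server_accepts(stored_password, ident, challenge, response):
            accepted.append(name)
    return accepted

if __name__ == "__main__":
    # Constructed sample MAC and account password, for illustration only.
    print(matching_formats("00:1A:2B:3C:4D:5E", "001a2b-3c4d5e"))
    print(matching_formats("00:1A:2B:3C:4D:5E", "001A2B3C4D5E"))
```

An empty result means no lowercase format reproduces the stored password, so the server rejects every attempt even though the account exists.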