Procurve Macbased Authentication

**Scratch** · 5th January 2009, 03:17 PM

Hi there,

hopefulle somebody here can give me some hints

I have several 2600 and 5300 switches configured with 802.1x, which works fine.
Problem: MAC-based authentication. My switches just won't talk with my RADIUS (MS IAS) server...

This thread gave me some pointers but nothing worked so far:
http://www.edugeek.net/forums/networ...tches-11x.html

My setup:

2600 and 5300 Switches
Radius configured and working (802.1x with same RADIUS works)
IAS-Policy with correct group and NAS-type
EAP-Method MD5-Challenge, CHAP is enabled
aaa authentication port-access eap-radius is enabled
message authenticator is disabled
Tried different delimiter settings
Accounts for Clients have reversible encryption enabled and user/pw is mac-address

I expected to see activated ports with *show port-access mac-based clients* but the list is empty altough several ports are active.

Log only shows "Port blocked by AAA"...

**Scratch** · 15th January 2009, 12:10 PM

nobody got a clue?

**localzuk** · 15th January 2009, 12:18 PM

This is the config on my HP 5406zl switch:

Code:

max-vlans 64 
module 1 type J8706A 
module 2 type J8705A 
module 3 type J8702A 
module 4 type J8702A 
ip default-gateway 10.5.143.254 
ip routing 
ip udp-bcast-forward 
vlan 1 
   name "Servers" 
   untagged A12-A24,B1-B11,B13-B19,B21-B24,C1-C21,C24,D2-D3,D5-D14,D16-D24 
   ip forward-protocol udp 10.5.140.127 5151 
   ip forward-protocol udp 10.5.140.255 5151 
   ip forward-protocol udp 10.5.141.63 5151 
   ip forward-protocol udp 10.5.141.127 5151 
   ip forward-protocol udp 10.5.141.191 5151 
   ip forward-protocol udp 10.5.141.255 5151 
   ip forward-protocol udp 10.5.142.127 5151 
   ip address 10.5.143.1 255.255.255.0 
   tagged A1-A11,C22 
   no untagged B12,B20,C23,D1,D4,D15 
   exit
aaa accounting update periodic 15 
aaa accounting network start-stop radius 
aaa accounting exec start-stop radius 
aaa accounting system start-stop radius 
radius-server dead-time 5 
radius-server key juniper12a 
radius-server host 10.5.143.14 
primary-vlan 666 
aaa port-access mac-based C1,C5,C9,C11-C20,D2,D5-D10,D12-D14,D16,D18-D24
aaa port-access mac-based C1 unauth-vid 666
aaa port-access mac-based C5 unauth-vid 666

Well, the pertinent bit anyway. The vlan part is repeated for the different VLANs and the aaa parts are repeated for different groups of ports.

**DMcCoy** · 15th January 2009, 12:20 PM

Have you altered the Framed-MTU option in the IAS policy? Newer Procurve firmware versions don't work with the default value anymore. I have set Framed-MTU in all of my policies to 1400

**Scratch** · 19th January 2009, 08:30 AM

Thank you for your replies.

@DmcCoy: Tested it, had no effekt.

RAS-Policy Settings are:
Framed-Protocol: PPP
Service-Type: Framed

**localzuk** · 19th January 2009, 09:08 AM

Just a quick question, did you have reversible encryption enabled before or after creating the password for clients?

**Scratch** · 19th January 2009, 01:11 PM

activated reversible encryption and then set the password.

**Scratch** · 3rd February 2009, 08:40 AM

/bump

LinkBack

Thread Tools

Search Thread

Procurve Macbased Authentication

Similar Threads

Procurve VLAN help

HP Procurve VALNS Help !

Help... I need a Procurve Pro!

HP Procurve switches

HP Procurve 4108GL

Thread Information

Users Browsing this Thread

Posting Permissions