MAC Based vlan allocation with procurve switches (11x)

Well I have some HP Procurves, 2626s mainly. I also have 2 cisco 2948Gs.

With the ciscos I setup a tftp server, created a vlan mac pairing file, set one of the switches to read the file and be a server for VMPS. Set both ciscos to be clients of the server cisco, set the ports I wanted to by dynamic and quite disturbingly it all worked. I connect and client with a known MAC and it gets the correct vlan... happy me :D

So I now move on to the procurves (I did these second for a reason!)

I know they can do mac-based authenication against a RADIUS server and a RADIUS server can return the vlan the client should have. I know this CAN be done, but I haven't the foggest how!

I have the a procurve set with one port to use mac-based port-access. I have the radius set with the correct IP and secret key for a newly created IAS RADIUS server on one of my domain controllers. When I also set an auth-vlan and an unauth-vlan I can get the switch to fail to auth and dump the client on to the unauth-vlan. What I cannot do is get the procurve to successfully auth against the RADIUS server (nothing shows in IAS logs, it hasn't even created any!)

So what I am looking for (cause I think I have the procurve setup rightish) is how to configure an IAS RADIUS server to work with my procurves.

Oh yes, I have a user in the AD with the username and password set to the mac (no formatting and procurve is set to send a no formatted mac) password is reverseable and dialup set to allow.

Anyway... please help, I have been able to find a complete guide on the net and have only pickup up snippets here and there.

Oh yeah, after I get auth working, I still have no clue how to get the RADIUS server to respond with the right vlan...

Thanks in advance!

Oh yeah, looking at you DMcCoy, you seem like you might know :D

Okay, so I've found out how to get IAS to send the vlan ID back to the procurve, now if I could just get them to talk to eachother in the first place!

I did the mac-based authentication for our Apple machines. You are most of the way there. The vlan can be returned by IAS from the policy, the policy can be matched by adding the machine users to a group.

1) The switch must exist as a client on IAS
2) The switches default_vlan (which ever one you set) needs to be able to see the IAS server.
3) You need to set an access policy

Note, you have to enable reversible encryption *then* set the password.

1) Create a RADIUS client in IAS. You need to give it a name, enter the IP of the switch and set a key for the switch to authenticate with. You can't tick the message authenticator box with mac based auth, you can for 802.1x

2) assuming your switch has an ip that can see the IAS server.

Here is a relevant bit of my config

aaa authentication port-access eap-radius
radius-server host 10.0.0.100 key keygoeshere
aaa port-access mac-based 1-23
aaa port-access mac-based 1 unauth-vid 80
aaa port-access mac-based 2 unauth-vid 80
aaa port-access mac-based 3 unauth-vid 80
aaa port-access mac-based 4 unauth-vid 80
aaa port-access mac-based 5 unauth-vid 80
aaa port-access mac-based 6 unauth-vid 80
aaa port-access mac-based 7 unauth-vid 80
aaa port-access mac-based 8 unauth-vid 80
aaa port-access mac-based 9 unauth-vid 80
aaa port-access mac-based 10 unauth-vid 80
aaa port-access mac-based 11 unauth-vid 80
aaa port-access mac-based 12 unauth-vid 80
aaa port-access mac-based 13 unauth-vid 80
aaa port-access mac-based 14 unauth-vid 80
aaa port-access mac-based 15 unauth-vid 80
aaa port-access mac-based 16 unauth-vid 80
aaa port-access mac-based 17 unauth-vid 80
aaa port-access mac-based 18 unauth-vid 80
aaa port-access mac-based 19 unauth-vid 80
aaa port-access mac-based 20 unauth-vid 80
aaa port-access mac-based 21 unauth-vid 80
aaa port-access mac-based 22 unauth-vid 80
aaa port-access mac-based 23 unauth-vid 80
aaa port-access mac-based addr-format multi-dash



This should start getting messages on the IAS server.

3) Create a remote access policy in IAS

I'll attach some screen shots in a minute

Hi Alex,

In order for the radius server to send the vlan id, configure the following options:

Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = the VLAN ID or name i.e. 20 or Server-VLAN

In order to the switches to talk to one another you need to configure trunk links with 802.1q encapsulation.

HTH,

Ash.

The policy should use EAP method of MD5 challenge and you need to enable the CHAP authentication on it.

I also use the NAS-IP-Address matches option in the policy settings, as well as groups.

nm, I found it. Cause mac-based only use CHAP you have to untick Client must always send the sigature attribute

Thanks for that folks, I had missed a bit even though it seemed to work, anyway, it all looks good now and I'm a happy camper :D

Perhaps somebody could wiki-fy all this ;)

Just a quick question on this...

Should the IAS server be in the same VLAN as the switches (ie. VLAN 1) and if so, should this be done via static VLAN to its port?

Yes, static is a must. Otherwise what happens if it has to unlock its own port? :P

Mine Works like this:

Core Switch
VLAN 1 (Managment) (IP 10.0.0.1)
|
| Tagged Uplink
|
Client Switch (VLAN1) (IP 10.0.0.2)

The IAS server has a NIC on VLAN1. All requests are sent directly from each switch to the IAS server.

Only the switches need access to VLAN1 (and something to manage them with, along with IAS)

Edit: Remember that the IAS server needs a NIC that can see the domain too!

Could that extra NIC not just be a membership to more than one VLAN on its port?

You can if you want

Hi All,

I want to do Mac address authentication for some printers and few other devices on Procurve 2600 switch, with Radius IAS. I have a couple of questions and will really appreciate guidance on this.

1. I understand that I need to create a separate group in AD to include the mac authentication user accounts with accounts having username and password to be same and clear password complexity unders ecurity policy for this so that I will be allowed to have password to be same as username. Can this security policy relaxation for password be only applied to this mac authentication group?

2. When the switch will forward the username and password to be the mac address to the IAS and IAS will then relay it to AD for validation, AD will expect supply of a domain name as well. How does the domain name gets appended to the mac authentication credentials sent by switch to the IAS?

3. Since I am not doing mac authentication for user window machines, I believe the accounts do not need to be stored with reversible MD5 encryption. Please clarify this as well.

Thanks a lot.

1. Not in windows 2003 server - security policies are domain wide. You'd need a seperate domain, and therefore a second security policy. However, you can do this in a single domain with windows 2008 server.

2. I'm not sure on this. We only have a single domain, so it all just works.

3. No, reversible authentication is required for windows machines too.