MAC Authentication issue with HP5500 Series and Extreme NAC

  • Problem
  • Updated 3 years ago
  • Solved

I haven’t found any thread about NAC and the HP Procurve model A5120 or any 5500-series model.

Procurve is really limited in terms of configuration possibilities. Nevertheless, I’m running into the issue that the switch is not authenticating the connected supplicants.

Once a host/PC is connected, I can’t observe any auth request reaching the NAC Gateway. The NAC Gateway is not getting any MAC-auth requests.

1) Switch can reach the NAC Gateway

2) Switch is declared as a RADIUS client in NAC and is also configured with the corresponding RADIUS server and shared secret

3) Switch is monitored by the Netsight Console with the respective SNMP parameters

Has anybody successfully coupled this HP model series with Extreme NAC?

Any configuration example? I’ve actually configured it using the HP configuration guide.

Thanks in advance for any hints.


Gradelain Ngouni


Posted 3 years ago

Michael Kirchner

Hi Gradelain,

I have successfully implemented Port Authentication with HP Procurve. Be aware of the firmware running on the switch. HP had several problems with authentication so you may wanna try a current release.

radius-server host X.X.X.X key "MySharedSecret"
radius-server host Y.Y.Y.Y key "MySharedSecret"
radius-server retransmit 1
radius-server dead-time 5
aaa accounting network start-stop radius
aaa authentication port-access eap-radius
aaa port-access authenticator 1
aaa port-access authenticator 1 server-timeout 30
aaa port-access authenticator 1 reauth-period 36000
aaa port-access authenticator 1 client-limit 3
aaa port-access authenticator active
aaa port-access mac-based 1
aaa port-access mac-based 1 addr-limit 3
aaa port-access mac-based 1 reauth-period 36000
aaa port-access mac-based 1 unauth-vid 1
aaa port-access 1 controlled-direction in

What's your config like?

Gradelain Ngouni

Hello Michael,

Thanks a lot for your feedback.
I think I should perhaps first of all try a FW upgrade. I'm running version 5.20 Release 2221P02.
Switch model: H3C S5120-24P-EI

None of the "aaa" configuration above is being accepted.

Only the following configuration was possible based on the configuration guide:

 dot1x authentication-method eap


radius scheme nac
 primary authentication
 primary accounting
 key authentication cipher $c$3$3MWqYRjTqeraZV2AQVBhlp0ytjtH8VCuu0j6Ow==
 key accounting cipher $c$3$KhAkPm6nBU1alb/PtACj0YOsc9ynQ4czya6moA==
 user-name-format keep-original
domain nac
 authentication login radius-scheme nac
 authorization login radius-scheme nac

#Test interface:
interface GigabitEthernet1/0/2
 dot1x re-authenticate
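
Added example (not part of either post, and not HP/H3C or Extreme code): a small Python check run over an abridged copy of the Comware 5 fragment above, listing the settings Comware 5 uses to send MAC-authentication requests to a RADIUS scheme that the fragment does not show. The command names it looks for (`mac-authentication`, `mac-authentication domain`, `authentication lan-access`) are assumed from Comware 5 syntax; the function names and the sample are constructed.

```python
import re

# Constructed sample: the post's fragment, abridged to the lines these checks read.
POSTED_CONFIG = """\
 dot1x authentication-method eap
radius scheme nac
 primary authentication
domain nac
 authentication login radius-scheme nac
 authorization login radius-scheme nac
interface GigabitEthernet1/0/2
 dot1x re-authenticate
"""

VIEW = re.compile(r"(interface|domain|radius scheme)\s+\S+$")

def parse_views(text):
    """Group commands by view header; the key '' holds system-view commands."""
    views, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0] != " " and VIEW.match(line):
            current = line
            views.setdefault(current, [])
        elif raw[0] == " " and current:
            views[current].append(line)
        else:  # unindented non-header line, or indented line before any view
            current = ""
            views[""].append(line)
    return views

def audit_mac_auth(text, port):
    """List MAC-auth settings missing for `port` (Comware 5 names are assumed)."""
    views, findings = parse_views(text), []
    if "mac-authentication" not in views[""]:
        findings.append("global: mac-authentication not enabled")
    if not any(re.match(r"(mac-authentication domain|domain default enable) \S+", c)
               for c in views[""]):
        findings.append("global: no mac-authentication domain; default ISP domain applies")
    if "mac-authentication" not in views.get("interface " + port, []):
        findings.append(port + ": mac-authentication not enabled")
    for name, cmds in views.items():
        if name.startswith("domain ") and not any(
                re.match(r"authentication (lan-access|default) radius-scheme \S+", c)
                for c in cmds):
            findings.append(name + ": no lan-access/default RADIUS authentication")
    return findings
```

Calling `audit_mac_auth(POSTED_CONFIG, "GigabitEthernet1/0/2")` returns four findings; the `login` methods in `domain nac` apply to management logins, not to port-access users.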