
MAC Authentication issue with HP5500 Series and Extreme NAC


Userlevel 1
Hello,

I haven’t found any thread about NAC with the HP Procurve model A5120 or any 5500-series model.

Procurve is really limited in terms of configuration possibilities. Nevertheless, I’m running into the issue that the switch is not authenticating the connected supplicants.

Once a host/PC is connected, I can’t observe any Auth-request reaching the NAC Gateway. The NAC Gateway is not getting any MAC-Auth requests.

1) Switch can reach the NAC Gateway

2) Switch is declared as Radius Client in NAC and is as well configured with the corresponding Radius-Server and shared-Secret

3) Switch is monitored by the Netsight Console with the respective SNMP parameters

Has anybody successfully coupled this HP model series with Extreme NAC?

Any configuration example? I’ve actually configured it using the HP configuration guide.

Thanks in advance for any hints.

Regards

Gradelain

2 replies

Userlevel 3
Hi Gradelain,

I have successfully implemented Port Authentication with HP Procurve. Be aware of the firmware running on the switch. HP had several problems with authentication so you may wanna try a current release.

radius-server host X.X.X.X key "MySharedSecret"
radius-server host Y.Y.Y.Y key "MySharedSecret"

radius-server retransmit 1
radius-server dead-time 5

aaa accounting network start-stop radius
aaa authentication port-access eap-radius

aaa port-access authenticator 1
aaa port-access authenticator 1 server-timeout 30
aaa port-access authenticator 1 reauth-period 36000
aaa port-access authenticator 1 client-limit 3

aaa port-access authenticator active
aaa port-access mac-based 1
aaa port-access mac-based 1 addr-limit 3
aaa port-access mac-based 1 reauth-period 36000
aaa port-access mac-based 1 unauth-vid 1

aaa port-access 1 controlled-direction in

What's your config like?

Regards
Michael
Userlevel 1
Hello Michael,

Thanks a lot for your feedback.
I think I should perhaps first of all try a FW upgrade. I'm running version 5.20 Release 2221P02.
Switch-Model: H3C S5120-24P-EI

None of the "aaa" configuration above is being accepted.

Only the following configuration was possible based on the configuration guide:

#Global:
dot1x
dot1x authentication-method eap

#Radius

radius scheme nac
primary authentication 192.168.10.114
primary accounting 192.168.10.114
key authentication cipher $c$3$3MWqYRjTqeraZV2AQVBhlp0ytjtH8VCuu0j6Ow==
key accounting cipher $c$3$KhAkPm6nBU1alb/PtACj0YOsc9ynQ4czya6moA==
user-name-format keep-original
!
domain nac
authentication login radius-scheme nac
authorization login radius-scheme nac

#Test interface:
interface GigabitEthernet1/0/2
mac-authentication
dot1x re-authenticate
!

regards

Gradelain
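
A pre-flight check for the H3C/Comware configuration posted above, as an added example (not from the thread, and not HP or Extreme code). The conditions it tests are assumptions based on Comware 5 syntax: MAC authentication has to be enabled in system view as well as on the port, and MAC-auth users are authenticated through the `lan-access` (or `default`) method of the ISP domain in use, which is the built-in domain `system` unless configured otherwise.

```python
import re

# Constructed sample: the configuration posted in the thread, shortened, with
# the cipher key replaced by a placeholder.
POSTED = """\
#Global:
dot1x
#Radius
radius scheme nac
primary authentication 192.168.10.114
key authentication cipher <placeholder>
!
domain nac
authentication login radius-scheme nac
#Test interface:
interface GigabitEthernet1/0/2
mac-authentication
!
"""

SYSTEM = ("system", "")
VIEW = re.compile(r"^(interface|domain|radius scheme)\s+(\S+)$")

def parse(text):
    """Group commands by view; '#' and '!' lines return to system view."""
    views, current = {SYSTEM: []}, SYSTEM
    for line in map(str.strip, text.splitlines()):
        if line[:1] in ("#", "!"):
            current = SYSTEM
        elif (m := VIEW.match(line)):
            current = (m.group(1), m.group(2))
            views.setdefault(current, [])
        elif line:
            views[current].append(line)
    return views

def check_mac_auth(text):
    """Return findings that would keep MAC-auth requests from reaching RADIUS."""
    views, findings = parse(text), []
    system = views[SYSTEM]
    if "mac-authentication" not in system:
        findings.append("mac-authentication is not enabled globally")
    if not any(k == "interface" and "mac-authentication" in c for (k, _), c in views.items()):
        findings.append("no port has mac-authentication enabled")
    dom = "system"  # assumed built-in default domain; global overrides only
    for prefix in ("domain default enable ", "mac-authentication domain "):
        dom = next((l[len(prefix):] for l in system if l.startswith(prefix)), dom)
    ok = re.compile(r"authentication (lan-access|default) radius-scheme (\S+)$")
    schemes = [m.group(2) for c in views.get(("domain", dom), []) if (m := ok.match(c))]
    if not schemes:
        findings.append(f"domain '{dom}' has no lan-access/default RADIUS authentication")
    elif ("radius scheme", schemes[0]) not in views:
        findings.append(f"radius scheme '{schemes[0]}' is not defined")
    return findings
```

`check_mac_auth(POSTED)` reports the missing global enable and the missing `lan-access` method; an empty list means the checked chain from port to RADIUS scheme is complete.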
