topic Re: SR2148P 802.1x ethernet auth with NPS in Aerohive Migrated Content

SR2148P 802.1x ethernet auth with NPS

stefan_meichtry — Mon, 16 Sep 2019 18:40:09 GMT

Hi all

We have implemented 802.1X authentication to windows NPS for our WLAN for a long time. I would like to do the same for wired clients on our SR2148P switches, but I have trouble to find the correct Radius attributes to hand over to the switch. At the moment, I am working with these:

Tunnel-Medium-Type: 802 (includes all 802 media plus Ethernet canonical format)
Tunnel-Pvt-Group-ID: 10
Tunnel-Type: Virtual LANs (VLAN)

But other than in the WLAN setup, the Tunnel-Pvt-Group-ID I have to give the VLAN instead of the UP.

Can someone tell me the correct attributes I have to use for wired ethernet 802.1X auth on Windows NPS?

Kind regards, Stefan

Re: SR2148P 802.1x ethernet auth with NPS

samantha_lynn — Thu, 19 Sep 2019 01:01:38 GMT

You can use the tunnel pvt group ID, you'd want to use the option to "Assign user profile based on RADIUS attribute value pairs returned in Access-Accept response message" and then enter the attributes you want to allow.

Re: SR2148P 802.1x ethernet auth with NPS

stefan_meichtry — Thu, 19 Sep 2019 03:22:06 GMT

Thank you for answering.

I was not able to find the screenshot you send in your answer in our HM classic. But anyway, what I see in this picture are exactly the attributes I am useing in WLAN 802.1X and this is working fine.

But when configure Windows NPS with a new network policy this time with NAS Port Type = Ethernet, I do not have the same Radius attributes available in NPS to return like with NAS Port Type = Wireless - IEEE 802.11.

Here the picture of NPS for WLAN that is working:

And this is the one for Ethernet with the attributes of NPS that I think best much as I have not the same available for NAS Port Type Ethernet:

But with this settings, I end up with VLAN assignment instead of user profile assignment.

As said, we are working with HM classic and trying to do both (for WLAN and Ethernet) on the same radius NPS Windows Server.

Re: SR2148P 802.1x ethernet auth with NPS

samantha_lynn — Thu, 19 Sep 2019 19:39:17 GMT

My apologies, those directions were for HiveManager, I didn't realize you were using HiveManager Classic. In that case, you'll want to go to Configuration> Open the Network Policy> Click on Add/Remove below the user profile in use on your Radius SSID> Check the box next to "Assign user profiles based on values returned in the Following RADIUS Attribute> Select the Tunnel-Pvt-Group-ID attribute from the drop down list. Then create a user profile with the same attribute as the Tunnel PVT Group ID.

Re: SR2148P 802.1x ethernet auth with NPS

stefan_meichtry — Fri, 20 Sep 2019 22:10:25 GMT

My apologies. I haven't said I am using HM classic.

Thank you for the hint. I was able now to get things working even with the same radius attributes I am using for WLAN like described in many Aerohive docs:

Tunnel-Medium-Type: IP (IP version 4)

Tunnel-Pvt-Group-ID: 2351

Tunnel-Type: Generic Route Encapsulation (GRE)

My problem was more related to Windows NPS config. Sorry for that, but with you help I was able to get deeper into to issue.

I still have another problem with my setup. Let me try to explain, what I am trying to setup.

I would like to have switch ethernet ports configured so if a staff member connects his company notebook with a client certificate installed, will get to the intranet VLAN. This is working very well with the setup right now.

But then I would like to have all other clients (guest notebooks) to end up in our guest VLAN. This is also working, but with a timeout of 60 seconds.

Here is what the setup looks like:

I think this is related to the time I see here, but this is not editable here:

I would like to reduce this time to something like 5 or 10 sec.

So in the case of wrong authentication or no authentication at all, the users get quickly to the quest VLAN.

60 sec is mutch to high for this use case.

Can you tell me, where I have to edit this value or if this is not the correct value, where I find it. Or is this not changeable at all?

Re: SR2148P 802.1x ethernet auth with NPS

samantha_lynn — Sat, 21 Sep 2019 01:05:40 GMT

It doesn't look like we can edit that field when using Disconnected as the Deny Action. The only way I can edit that field is by setting the Deny Action to "Ban", and then when I change it back to Disconnected, it goes back to the default 60 and won't let me edit. I'm going to ask our engineers if this is by design, I'll let you know as soon as I hear back.

Re: SR2148P 802.1x ethernet auth with NPS

samantha_lynn — Thu, 26 Sep 2019 20:24:04 GMT

Thank you for your patience, I was able to confirm that this setting is not going to be something we can edit unless we set it to Ban instead of Disconnected. I would normally recommend filing a feature request with your sales engineer to see if we can get that changed in a later release, but HiveManager Classic is a legacy product and will not be receiving any more major updates or feature enhancements. I'm sorry I don't have better news here.

Re: SR2148P 802.1x ethernet auth with NPS

stefan_meichtry — Fri, 27 Sep 2019 13:55:20 GMT

Thank you very much for helping me.

Perhaps I am trying to build it to complicate and this can be achieved much easier. Do you see another way of having this use case done? I still think that this is a use case, many companies today have: assigning VLANs depending on user type (staff or guest). In WLAN this is quite easy to build, as

there is always an client authentification. In ethernet I just have the problem, that the guest notebooks are mostly not sending any authentication at all and so I cannot authenticate and assign VLAN with Radius attributes. The process should be the other way around. When connecting the thernet port, all notebooks first end up in the guest VLAN independent of sending any authentication. If the client sends an authentication, I can than switch the VLAN (or even the UP) depending of the usertype controlled by Radius. Like this, I do not have to deliver two ethernet ports for each public room in the building. Hopefully you understand my use case.

Re: SR2148P 802.1x ethernet auth with NPS

samantha_lynn — Thu, 10 Oct 2019 01:52:01 GMT

If a client isn't sending out authentication requests, we won't be able to work with the client at all. The APs have to have communication from a client device before they can engage in the connect process.

Re: SR2148P 802.1x ethernet auth with NPS

stefan_meichtry — Thu, 10 Oct 2019 02:01:07 GMT

I am still talking about switch ethernet ports and not about APs. But it will not be possible with Aerohive as I see.

I still think, I am not the only user with this use case. So I will have a look if there is a solution for this by other products. Thank you very much for your help.