
SR2148P 802.1x ethernet auth with NPS


stefan_meichtry
New Contributor

Hi all

We have had 802.1X authentication against Windows NPS for our WLAN for a long time. I would like to do the same for wired clients on our SR2148P switches, but I am having trouble finding the correct RADIUS attributes to hand over to the switch. At the moment, I am working with these:

 

  • Tunnel-Medium-Type: 802 (includes all 802 media plus Ethernet canonical format)
  • Tunnel-Pvt-Group-ID: 10
  • Tunnel-Type: Virtual LANs (VLAN)

 

But unlike in the WLAN setup, in Tunnel-Pvt-Group-ID I have to give the VLAN instead of the UP (user profile).

Can someone tell me the correct attributes I have to use for wired Ethernet 802.1X auth on Windows NPS?

 

Kind regards, Stefan

 

 

 


samantha_lynn
Esteemed Contributor III

It doesn't look like we can edit that field when using Disconnected as the Deny Action. The only way I can edit that field is by setting the Deny Action to "Ban", and when I change it back to Disconnected, it goes back to the default 60 and won't let me edit it. I'm going to ask our engineers if this is by design; I'll let you know as soon as I hear back.

stefan_meichtry
New Contributor

My apologies, I didn't say that I am using HM Classic.

 

Thank you for the hint. I was now able to get things working, even with the same RADIUS attributes I am using for WLAN, as described in many Aerohive docs:

  • Tunnel-Medium-Type: IP (IP version 4)
  • Tunnel-Pvt-Group-ID: 2351
  • Tunnel-Type: Generic Route Encapsulation (GRE)

My problem was more related to the Windows NPS config. Sorry for that, but with your help I was able to get deeper into the issue.

 

 

 

I still have another problem with my setup. Let me try to explain what I am trying to set up.

 

I would like to have the switch Ethernet ports configured so that if a staff member connects his company notebook with a client certificate installed, it will get into the intranet VLAN. This is working very well with the setup right now.

 

But then I would like all other clients (guest notebooks) to end up in our guest VLAN. This is also working, but with a timeout of 60 seconds.

 

Here is what the setup looks like: 

 

[screenshot: port/authentication setup]

I think this is related to the time I see here, but it is not editable here:

 

[screenshot: timeout value, not editable]

I would like to reduce this time to something like 5 or 10 sec.

So in the case of wrong authentication or no authentication at all, the users quickly get to the guest VLAN.

60 sec is much too high for this use case.

Can you tell me where I have to edit this value, or, if this is not the correct value, where I can find it? Or is it not changeable at all?
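The two attribute sets in this thread look similar in the NPS dialog but mean different things on the wire. As an added example (not code from this thread, from Aerohive or from Microsoft), the block below encodes both sets as RFC 2868 tunnel AVPs exactly as they would appear inside an Access-Accept, and decodes them the way a NAS would, including the tag-byte rule that distinguishes a tagged from an untagged value. The helper names (`vlan_assignment`, `aerohive_user_profile`, `interpret`) are mine; the "user-profile" interpretation of the GRE/IPv4 convention is only what the thread describes HiveOS doing when "assign user profiles based on Tunnel-Pvt-Group-ID" is enabled, not RFC behaviour.

```python
"""RFC 2868 tunnel attributes as carried in a RADIUS Access-Accept.

Added example (not from the thread, Aerohive or Microsoft): encodes the two
attribute sets discussed above and decodes them the way a NAS would.
"""

# Attribute type codes from RFC 2868.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Tunnel-Type values (IANA registry).
TUNNEL_TYPE_GRE = 10
TUNNEL_TYPE_VLAN = 13

# Tunnel-Medium-Type values (IANA registry).
MEDIUM_IPV4 = 1
MEDIUM_802 = 6

MAX_TAG = 0x1F  # RFC 2868: tags are 0x01..0x1F; 0x00 means "untagged"


def encode_tagged_int(attr_type, value, tag=0):
    """Tagged integer AVP: type, length, tag octet, 3-octet big-endian value."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0..0x1F")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integer values are 24-bit")
    data = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(data)]) + data


def encode_tagged_string(attr_type, text, tag=0):
    """Tagged string AVP (Tunnel-Private-Group-ID): type, length, tag, string."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0..0x1F")
    data = bytes([tag]) + text.encode("ascii")
    if 2 + len(data) > 255:
        raise ValueError("AVP too long")
    return bytes([attr_type, 2 + len(data)]) + data


def decode_attributes(buf):
    """Parse a run of AVPs into [(type, tag, value)], rejecting malformed input."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated AVP header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad AVP length")
        data = buf[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(data) != 4:
                raise ValueError("tunnel integer must be 4 octets")
            # RFC 2868: a first octet above 0x1F is part of the value, not a tag.
            if data[0] <= MAX_TAG:
                tag, value = data[0], int.from_bytes(data[1:], "big")
            else:
                tag, value = 0, int.from_bytes(data, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if data and data[0] <= MAX_TAG:
                tag, value = data[0], data[1:].decode("ascii")
            else:
                tag, value = 0, data.decode("ascii")
        else:
            tag, value = None, data  # other attributes are passed through raw
        out.append((attr_type, tag, value))
        i += length
    return out


def is_well_formed(buf):
    try:
        decode_attributes(buf)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def vlan_assignment(vlan_id, tag=0):
    """Standard RFC 3580 dynamic VLAN: Tunnel-Type=VLAN, Medium=802, Group-ID=VLAN id."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def aerohive_user_profile(profile_attr, tag=0):
    """Convention from the thread: Tunnel-Type=GRE, Medium=IPv4, Group-ID=user profile attribute."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_GRE, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IPV4, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(profile_attr), tag))


def interpret(avps):
    """What a NAS makes of the AVPs: ('vlan', id), ('user-profile', attr) or ('ignored', why)."""
    wanted = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    tunnel = {t: (tag, v) for t, tag, v in avps if t in wanted}
    if len(tunnel) != 3:
        return ("ignored", "incomplete tunnel attribute set")
    if len({tag for tag, _ in tunnel.values()}) != 1:
        return ("ignored", "tag mismatch between tunnel attributes")  # tags group the triple
    ttype = tunnel[TUNNEL_TYPE][1]
    medium = tunnel[TUNNEL_MEDIUM_TYPE][1]
    group = tunnel[TUNNEL_PRIVATE_GROUP_ID][1]
    if ttype == TUNNEL_TYPE_VLAN and medium == MEDIUM_802:
        return ("vlan", group)
    if ttype == TUNNEL_TYPE_GRE and medium == MEDIUM_IPV4:
        # Assumption from the thread: HiveOS maps this to a user profile only when the
        # "assign user profiles based on Tunnel-Pvt-Group-ID" option is enabled.
        return ("user-profile", group)
    return ("ignored", "unsupported tunnel type/medium")
```

The practical point: a plain RFC 3580 switch only acts on the VLAN/802 triple, so the GRE/IPv4 set from the Aerohive docs is inert unless the HiveOS user-profile mapping is switched on; and if NPS is configured to send the three attributes with different tags, a conforming NAS is entitled to ignore the whole set.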

 

samantha_lynn
Esteemed Contributor III

My apologies, those directions were for HiveManager; I didn't realize you were using HiveManager Classic. In that case, you'll want to go to Configuration > open the Network Policy > click on Add/Remove below the user profile in use on your RADIUS SSID > check the box next to "Assign user profiles based on values returned in the following RADIUS attribute" > select the Tunnel-Pvt-Group-ID attribute from the drop-down list. Then create a user profile with the same attribute as the Tunnel-Pvt-Group-ID.

 

[screenshot: HiveManager Classic user profile assignment by RADIUS attribute]

stefan_meichtry
New Contributor

Thank you for answering.

I was not able to find the screenshot you sent in your answer in our HM Classic. But anyway, what I see in this picture are exactly the attributes I am using for WLAN 802.1X, and this is working fine.

But when I configure Windows NPS with a new network policy, this time with NAS Port Type = Ethernet, I do not have the same RADIUS attributes available in NPS to return as with NAS Port Type = Wireless - IEEE 802.11.

 

Here the picture of NPS for WLAN that is working:

[screenshot: NPS network policy attributes for WLAN]

 

And this is the one for Ethernet, with the NPS attributes that I think match best, as I do not have the same ones available for NAS Port Type Ethernet:

[screenshot: NPS network policy attributes for Ethernet]

But with these settings, I end up with VLAN assignment instead of user profile assignment.

 

As said, we are working with HM Classic and are trying to do both (WLAN and Ethernet) on the same Windows NPS RADIUS server.

 

samantha_lynn
Esteemed Contributor III

You can use the Tunnel-Pvt-Group-ID; you'd want to use the option "Assign user profile based on RADIUS attribute value pairs returned in Access-Accept response message" and then enter the attributes you want to allow.

[screenshot: user profile assignment based on RADIUS attribute value pairs]
