cancel
Showing results for 
Search instead for 
Did you mean: 

SR2148P 802.1x ethernet auth with NPS

SR2148P 802.1x ethernet auth with NPS

stefan_meichtry
New Contributor

Hi all

We have implemented 802.1X authentication to windows NPS for our WLAN for a long time. I would like to do the same for wired clients on our SR2148P switches, but I have trouble to find the correct Radius attributes to hand over to the switch. At the moment, I am working with these:

 

  • Tunnel-Medium-Type: 802 (includes all 802 media plus Ethernet canonical format)
  • Tunnel-Pvt-Group-ID: 10
  • Tunnel-Type: Virtual LANs (VLAN)

 

But other than in the WLAN setup, the Tunnel-Pvt-Group-ID I have to give the VLAN instead of the UP.

Can someone tell me the correct attributes I have to use for wired ethernet 802.1X auth on Windows NPS?

 

Kind regards, Stefan

 

 

 

9 REPLIES 9

stefan_meichtry
New Contributor

I am still talking about switch ethernet ports and not about APs. But it will not be possible with Aerohive as I see.

I still think, I am not the only user with this use case. So I will have a look if there is a solution for this by other products. Thank you very much for your help.

samantha_lynn
Esteemed Contributor III

If a client isn't sending out authentication requests, we won't be able to work with the client at all. The APs have to have communication from a client device before they can engage in the connect process.

stefan_meichtry
New Contributor

Thank you very much for helping me.

Perhaps I am trying to build it to complicate and this can be achieved much easier. Do you see another way of having this use case done? I still think that this is a use case, many companies today have: assigning VLANs depending on user type (staff or guest). In WLAN this is quite easy to build, as

there is always an client authentification. In ethernet I just have the problem, that the guest notebooks are mostly not sending any authentication at all and so I cannot authenticate and assign VLAN with Radius attributes. The process should be the other way around. When connecting the thernet port, all notebooks first end up in the guest VLAN independent of sending any authentication. If the client sends an authentication, I can than switch the VLAN (or even the UP) depending of the usertype controlled by Radius. Like this, I do not have to deliver two ethernet ports for each public room in the building. Hopefully you understand my use case.

samantha_lynn
Esteemed Contributor III

Thank you for your patience, I was able to confirm that this setting is not going to be something we can edit unless we set it to Ban instead of Disconnected. I would normally recommend filing a feature request with your sales engineer to see if we can get that changed in a later release, but HiveManager Classic is a legacy product and will not be receiving any more major updates or feature enhancements. I'm sorry I don't have better news here.

GTM-P2G8KFN