How to configure 802.1x Port Authentication on HP Procurve Switches, and MAC Authentication for HP printers.
It also allows Avaya handsets to bypass authentication requests.
This guide shows you how to configure the network switch, and the Microsoft NPS server, for automatic 802.1x authentication of PCs and MAC authentication for other devices.
It assumes you already have the Microsoft NPS server installed, and that you have a PKI in place, so that the machines you want to enable 802.1x on already hold a client certificate. :)
First, plan out which VLAN you want to use as your 'Authenticated' VLAN and which VLAN you want to use as your 'Unauthorised' VLAN. Make sure you have DHCP running in both VLANs, and before going any further plug your laptop into an untagged port in each VLAN to confirm that you get an IP address and can reach the internet or the other resources you expect.
This example uses the following:
User Authenticated VLAN = 10
Printer Authenticated VLAN = 5
Unauthorised VLAN = 20
Voice VLAN = 15
RADIUS Server = 10.10.10.10
Client PC Configuration
Unlike the wireless network card, the wired authentication service (Wired AutoConfig on Windows) is disabled by default, so you must enable it on every PC. Put this in your group policy if you want to enable it on all machines in your domain.
For an individual PC, click Start / Run and type services.msc, then open the Wired AutoConfig service.
Change the Startup Type to Automatic, and then start the service.
Switch Configuration
First, configure the remote RADIUS server address, and make sure the 'reallysecretkey' matches what is configured on the RADIUS server.

radius-server host 10.10.10.10 encrypted-key reallysecretkey

Then configure EAP-RADIUS; this enables forwarding of authentication packets on the network ports.

aaa authentication port-access eap-radius

Switch Configuration - 802.1x
The following commands enable 802.1x authentication on a range of ports (1-44). You can specify individual ports, or separate them with a comma (,).

aaa port-access authenticator 1-44
aaa port-access authenticator 1-44 unauth-vid 20
aaa port-access authenticator 1-44 auth-vid 5
aaa port-access authenticator active

Switch Configuration - MAC Authentication
I identified my printer ports in advance, and enabled MAC authentication specifically on those ports. Note that the auth VLAN is different from the user VLAN above.

aaa port-access mac-based 45,46
aaa port-access mac-based 45,46 unauth-vid 20
aaa port-access mac-based 45,46 auth-vid 10

Switch Configuration - Telephone Bypass
I sort of cheated here: LLDP-MED will assign a phone into a VLAN, bypassing it from the authentication process. Make sure that all ports are tagged in VLAN 15, and that the string 'voice' appears in the VLAN configuration.

vlan 15
name 'Voice'
tagged 1-46
voice
exit

RADIUS / Microsoft NPS Server Configuration
I assume you've already installed NPS; there are plenty of guides out there (just add it using 'Turn Windows features on or off').
Make sure it's registered in Active Directory:
Your RADIUS clients are where the RADIUS requests will be 'proxied' from, which is the network switch. Add each switch IP address, and the 'reallysecretkey' I mentioned earlier.
If you want to be a bit cleverer... and enable both MAC authentication and 802.1x authentication on your ProCurve switch ports, then I use the following:

aaa port-access authenticator 1-44
aaa port-access authenticator 1-44 auth-vid 10
aaa port-access authenticator 1-44 quiet-period 30
aaa port-access authenticator 1-44 tx-period 2
aaa port-access authenticator 1-44 supplicant-timeout 2
aaa port-access authenticator 1-44 server-timeout 10
aaa port-access authenticator 1-44 max-requests 3
aaa port-access authenticator 1-44 client-limit 2
aaa port-access mac-based 1-44
aaa port-access mac-based 1-44 addr-limit 2
aaa port-access mac-based 1-44 logoff-period 86400
aaa port-access mac-based 1-44 quiet-period 30
aaa port-access mac-based 1-44 server-timeout 10
aaa port-access mac-based 1-44 auth-vid 10
aaa port-access mac-based 1-44 unauth-vid 20
aaa port-access 1-44 controlled-direction in

And you enable it using:

aaa port-access authenticator active

There are quite a few lines of configuration in there. The main thing to note is that you HAVE TO ONLY configure the 'unauth-vid' on the MAC-based authentication, otherwise you will encounter an error. Check the 'Resources' links below for the reasoning behind why I chose those settings.
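As an added example (not part of the original guide), here is a small Python checker that parses these 'aaa port-access' lines into a per-port view and flags any port where 802.1x and MAC authentication are both enabled but 'unauth-vid' has been put on the authenticator side, the combination the note above says the switch rejects. The sample config strings are constructed here to mirror the layout shown.

```python
import re
from collections import defaultdict

# Matches the ProCurve port-access lines this guide uses, e.g.
#   aaa port-access authenticator 1-44 unauth-vid 20
#   aaa port-access mac-based 45,46 auth-vid 10
LINE_RE = re.compile(
    r"^aaa port-access (authenticator|mac-based) ([\d,\-]+)(?: (\S+) (\S+))?$")

def parse_ports(spec):
    """Expand a ProCurve port list such as '1-44' or '45,46' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_config(text):
    """Per-port view: {port: {'authenticator': {...} or None, 'mac-based': {...} or None}}."""
    cfg = defaultdict(lambda: {"authenticator": None, "mac-based": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # 'authenticator active', 'controlled-direction' etc. are skipped
            continue
        method, spec, key, value = m.groups()
        for port in parse_ports(spec):
            if cfg[port][method] is None:
                cfg[port][method] = {}
            if key:
                cfg[port][method][key] = value
    return dict(cfg)

def find_unauth_vid_conflicts(cfg):
    """Ports running both methods with 'unauth-vid' set on the authenticator side,
    which is the combination the guide says produces an error."""
    return [p for p, m in sorted(cfg.items())
            if m["authenticator"] is not None and m["mac-based"] is not None
            and "unauth-vid" in m["authenticator"]]

# Constructed sample: the guide's combined 802.1x + MAC layout, unauth-vid placed correctly
GOOD = """\
aaa port-access authenticator 1-44
aaa port-access authenticator 1-44 auth-vid 10
aaa port-access mac-based 1-44
aaa port-access mac-based 1-44 auth-vid 10
aaa port-access mac-based 1-44 unauth-vid 20
"""
# Constructed mistake: unauth-vid also on the authenticator for the same ports
BAD = GOOD + "aaa port-access authenticator 1-44 unauth-vid 20\n"
```

Run find_unauth_vid_conflicts(parse_config(text)) against a pasted running-config; an empty list means no port has the rejected combination.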
Resources