Configuring 802.1x authentication on ProCurve Switches

802.1x is an open-standards protocol for port-based network access control that authenticates network clients on a per-user basis. This post describes how to configure 802.1x on an HP ProCurve switch and authenticate against a Windows 2008 R2 NPS (RADIUS) server.

Open VLAN mode will be used, which involves creating an “Authorized” and an “Un-Authorized” VLAN. In Open VLAN mode the switch temporarily ignores the port's static VLAN configuration and places the port in the “Un-Authorized” VLAN; the client then attempts authentication and, if it succeeds, the switch dynamically moves the port into the “Authorized” VLAN.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72.

Configuring the switch

Create the “Authorized” VLAN, define IP address and IP helper-address

VLAN 30

name “Auth”

ip address 192.168.30.1 255.255.255.0

ip helper-address 192.168.20.20

Create the “Un-Authorized” VLAN, define IP address and IP helper-address

VLAN 40

name “Un-Auth”

ip address 192.168.40.1 255.255.255.0

ip helper-address 192.168.20.20


NOTE – VLAN 30 and VLAN 40 are not configured as either tagged or untagged on the ports; Open VLAN temporarily ignores the static port configuration while the authorized and un-authorized VLANs are in use.

Define RADIUS server IP address and shared secret

radius-server host 192.168.20.20 key secret12

Configure 802.1x authentication type

aaa authentication port-access eap-radius

Configure ethernet ports 1-2 as authenticator ports

aaa port-access authenticator 1-2

Configure ethernet ports 1-2 to use VLAN 30 as the “Authorized” VLAN

aaa port-access authenticator 1-2 auth-vid 30

Configure ethernet ports 1-2 to use VLAN 40 as the “Un-Authorized” VLAN

aaa port-access authenticator 1-2 unauth-vid 40

Activate 802.1x port-access authentication on the configured ports

aaa port-access authenticator active

Configure the maximum number of devices each of the defined ports is allowed to authenticate

aaa port-access authenticator 1-2 client-limit 1
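The commands above only work when several values agree with each other: the ports listed as authenticators must be the same ports given an auth-vid and unauth-vid, those two VLANs must differ and must actually be defined, and the RADIUS server, EAP method and "active" line must all be present. The following Python script is an added example, not part of the original post and not HP tooling: it parses a ProCurve-style configuration and reports any inconsistency. The sample configuration embedded in it is constructed from the commands above, with a deliberate port-range mismatch (port 5 enabled as an authenticator while the VLANs are assigned to ports 1-2) so that the check has something to report; the command syntax it recognises is limited to the forms used in this post.

```python
"""Consistency check for a ProCurve 802.1x Open VLAN configuration (added example)."""
import re

# Constructed sample based on the post's commands. The authenticator port list
# deliberately says "5" while the VLAN assignments say "1-2", so the checker
# has a real inconsistency to report.
SAMPLE_CONFIG = """
vlan 30
 name "Auth"
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.20.20
vlan 40
 name "Un-Auth"
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 192.168.20.20
radius-server host 192.168.20.20 key secret12
aaa authentication port-access eap-radius
aaa port-access authenticator 5
aaa port-access authenticator 1-2 auth-vid 30
aaa port-access authenticator 1-2 unauth-vid 40
aaa port-access authenticator active
aaa port-access authenticator 1-2 client-limit 1
"""


def expand_ports(spec):
    """'1-2,5' -> {1, 2, 5}; ProCurve port lists use ranges and commas."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        ports.update(range(int(lo), int(hi) + 1))
    return ports


def parse_config(text):
    """Pull out only the pieces the 802.1x setup depends on."""
    cfg = {"vlans": set(), "radius": [], "eap_radius": False, "active": False,
           "authenticator_ports": set(), "auth_vid": {}, "unauth_vid": {},
           "client_limit": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line, re.I):
            cfg["vlans"].add(int(m.group(1)))
        elif m := re.match(r"radius-server host (\S+) key (\S+)", line):
            cfg["radius"].append(m.group(1))
        elif line == "aaa authentication port-access eap-radius":
            cfg["eap_radius"] = True
        elif line == "aaa port-access authenticator active":
            cfg["active"] = True
        elif m := re.match(r"aaa port-access authenticator (\S+)"
                           r"(?: (auth-vid|unauth-vid|client-limit) (\d+))?$", line):
            ports = expand_ports(m.group(1))
            key = m.group(2)
            if key is None:
                cfg["authenticator_ports"] |= ports      # bare port list = enable authenticator
            else:
                for p in ports:
                    cfg[key.replace("-", "_")][p] = int(m.group(3))
    return cfg


def check_config(text):
    """Return a list of problems; an empty list means the config is consistent."""
    cfg = parse_config(text)
    problems = []
    if not cfg["radius"]:
        problems.append("no radius-server host configured")
    if not cfg["eap_radius"]:
        problems.append("aaa authentication port-access eap-radius missing")
    if not cfg["active"]:
        problems.append("aaa port-access authenticator active missing")
    vid_ports = set(cfg["auth_vid"]) | set(cfg["unauth_vid"])
    for p in sorted(vid_ports - cfg["authenticator_ports"]):
        problems.append(f"port {p} has auth-vid/unauth-vid but is not an authenticator port")
    for p in sorted(cfg["authenticator_ports"]):
        a, u = cfg["auth_vid"].get(p), cfg["unauth_vid"].get(p)
        if a is None or u is None:
            problems.append(f"port {p} is an authenticator port without both auth-vid and unauth-vid")
            continue
        if a == u:
            problems.append(f"port {p}: auth-vid and unauth-vid are the same VLAN {a}")
        for vid in (a, u):
            if vid not in cfg["vlans"]:
                problems.append(f"port {p} references VLAN {vid}, which is not defined")
        if p not in cfg["client_limit"]:
            problems.append(f"port {p} has no client-limit")
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONFIG) or ["configuration is consistent"]:
        print(problem)
```

Run against the embedded sample it reports three problems (ports 1 and 2 carry VLAN assignments without being authenticators, and port 5 is an authenticator with no VLANs); change the bare authenticator line to "1-2" and it reports none. Paste the output of "show running-config" into SAMPLE_CONFIG to check a live switch.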

Windows 2008 R2 NPS (RADIUS) Configuration

Install the server role Network Policy and Access Services > Network Policy Server

Open the Network Policy Server MMC and define the switch as a new RADIUS client under RADIUS Clients and Servers > RADIUS Clients

Define a friendly name (can be anything), define the switch IP address and enter the “shared secret”.

NOTE – the shared secret is the same secret defined previously when configuring the switch. In this instance the shared secret is secret12.
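The shared secret is what lets the switch check that an Access-Accept really came from the NPS server it sent the request to: the server's reply carries a Response Authenticator computed over the reply and the secret, and the switch recomputes it with its own copy. The script below is an added example, not part of the post and not a real RADIUS client; it builds a minimal Access-Request and Access-Accept the way RFC 2865 describes and verifies the reply with matching and non-matching secrets. The packet contents are constructed for illustration (the NAS-IP-Address value and the user name are placeholders); "secret12" is the secret from the post.

```python
"""RFC 2865 Response Authenticator check, showing why the shared secret must match (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, ident, authenticator, attrs):
    """Header (Code, Identifier, Length, 16-byte Authenticator) followed by attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident, username, nas_ip, request_auth):
    """Switch side: Access-Request with a fresh random Request Authenticator."""
    attrs = [attribute(ATTR_USER_NAME, username.encode()),
             attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865 section 3."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret.encode()).digest()


def build_access_accept(request, secret, attrs=()):
    """Server side: the reply's Authenticator field is derived from the request and the secret."""
    ident = request[1]
    request_auth = request[4:20]
    attrs = list(attrs)
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, resp_auth, attrs)


def verify_reply(request, reply, secret):
    """Switch side: recompute the Response Authenticator with its own copy of the secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, ident, request[4:20], [reply[20:]], secret)
    return hmac.compare_digest(expected, reply[4:20])


def shared_secret_check(secret_on_switch, secret_on_nps):
    """Simulate one exchange; True only if both sides hold the same secret."""
    request_auth = os.urandom(16)                      # fresh per request, as a real NAS does
    request = build_access_request(7, "DOMAINNAME\\user",   # placeholder user name
                                   "192.168.30.1",          # placeholder NAS-IP-Address
                                   request_auth)
    reply = build_access_accept(request, secret_on_nps)
    return verify_reply(request, reply, secret_on_switch)


if __name__ == "__main__":
    print("matching secrets:", shared_secret_check("secret12", "secret12"))
    print("mismatched secrets:", shared_secret_check("secret12", "typo12"))
```

A mismatched secret does not produce an error message on either side; the switch simply discards the reply as invalid and the client never leaves the un-authorized VLAN, which is why a secret typo looks like a silent authentication failure. Real EAP exchanges additionally carry EAP-Message and Message-Authenticator attributes (RFC 3579), which this example omits.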

Create a policy under Policies > Network Policies

Define a suitable policy name, e.g. “Switch 802.1x Authentication”. Click Next.

Specify a conditions value, e.g. DOMAINNAME\Domain Users or DOMAINNAME\Domain Computers. Click Next.

Specify Access Permissions, leave as “Access granted”. Click Next.

Specify the Authentication Method as “Microsoft: Protected EAP (PEAP)”. Un-tick “Microsoft Encrypted Authentication (MS-CHAP)”. Click Next.

Click Next and make no further modifications. Click Finish.

Windows client computer configuration

Open Windows Services and change the startup type of the “Wired AutoConfig” service to Automatic. Click Start service.

Open “Network and Sharing Center”. Click “Change adapter settings”

Click “Local Area Connection” > “Properties” > “Authentication”

Ensure “Enable IEEE 802.1x authentication” is ticked

Ensure “Microsoft: Protected EAP (PEAP)” is selected from the dropdown box. Click Settings

If the client computers do not have a trusted root certificate, un-check the tick box “Validate server certificate”. If you do have an internal CA and all client computers have the root CA in the computer certificate store, leave it checked: with validation off the client has no way to tell whether the PEAP tunnel terminates at the genuine NPS server.

If the client computer is not joined to the domain and you wish to prompt for authentication, click “Configure” and un-check “Automatically use my Windows logon….”

The steps above can also be configured via Group Policy.

Testing

Connect a computer to a port configured for authentication.

If using a non-domain-joined computer and you previously un-checked the tick box “Automatically use my Windows logon….”, a balloon will appear: “Additional information is needed to connect to this network”. Click the balloon and enter your domain credentials.

If you are on a domain joined computer, the authentication will be transparent to the user (you will not see the prompt for authentication as above).

From the switch, the command “show port-access authenticator” will display useful troubleshooting information, such as the ports activated for authentication, authorized/guest clients and the VLAN currently assigned to each port.

When a client machine successfully authenticates, the port is dynamically moved to the “Authorized” VLAN 30.

Pre-authentication, the client will be identified as a Guest and the port will be placed in the “Un-Authorized” VLAN 40. The port remains in the “Un-Authorized” VLAN if authentication fails.
