IEEE 802.1x is an open standard for port-based network access control: a switch port carries no normal traffic until the connected client has authenticated (as a user or a computer) over EAP against a RADIUS server. This post describes how to configure 802.1x on an HP ProCurve switch and authenticate against a Windows 2008 R2 NPS (RADIUS) server.
Open VLAN mode will be used. This involves creating an “Authorized” and an “Un-Authorized” VLAN. With Open VLAN mode the switch temporarily ignores the port's static VLAN configuration and places the port in the “Un-Authorized” VLAN; the client then attempts authentication and, if it succeeds, the switch dynamically moves the port into the “Authorized” VLAN. Note that any device plugged into such a port gets an address in the “Un-Authorized” VLAN before it has authenticated, so that VLAN should be restricted (for example to the DHCP and NPS servers only).
The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72
Configuring the switch
From global configuration mode (configure), create the “Authorized” VLAN and define its IP address and IP helper-address (the DHCP relay target)
vlan 30
name Authorized
ip address 192.168.30.1 255.255.255.0
ip helper-address 192.168.20.20
exit
Create the “Un-Authorized” VLAN and define its IP address and IP helper-address
vlan 40
name Un-Authorized
ip address 192.168.40.1 255.255.255.0
ip helper-address 192.168.20.20
exit
NOTE – VLAN 30 and VLAN 40 are not configured as either tagged or untagged on the authenticator ports; Open VLAN mode temporarily ignores the static port configuration while a port is in the authorized or un-authorized VLAN.
Define the RADIUS server IP address and shared secret. The secret is the only thing protecting the switch-to-NPS exchange, so secret12 is a placeholder for this walkthrough; use a long random secret in production and keep it identical on both sides.
radius-server host 192.168.20.20 key secret12
Configure 802.1x authentication type
aaa authentication port-access eap-radius
Configure ethernet ports 1-2 as authenticator ports
aaa port-access authenticator 1-2
Configure ethernet ports 1-2 to use VLAN 30 as the “Authorized” VLAN
aaa port-access authenticator 1-2 auth-vid 30
Configure ethernet ports 1-2 to use VLAN 40 as the “Un-Authorized” VLAN
aaa port-access authenticator 1-2 unauth-vid 40
Activate 802.1x port-access authentication on the configured ports (this is a global switch, so run it after the per-port settings above)
aaa port-access authenticator active
Configure the maximum number of devices the defined ports are allowed to authenticate
aaa port-access authenticator 1-2 client-limit 1
Windows 2008 R2 NPS (RADIUS) Configuration
Install the server role Network Policy and Access Services > Network Policy Server
Open the Network Policy Server MMC and define the switch as a new RADIUS client under RADIUS Clients and Servers > RADIUS Clients
Define a friendly name (can be anything), define the switch IP address and enter the “shared secret”.
NOTE – the shared secret is the same secret defined previously when configuring the switch. In this instance the shared secret is secret12
Create a Policy > Policies > Network Policies
Define a suitable policy name eg “Switch 802.1x Authentication”. Click Next
Specify conditions: add a Windows Groups condition with a value such as DOMAINNAME\Domain Users (to authenticate users) or DOMAINNAME\Domain Computers (to authenticate machines). Click Next
Specify Access Permissions, leave as “Access granted”. Click Next
Specify the Authentication Method: add the EAP type “Microsoft: Protected EAP (PEAP)” and un-tick “Microsoft Encrypted Authentication (MS-CHAP)”. PEAP requires the NPS server to hold a server certificate (for example from an internal CA) that the clients can validate. Click Next
Click Next and make no further modifications. Click Finish
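Before plugging a client into an authenticator port it is worth confirming the switch-to-NPS side on its own: that the RADIUS client entry exists and that both ends hold the same shared secret. The following script is an added example, not part of the original post, and is not switch or NPS code. It sends a plain PAP Access-Request (RFC 2865) and checks the reply's Response Authenticator. The Network Policy above only permits PEAP, so NPS will normally answer Access-Reject, but a reply that verifies under our secret still proves registration and secret agreement; no reply means the source IP is not a registered RADIUS client (or UDP/1812 is blocked); a reply that fails verification means the secrets differ. It assumes NPS at 192.168.20.20 and the secret secret12 from this post, and that it is run from a host temporarily added as a RADIUS client in NPS, since the switch itself cannot run it. The username and password are placeholders.

```python
"""Added example: RADIUS (RFC 2865) probe to check NPS client registration and shared secret.
Not from the original post; NPS address and secret are taken from it, credentials are placeholders."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then c(i) = p(i) XOR MD5(secret + c(i-1)),
    with the Request Authenticator standing in for c(0)."""
    raw = password.encode()
    padded = raw.ljust(max(16, ((len(raw) + 15) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> str:
    """Inverse of encode_password (what the RADIUS server does with the attribute)."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes,
                           secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side of the exchange (used here to simulate NPS offline)."""
    ident = request[1]
    auth = response_authenticator(code, ident, attrs, request[4:20], secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request: bytes, secret: bytes):
    """Return the reply Code if it matches `request` and was signed with `secret`;
    None if malformed, for a different request, or signed with a different secret."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != request[1]:
        return None
    expected = response_authenticator(code, ident, packet[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, packet[4:20]) else None


def probe(server: str, secret: bytes, username: str, password: str, nas_ip: str,
          timeout: float = 3.0) -> str:
    """Send one Access-Request to NPS and classify what came back."""
    request = build_access_request(os.urandom(1)[0], secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: this host is not a registered RADIUS client in NPS, or UDP/1812 is blocked"
    code = verify_response(reply, request, secret)
    if code is None:
        return "reply failed Response Authenticator check: shared secret mismatch"
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    return f"{names.get(code, 'code %d' % code)}: client registered and shared secret matches"


if __name__ == "__main__":
    # nas_ip is informational; NPS matches the RADIUS client by the packet's source IP.
    print(probe("192.168.20.20", b"secret12", "DOMAINNAME\\testuser", "password", "192.168.30.1"))
```

Remove the temporary RADIUS client entry for the test host from NPS afterwards; a stale entry with a known secret is itself a way to forge Access-Accepts.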
Windows client computer configuration
Open Windows services and change the startup type of the service “Wired AutoConfig” to Automatic. Click Start service
Open “Network and Sharing Center”. Click “Change adapter settings”
Click “Local Area Connection” > “Properties” > “Authentication”
Ensure “Enable IEEE 802.1x authentication” is ticked
Ensure “Microsoft: Protected EAP (PEAP)” is selected from the dropdown box. Click Settings
If the client computers do not trust the CA that issued the NPS server certificate, they will only connect with “Validate server certificate” un-ticked. Be aware that this lets the client hand its credentials (MS-CHAPv2 inside PEAP) to any RADIUS server that answers, so it is acceptable for testing only. If you have an internal CA and all client computers have its root certificate in the computer certificate store, leave it ticked.
If the client computer is not joined to the domain and you wish to prompt for credentials, select “Configure” and un-tick “Automatically use my Windows logon name and password (and domain if any)”
The steps above can also be configured via Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies)
Connect a computer to a port configured for authentication
If using a non-domain joined computer and you have previously un-ticked “Automatically use my Windows logon name and password (and domain if any)”, a balloon will appear: “Additional information is needed to connect to this network”. Click the balloon and enter your domain credentials.
If you are on a domain joined computer, the authentication will be transparent to the user (you will not see the prompt for authentication as above).
From the switch, the command “show port-access authenticator” will display useful troubleshooting information, such as the ports activated for authentication, authorized/guest clients and the VLAN currently assigned to each port
When a client machine successfully authenticates, the port is dynamically moved to the “Authorized” VLAN 30.
Before authentication the client is identified as a Guest and the port is placed in the “Un-Authorized” VLAN 40. The client computer remains in the “Un-Authorized” VLAN if authentication fails, so check the NPS event log (Security log, Network Policy Server events) for the reject reason.