Comware

  • 1.  Dynamic VLANs and NPS

    Posted Aug 26, 2016 11:50 AM

    Currently I am using port-security on my HP E5412zl switch.  While this works well, management is a pain.  We have a lot of people come and go in our organization.

    I would like to set up dynamic VLAN allocation using NPS (Server 2012).  I have it working for our wireless users but I cannot get it working for our wired ones.

    We have a number of VLANs and I want to be able to assign the VLAN via the NPS server.  We house a number of client businesses on our network, so this is basically the structure that I am looking at.

    When a person plugs in to the network they are either plugging in to a client port or a company port.

    If it is a company port, it uses the MAC address of the computer for verification.  If unverified, the port will get assigned to a guest VLAN.

    The client ports do not have security on them and the clients wish to keep it that way.   I do need to have the connections in the boardroom set up so that if a company computer is plugged in it gets authenticated via MAC address.  If a non-company computer plugs in, then the user gets prompted for a user name and password.  The credentials will determine the VLAN that the port is assigned.

    I realize that with NPS the policies are read top-down, so the company profile would get checked first and then the clients, with a profile for each client and one for guest.


    I have been trying to get this working for a number of weeks now without success.  I haven't really found information on how to really get this working.  There are lots of how-tos that cover part of the setup but not end to end, so trying to get two to work together seems impossible.

    This is what I have so far in my test lab.

    The switch has the following configuration.

    hostname "HP-Switch-5412zl"
    module 1 type j8702a
    module 2 type j8702a
    module 3 type j8702a
    module 4 type j8702a
    module 5 type j9309a
    module 6 type j9309a
    trunk D24 trk1 trunk
    radius-server host 192.168.1.25 key "innovation"
    ip dns server-address priority 1 192.168.1.20
    ip route 0.0.0.0 0.0.0.0 192.168.2.1
    snmp-server community "public" unrestricted
    aaa port-access mac-based A13-A24
    aaa port-access mac-based A13 auth-vid 110
    aaa port-access mac-based A13 unauth-vid 130
    aaa port-access mac-based A14 auth-vid 110
    aaa port-access mac-based A14 unauth-vid 130
    aaa port-access mac-based A15 auth-vid 110
    aaa port-access mac-based A15 unauth-vid 130
    aaa port-access mac-based A16 auth-vid 110
    aaa port-access mac-based A16 unauth-vid 130
    aaa port-access mac-based A17 auth-vid 110
    aaa port-access mac-based A17 unauth-vid 130
    aaa port-access mac-based A18 auth-vid 110
    aaa port-access mac-based A18 unauth-vid 130
    aaa port-access mac-based A19 auth-vid 110
    aaa port-access mac-based A19 unauth-vid 130
    aaa port-access mac-based A20 auth-vid 110
    aaa port-access mac-based A20 unauth-vid 130
    aaa port-access mac-based A21 auth-vid 110
    aaa port-access mac-based A21 unauth-vid 130
    aaa port-access mac-based A22 auth-vid 110
    aaa port-access mac-based A22 unauth-vid 130
    aaa port-access mac-based A23 auth-vid 110
    aaa port-access mac-based A23 unauth-vid 130
    aaa port-access mac-based A24 auth-vid 110
    aaa port-access mac-based A24 unauth-vid 130
    vlan 1
    name "DEFAULT_VLAN"
    no untagged A1-A2,A13-A24
    untagged A3-A12,B1-B24,C1-C24,D1-D23,E1-E4,F1-F4,Trk1
    no ip address
    exit
    vlan 110
    name "Work"
    untagged A1
    tagged Trk1
    ip address 192.168.2.3 255.255.255.0
    ip helper-address 192.168.1.20
    exit
    vlan 120
    name "Client"
    untagged A2
    tagged Trk1
    ip address 192.168.3.3 255.255.255.0
    ip helper-address 192.168.1.20
    exit
    vlan 130
    name "Guest"
    tagged Trk1
    ip address 192.168.4.3 255.255.255.0
    ip helper-address 192.168.1.20
    exit
    vlan 140
    name "NPS"
    untagged A13-A24
    tagged Trk1
    ip address 192.168.5.3 255.255.255.0
    ip helper-address 192.168.1.20
    exit
    spanning-tree Trk1 priority 4
    no spanning-tree bpdu-throttle

    I have verified that the switch is communicating with the NPS server which in turn is using AD for authentication.

    It doesn't seem to matter what I do; all I keep getting at the NPS server is "authentication failed".

    Currently I am just trying to get the computers to authenticate using their MAC addresses.  Can anyone provide a working config showing the setup for both the NPS server and the switch?

    This has been driving me crazy.  Most of the documentation that I find is outdated, i.e. older versions of the ProCurve software and Server 2003.

    I would appreciate any help.




  • 2.  RE: Dynamic VLANs and NPS

    Posted Aug 27, 2016 06:22 AM

    Howdy,

    This might take us a bit of q and a to get started...

    Do you have all of the corporate devices registered in AD as username:password pairs of MAC:MAC?

    Have you considered running Wireshark on the NPS server? I have built 3 or 4 of these and seem to always end up doing packet analysis at the server end to work out what is going on. One window with the NPS event log and one with Wireshark works quite well.

    I would strongly consider running dot1x over MAC for my corporate clients, as MAC is really easy to spoof these days on all platforms.  MAC is fine for an isolated printer or VoIP subnet without internet access, but good practice, if you have the capability in the RADIUS server, is to do Protected EAP, aka PEAP.

    There are some very good blogs and articles on the subject; I will dig a few out and post the links up.

    If I get a chance I will get a ProCurve switch talking to NPS and post up the config.

    Hope that gives you a start

    Thanks

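    The exchange the two posts above are debugging, as an added example that is not part of the original thread or of any HP or Microsoft code: the switch's `mac-based` authenticator sends a RADIUS Access-Request whose User-Name and User-Password are both the client MAC (PAP, password hidden with the shared secret per RFC 2865), and a RADIUS server that accepts it hands back the VLAN in the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes, which is what the `auth-vid` port setting is overridden by.  The MAC `001122aabbcc`, the port name `A13`, the MAC-to-VLAN table and the username format (lower case, no delimiters) are constructed assumptions; the shared secret is the one from the posted `radius-server` line and should of course be changed.  The `respond` function models the server policy "accept if username equals password and the MAC is known"; note that if the two sides disagree on the secret, the server decrypts the PAP password to garbage and can only report a credential mismatch, which is one thing worth ruling out with the Wireshark capture mentioned above.

```python
"""RADIUS MAC-authentication exchange between an edge switch and a RADIUS server.

Added example, not code from the original forum post. Values such as the MAC,
port name and VLAN table are constructed for illustration.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT_ID = 1, 2, 87
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def _pap_blocks(secret, authenticator, data, encrypt):
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the Request Authenticator seeds it."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, keystream))
        out += xored
        prev = xored if encrypt else block  # chaining always uses ciphertext
    return out


def hide_password(secret, authenticator, password):
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _pap_blocks(secret, authenticator, padded, encrypt=True)


def reveal_password(secret, authenticator, hidden):
    return _pap_blocks(secret, authenticator, hidden, encrypt=False).rstrip(b"\x00")


def attr(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value


def tagged_int(tag, value):
    """RFC 2868 tunnel integer: one tag byte followed by a 24-bit value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def parse(data):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    auth, attrs, pos = data[4:20], [], 20
    while pos < length:
        kind, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((kind, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, auth, attrs


def build_access_request(secret, mac, port_id, ident=1, authenticator=None):
    """What a MAC-authenticating switch sends: User-Name and User-Password are
    both the MAC (format assumed: lower case, no delimiters), password PAP-hidden."""
    authenticator = authenticator or os.urandom(16)
    body = (attr(USER_NAME, mac)
            + attr(USER_PASSWORD, hide_password(secret, authenticator, mac))
            + attr(NAS_PORT_ID, port_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body, authenticator


def respond(secret, request, allowed):
    """Server policy: accept iff User-Name == revealed User-Password and the MAC is
    in `allowed` (MAC -> VLAN). A shared-secret mismatch garbles the password, so
    it is indistinguishable from wrong credentials at this point."""
    code, ident, req_auth, attrs = parse(request)
    got = dict(attrs)
    user = got.get(USER_NAME, b"")
    password = reveal_password(secret, req_auth, got.get(USER_PASSWORD, b""))
    if code == ACCESS_REQUEST and user == password and user in allowed:
        code_out, body = ACCESS_ACCEPT, (
            attr(TUNNEL_TYPE, tagged_int(0, TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(0, TUNNEL_MEDIUM_IEEE802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + str(allowed[user]).encode()))
    else:
        code_out, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code_out, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def switch_result(secret, req_auth, response):
    """Switch side: verify the Response Authenticator, then pull the VLAN out of the
    tunnel attributes. Returns (accepted, vlan); (False, None) means the port
    falls back to its unauth-vid, (True, None) means Accept without a VLAN."""
    code, _ident, resp_auth, attrs = parse(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if expected != resp_auth:
        raise ValueError("response authenticator mismatch: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return False, None
    got = {}
    for kind, value in attrs:
        if kind in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value and value[0] <= 0x1F:
            value = value[1:]  # RFC 2868: a leading byte <= 0x1F is a tag, else part of the value
        got[kind] = value
    if (int.from_bytes(got.get(TUNNEL_TYPE, b"\0\0\0"), "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(got.get(TUNNEL_MEDIUM_TYPE, b"\0\0\0"), "big") != TUNNEL_MEDIUM_IEEE802
            or TUNNEL_PRIVATE_GROUP_ID not in got):
        return True, None
    return True, int(got[TUNNEL_PRIVATE_GROUP_ID].decode())


if __name__ == "__main__":
    SECRET = b"innovation"                   # from the posted config; change it
    ALLOWED = {b"001122aabbcc": 110}         # constructed MAC -> VLAN policy table
    req, auth = build_access_request(SECRET, b"001122aabbcc", b"A13")
    print(switch_result(SECRET, auth, respond(SECRET, req, ALLOWED)))   # (True, 110)
    print(switch_result(SECRET, auth, respond(SECRET, req, {})))        # (False, None)
    try:
        switch_result(SECRET, auth, respond(b"wrong", req, ALLOWED))    # secret mismatch
    except ValueError as err:
        print(err)
```

    Running it with matching secrets yields an Accept carrying VLAN 110; an unknown MAC yields a Reject, which on the posted config drops the port into `unauth-vid 130`; and a server configured with a different secret both rejects (it cannot read the password) and produces a reply the switch must discard because its Response Authenticator does not verify.  Message-Authenticator (attribute 80, HMAC-MD5) is deliberately left out to keep the example short; a production server should require it for EAP, and PAP over a LAN with a 16-byte MD5 construction is exactly why the reply above recommends 802.1X with PEAP instead of MAC authentication.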



  • 3.  RE: Dynamic VLANs and NPS

    Posted Aug 29, 2016 11:47 AM

    I have this set up in a test environment.   I think I read about 30 posts before I found one that said to use the MAC for both username and password.  I did that but I still don't authenticate.  Everything keeps failing and I can't tell why.  I have also run Wireshark on the NPS server as you mentioned but could not figure it out.   It just seems like the client keeps trying to authenticate; it fails on the NPS, but the only information it tells me is that it is most likely a bad user/password pair.  I have redone the account numerous times with the same results.