Network Management

Good afternoon everyone,

Let me explain my configuration :

MSchapV2 for the authentication, EAP-PEAP. So i want to authenticate users in a domain(or not for test purpose).
I put IMC on the DC windows ( there is no more specifications on IMC UAM E0403 for the fonctional forest 2003 or 2008).

Some steps :

I enabled with/without domain on NAC and / delimiters parameters.
I can export LDAP users to UAM
UAM EAP ROOT and SERV generated from AD CS
I can join Microsoft Client to a domain.

Topology :

ActiveDirectory-----IMC----NAC(A5120EI)-------EndUser(Linux-Windows-Mac)

• iMC PLAT 7.2 (E0403)
• IMC UAM 7.2 (E0403)
• Windows Server 2012 Standard ( Active Directory)
• CentOS 6.7 & MySQL5.1

Problem :

My 802.1X is working on Linux, there is no disconnection on link state.
On windows 8 and MacOS10.11, the 802.1X is disconnected after 3-5 seconds and tried to reconnect (not stable).
But there are no logs in the IMC's GUI cause all clients can reach the network though 802.1X.

I share you interesting debugs/traces.
(The StartChapV2JServer_2016-01-20.log shown the exemple of default configuration...)

Thanks for your time.

Attachment(s)

UAMLOG.txt   703 B 1 version

log-StartChapV2JServer.txt   703 B 1 version

log-mschapv2.txt   703 B 1 version

Can you share some screenshots or description of the options set in your Access Service, Access Policy, and maybe your LDAP sync policy as well? 

Hello,

I shared all the process.

The authentification still works for users, the NAC tells me the user of the domain is ok.
But I still have this issue on Windows and Mac.
I submit domain/user + password. the switch said ok, i have my dhcp pushed over 802.1x  and I can access to all the network, after 3-5 secondes Windows Network Manager change the message : Active Connection to Authentication attempt.

( I did not put more informations on the switch, i just pushed the AAA through the Access Device Management)

Can it be a certificate problem  ?

Thank you.

Reviewing your png's looks like you are using 7.2? I'm not there yet, looks like there are a few changes.

If you have used your AD's certs for root and server these should be good. Remember that these do not auto renew, so manually renew before they expire.

In 802.1x config on client make sure the client has the root cert checked as trusted CA OR uncheck the validate server certificate. If validate is checked and no cert = fail

I notice your max Bound & Online endpoints is set to 0 - that may NOT be unlimited, so try setting these at a value. I've posted my service and access policy settings from 7.1

Your LDAP settings look good.

On switch I did set other params for ports but the basic deploy should work. I'm using both MAC and 802 so I have service policy/service for each

Hello,

Thanks for your time.

I found my problem with Windows and Mac Machines.

On linux, the dot1x is stable.
But for Windows users i need  undo dot1x handshake  on my HP switch. Windows cant' handle connection more than 2 minutes. The message Media State still display Attempt if you do not put  undo dot1x handshake on the specific port.

Now, it works great GPO+802.1X+DC.