Comware

Hi,

I am trying to setup a 2650 switch to use mac-authentication to a radius server before allowing communication.

I have setup the switch and in the IAS logs I can see the authentication requests coming through.
They are all being rejected by IAS though.

I think my error is in setting up the authentication configuration in IAS.

Can someone give me any guides on how I can set it up? Has anyone done it before?

Thanks

Have a look through this thread.. .

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1110115

Thanks heaps!

It's working now!

I've run into a different issue now.

My understanding is that the switch sends the following information to the radius server

username: mac address
password: mac address

The issue is that I'm authenticating this against Active Direcotyr by using IAS. In our domain we have the password complexitiy group policy set. Hence we are unable to setup users in AD with the username and password being the same.

Is there a way we can configure the switch to send a different password to the radius for authentication?

Or alteratively if there is another way around this solution. We didn't want to go down the certificate path as yet as we are pushed for time.

Nikil

Did you have any luck with working thru this?

We have the same issue, we are using 802.1x for devices that support it, then falling back to mac address authentication for other devices (that have tighter controls via ACL's)

Cheers
David

Hi, I had to disable the "Password must meet complexity requirements" policy in "Domain Security Policy" and "Domain Controller Security Policy" to achieve MAC authentication.

Yeh, tested it like that, but is not an option - need to have the password complexity enabled for standard users.

Other devices allow you to use the radius secret as the device password when authenticating to the radius server, ideally this would be great!

Cheers
David

Hi David,

I did manage to get it working. I used a software package from specops software which allows multiple password policies for a single domain. This allowed me to leave the password complexity requirements policy for user accounts and then i created another policy for mac address accounts.

I recall reading a document somewhere which also said the switch can authenticate on behalf of the end device using the radius key but I never tried it.