  • 1.  Procurve Edge Configuration - 802.1X

    Posted Apr 11, 2009 04:51 AM
    Hello everyone,

    we're evaluating migration to 802.1X port access.

    Authentication with supplicants and RADIUS host on same/CORE-switch works. So far so good..

    When using an EDGE-switch (not directly connected to RADIUS host; also usually configured for RADIUS-host), the RADIUS-communication is incomplete:
    Access request (switch) -> Access challenge (RADIUS) -> Access Request#2 (switch) -> Fragmented IP Protocol (RADIUS)

    Tried different configuration-settings and manual-hints now, without success. I'm stuck.

    Any ideas?

    Best regards


  • 2.  RE: Procurve Edge Configuration - 802.1X

    Posted Apr 11, 2009 09:19 AM
    each switch port able 32 client 802.1x authentication so each 24 port switch (non-802.1x configuration) must connect to core switch
    possible one radius client(authenticator)with core switch

    but*******unadvisable this configuration method
    because
    network authentication and authorization process must be proximate switch point (edge switch) when I make 802.1x config usually use for authenticator edge switch petty edge switch because all end user must connect on edge switch core switch usually for server and other switch connection
    my advice you can make traditional 802.1x configuration


  • 3.  RE: Procurve Edge Configuration - 802.1X

    Posted Apr 11, 2009 09:22 AM


  • 4.  RE: Procurve Edge Configuration - 802.1X

    Posted Apr 12, 2009 05:35 AM
    Which switch model are your edge switches? Make sure your firmware is up to date. Also if you have jumbo frames enabled (2900 or 3500 maybe) try disabling it. I worked on an issue in the past with jumbo frames causing a similar issue and it has been resolved in the latest firmware releases.


  • 5.  RE: Procurve Edge Configuration - 802.1X

    Posted Apr 14, 2009 12:30 AM
    Thanks a lot for your ideas and experiences!

    I will try them asap, now after the holidays.

    Best regards


  • 6.  RE: Procurve Edge Configuration - 802.1X

    Posted Apr 14, 2009 02:19 AM
    By the way..we're using HP2848 or/and 3400cl as EDGE-Switches.


  • 7.  RE: Procurve Edge Configuration - 802.1X

    Posted Apr 14, 2009 06:16 AM
    Tried the vlan configuration posted with the same result -> interrupt in communication.

    I looked at the data that is sent with the Fragmented IP Protocol packet... seems like it contains the RADIUS certificate.

    Anyone got an idea why this RADIUS packet is invalid when sent to/over another switch?

    Thanks in advance!

    Config-example:

    interface 4
    no lacp
    exit
    aaa authentication port-access eap-radius
    radius-server host 192.168.1.x key x
    aaa port-access authenticator 4
    aaa port-access authenticator active

    Used: PEAP-MS-CHAP v2
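
Added example, not part of the original post or thread: a minimal Python check of why an Access-Challenge carrying certificate data appears as "Fragmented IP Protocol" in a capture. The packet bytes are constructed filler, and the 1500-byte MTU and 1700-byte EAP payload are assumptions.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_MESSAGE = 79          # attribute type that carries EAP data
IP_UDP_OVERHEAD = 20 + 8  # IPv4 header (no options) + UDP header


def sample_challenge(eap_len, ident=1):
    """Constructed Access-Challenge: eap_len filler bytes of EAP data, zeroed authenticator."""
    eap = bytes(eap_len)
    # One attribute holds at most 253 value bytes, so EAP data spans several.
    attrs = b"".join(bytes([EAP_MESSAGE, len(eap[i:i + 253]) + 2]) + eap[i:i + 253]
                     for i in range(0, eap_len, 253))
    return struct.pack("!BBH16s", 11, ident, 20 + len(attrs), bytes(16)) + attrs


def analyse(packet, mtu=1500):
    """Parse one RADIUS datagram and report whether it needs IP fragmentation."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS length field does not fit the datagram")
    eap_bytes, pos = 0, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        if a_type == EAP_MESSAGE:
            eap_bytes += a_len - 2
        pos += a_len
    ip_len = IP_UDP_OVERHEAD + length
    return {"code": RADIUS_CODES.get(code, str(code)), "eap_bytes": eap_bytes,
            "ip_datagram": ip_len, "fragmented": ip_len > mtu}


if __name__ == "__main__":
    for size in (6, 1700):  # small EAP request vs. a certificate-sized chunk
        print(analyse(sample_challenge(size)))
```

Any hop between the RADIUS server and the edge switch that drops or mishandles IP fragments loses the second datagram, which matches an exchange that stops right after the second Access-Request.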


  • 8.  RE: Procurve Edge Configuration - 802.1X

    Posted May 12, 2009 05:54 AM
    Dear Matt Hobbs,

    What is your new email address? Could you send me a test email to ray.ma7@gmail.com :)

    Thanks


  • 9.  RE: Procurve Edge Configuration - 802.1X

    Posted May 12, 2009 09:02 PM
    Not familiar with your software (Fragmented IP Protocol),

    but I need to point out something.
    1. Need the port for RADIUS authentication.

    for example.
    aaa authentication port-access chap-radius
    radius-server key 1234
    radius-server host 192.168.1.100 key 1234
    aaa port-access authenticator 12
    aaa port-access authenticator 12 control authorized
    aaa port-access authenticator active

    This uses the default RADIUS port. If your RADIUS server uses another port, please change it.

    Verify using the show radius command.
    Default UDP port is 1813; this can be changed using:
    radius-server host <IP address> acct-port <UDP>



    2. For EAP RADIUS, what type of EAP protocol do you want to use? For EAP-MD5 it should be OK.

    If you use EAP-PEAP or EAP-FAST or EAP-TTLS you need the CA certificate (root certificate) for all of them.

    That is what I understand. I used to configure Wi-Fi with EAP-TTLS, EAP-FAST, EAP-PEAP; on the switch side, I tested chap-radius and eap-radius (MD5-Challenge).


  • 10.  RE: Procurve Edge Configuration - 802.1X

    Posted May 12, 2009 09:13 PM
    Sorry, checked your message again. Looks like there is some 802.1x authentication through out issue.

    What about your edge switch? From your core switch you set up the RADIUS authentication, but not for your edge switch, right?

    From my experience, if I were you, I would set up the RADIUS authentication on the edge switch.

    And do we have a similar command like Cisco's

    ip radius source-interface Vlan2002 ?
    Have a try.