HP
From FreeRADIUS Wiki
NAS Behaviour - 2524 / 2510 / 2600 / 5300 series
802.1x Port Authentication (EAP)
When a supplicant connects to an 802.1X-enabled port, the switch first blocks all non-802.1X traffic on that port; if an unauthorised VLAN is configured (unauth-vid), it instead moves the port into that VLAN. The switch then sends an EAPOL client identification request (EAP-Request/Identity). If the supplicant is 802.1X capable it answers with an EAP-Response/Identity carrying the authenticating user's identity. If the supplicant is not 802.1X capable, the port stays in the unauthorised VLAN, or remains blocked.
The switch wraps the EAP Identity Response in an EAP-Message attribute, adds attributes describing the port the supplicant connected to and the characteristics of the NAS itself, and sends the result to the RADIUS server as an Access-Request.
Example:
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "hp-e-its-dev8021x-sw1"
User-Name = "user"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 2
NAS-Port-Type = Ethernet
NAS-Port-Id = "2"
Called-Station-Id = "00-14-38-fb-94-3e"
Calling-Station-Id = "00-18-8b-1f-ea-c3"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "700"
EAP-Message = 0x0201000a016163323231
Message-Authenticator = 0x5128a826dfedf51040215eb6fef398df
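The request above rebuilt as a RADIUS packet. This is an added example, not part of the original page and not switch or FreeRADIUS code: it encodes a subset of the attributes listed, computes and verifies the Message-Authenticator that RFC 3579 requires on every Access-Request carrying EAP-Message, and decodes the EAP-Message. The shared secret, packet identifier and Request Authenticator are constructed values. Decoding the page's own EAP-Message (0x0201000a016163323231) yields the identity "ac221" while User-Name is "user"; RFC 3579 has the NAS copy the EAP identity into User-Name, so the two agree in a real capture and the dump above was evidently sanitised inconsistently.

```python
"""Build and check the Access-Request a ProCurve switch sends for an EAP Identity
Response. Added example, not switch or FreeRADIUS code; the secret, packet ID
and Request Authenticator used below are constructed values."""
import hashlib
import hmac
import socket
import struct

# Attribute numbers and wire encodings used here (RFC 2865, RFC 2869).
ATTRS = {
    "User-Name": (1, "string"),
    "NAS-IP-Address": (4, "ipaddr"),
    "NAS-Port": (5, "integer"),
    "Service-Type": (6, "integer"),
    "Framed-MTU": (12, "integer"),
    "Calling-Station-Id": (31, "string"),
    "NAS-Identifier": (32, "string"),
    "NAS-Port-Type": (61, "integer"),
    "EAP-Message": (79, "octets"),
    "Message-Authenticator": (80, "octets"),
}
ACCESS_REQUEST = 1
MA_PLACEHOLDER = b"\x00" * 16

# Values taken from the dump above (NAS-Port-Type Ethernet = 15).
PAGE_REQUEST = [
    ("Framed-MTU", 1480),
    ("NAS-IP-Address", "192.168.0.1"),
    ("NAS-Identifier", "hp-e-its-dev8021x-sw1"),
    ("User-Name", "user"),
    ("NAS-Port", 2),
    ("NAS-Port-Type", 15),
    ("Calling-Station-Id", "00-18-8b-1f-ea-c3"),
    ("EAP-Message", bytes.fromhex("0201000a016163323231")),
]


def encode_avp(name, value):
    """One attribute: Type, Length (header included), Value (RFC 2865 5)."""
    number, kind = ATTRS[name]
    if kind == "integer":
        data = struct.pack("!I", value)
    elif kind == "ipaddr":
        data = socket.inet_aton(value)
    elif kind == "string":
        data = value.encode()
    else:
        data = bytes(value)
    if len(data) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", number, len(data) + 2) + data


def build_access_request(secret, ident, request_authenticator, attrs):
    """Serialise an Access-Request with a valid Message-Authenticator.

    The HMAC-MD5 is keyed with the shared secret and taken over the whole
    packet with the Message-Authenticator value zeroed (RFC 3579 3.2).
    """
    body = b"".join(encode_avp(n, v) for n, v in attrs)
    body += encode_avp("Message-Authenticator", MA_PLACEHOLDER)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the final 16 octets


def verify_message_authenticator(secret, packet):
    """Server side: locate the attribute, zero it, recompute, compare.

    Returns False when it is absent: without it anyone able to reach the
    RADIUS port could forge the EAP payload of a request.
    """
    pos = 20
    while pos + 2 <= len(packet):
        number, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if number == 80 and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + MA_PLACEHOLDER + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False


def eap_identity(eap_message):
    """Return the identity carried by an EAP-Response/Identity (Code 2, Type 1)."""
    if len(eap_message) < 5:
        raise ValueError("EAP message too short")
    code, _ident, length = struct.unpack("!BBH", eap_message[:4])
    if code != 2 or length != len(eap_message) or eap_message[4] != 1:
        raise ValueError("not a well-formed EAP-Response/Identity")
    return eap_message[5:length].decode()


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed
    req_auth = bytes(range(16))         # constructed; random in a real NAS
    pkt = build_access_request(secret, 7, req_auth, PAGE_REQUEST)
    print(len(pkt), verify_message_authenticator(secret, pkt))
    print(eap_identity(bytes.fromhex("0201000a016163323231")))
```

The verifier refuses a request with no Message-Authenticator at all, which is the behaviour a server should have for EAP requests; a server that silently accepts such requests lets an on-path attacker substitute the EAP-Message.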
Standard EAP authentication then takes place, with the switch relaying EAP-Message attributes between the supplicant and the server in Access-Challenge / Access-Request exchanges, until the RADIUS server issues either an Access-Accept or an Access-Reject.
On Access-Reject, the switch either moves the port to the unauthorised VLAN or blocks access on that port.
On Access-Accept, the switch reads the packet and configures the port's VLAN membership from the following attributes:
- Tunnel-Type → type of tunnel; the switch expects VLAN (13).
- Tunnel-Medium-Type → medium; the switch expects IEEE-802 (6).
- Tunnel-Private-Group-ID → VLAN ID; the switch expects any configured (or, if GVRP is in use, learned) VLAN.
If the specified group ID matches a VLAN configured on the switch, the switch changes the VLAN membership of the port the supplicant is connected to for the length of the session. On session termination, the port's VLAN membership reverts to its statically assigned VLAN.
If the specified group ID does not match a configured or learned VLAN, authentication fails.
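The decision the switch makes on the Access-Accept, as an added example that models the rule described above (it is not ProCurve firmware). It decodes the RFC 2868 tagged Tunnel attributes, including the rule that a first octet above 0x1F is part of the string rather than a tag, and returns the VLAN to apply, or None where the switch would fail the authentication. It also shows how the server side encodes the three attributes for a chosen VLAN. The set of configured VLANs is constructed.

```python
"""Switch-side handling of the VLAN attributes in an Access-Accept (added example,
not ProCurve firmware). Reply attributes are given as (attribute number, raw
value octets) pairs exactly as they sit on the wire, so the RFC 2868 tag
handling is visible."""
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VLAN = 13       # Tunnel-Type value the switch expects
IEEE_802 = 6    # Tunnel-Medium-Type value the switch expects


def encode_vlan_reply(vlan_id, tag=0):
    """Server side: the three attributes the switch reads, RFC 2868 encoded.

    Tagged integers are one tag octet plus a 3-octet value; tagged strings are
    one tag octet plus the string. Tag 0 is what the FreeRADIUS ':0' notation
    in the dump above sends.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..0x1F")
    return [
        (TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ]


def decode_tagged_integer(data):
    """RFC 2868 3.1/3.2: one tag octet, then a 3-octet big-endian value."""
    if len(data) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return data[0], int.from_bytes(data[1:], "big")


def decode_tagged_string(data):
    """RFC 2868 3.6: a first octet above 0x1F belongs to the string, not a tag."""
    if not data:
        raise ValueError("empty tagged string")
    if data[0] > 0x1F:
        return 0, data.decode()
    return data[0], data[1:].decode()


def select_vlan(reply_attrs, configured_vlans):
    """Return the VLAN ID the port should join, or None if authentication fails.

    All three attributes must be present under one tag with the expected type
    and medium, and the group ID must be a VLAN the switch has configured (or
    learned via GVRP); anything else fails, as described above.
    """
    groups = {}
    for number, data in reply_attrs:
        if number in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = decode_tagged_integer(data)
        elif number == TUNNEL_PRIVATE_GROUP_ID:
            tag, value = decode_tagged_string(data)
        else:
            continue  # unrelated reply attribute
        groups.setdefault(tag, {})[number] = value
    for attrs in groups.values():
        if attrs.get(TUNNEL_TYPE) != VLAN or attrs.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
            continue
        group_id = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
        if group_id is None or not group_id.isdigit():
            continue
        vlan_id = int(group_id)
        if vlan_id in configured_vlans:
            return vlan_id
    return None


if __name__ == "__main__":
    configured = {1, 10, 700}  # constructed: VLANs present on the switch
    print(select_vlan(encode_vlan_reply(700), configured))  # 700
    print(select_vlan(encode_vlan_reply(999), configured))  # None, not configured
```

A Tunnel-Private-Group-ID sent without a tag octet (the string "700" on its own) still pairs with tag-0 Tunnel-Type and Tunnel-Medium-Type, because its first octet is above 0x1F; a reply whose medium is anything but IEEE-802, or whose VLAN is not on the switch, leaves the port unauthenticated.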
Administrative Interface Authentication
On most HP ProCurve switches there are two levels of authorised access, 'Operator' access and 'Manager' access.
- Operator access allows the user to view most of the vital stats of the switch, but will not allow them to make any potentially dangerous changes.
- Manager access allows full access to the switch.
When a user attempts to log in, the switch sends an Access-Request containing the username as User-Name, the password as User-Password, and the desired Service-Type. User-Password is not encrypted in any strong sense: it is hidden with the RFC 2865 scheme, which XORs each 16-octet block of the password with MD5(shared secret || Request Authenticator), chaining the previous ciphertext block into the hash for later blocks. Anyone who holds the shared secret, or can guess a weak one offline from a captured request, recovers the password directly, so RADIUS traffic for management logins belongs on a protected management network with a long random shared secret. These switches support only PAP for authentication on the management interfaces, so there is no alternative to sending the password this way.
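The User-Password hiding just described, as an added example (not switch or FreeRADIUS code) that runs both directions and then shows the offline guess against a captured value. The shared secret, Request Authenticator and password are constructed.

```python
"""RFC 2865 5.2 User-Password hiding, as the switch applies it for PAP logins.

Added example, not switch or FreeRADIUS code. The shared secret, Request
Authenticator and password used in the tests are constructed values.
"""
import hashlib


def hide_password(secret, request_authenticator, password):
    """NAS side: pad to a multiple of 16, XOR each block with an MD5 keystream.

    b1 = MD5(S + RA), c1 = p1 XOR b1; b(n) = MD5(S + c(n-1)), c(n) = p(n) XOR b(n).
    """
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(secret, request_authenticator, hidden):
    """Server side, or anyone holding the secret: the same keystream, reversed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(clear).rstrip(b"\x00")


def guess_secret(request_authenticator, hidden, candidates):
    """Offline attack on one captured Access-Request: try candidate secrets and
    keep the one that yields printable text whose re-hiding reproduces the
    capture (i.e. the padding really was NULs). A short or dictionary shared
    secret therefore gives the password no real protection."""
    for candidate in candidates:
        clear = reveal_password(candidate, request_authenticator, hidden)
        if not clear or not all(0x20 <= b < 0x7F for b in clear):
            continue
        if hide_password(candidate, request_authenticator, clear) == hidden:
            return candidate, clear.decode()
    return None
```

The re-hide check in guess_secret is what makes the guess reliable: the XOR is a bijection, so a wrong secret produces random bytes that almost never re-encode to the captured value.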
Example (Operator):
User-Name = "user"
User-Password = "passphrase"
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "hp-e-its-dev8021x-sw1"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
Example (Manager):
User-Name = "user"
User-Password = "passphrase"
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "hp-e-its-dev8021x-sw1"
NAS-Port-Type = Virtual
Service-Type = Administrative-User
Typically the requested Service-Type is NAS-Prompt-User. If the user drops out of the administrative session (demoting themselves to operator level) and then tries to escalate to manager again, or logs in as an operator and tries to escalate to manager, the switch sends Administrative-User as the requested Service-Type.
The RADIUS server then authenticates the user and responds with an Access-Accept or an Access-Reject. For the login to succeed, the Access-Accept must also carry a Service-Type attribute corresponding to the privilege level being granted:
- Operator → 7 → NAS-Prompt-User → the user gets a command prompt on the NAS from which non-privileged commands can be executed.
- Manager → 6 → Administrative-User → the user gets the administrative interface of the NAS from which privileged commands can be executed.
- No access → send an Access-Reject, or omit Service-Type from the Access-Accept; either denies the login.
This works only when the switch is configured with "aaa authentication login privilege-mode" (the privilege-mode feature is not available on the 2524 series).
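A reply policy for the management login exchange above, as an added example (not FreeRADIUS unlang and not the switch's code). It assumes a constructed user-to-role table and the interpretation that a manager is always answered with Administrative-User so that privilege-mode lands them at manager level directly, while an operator asking for Administrative-User is an escalation attempt and is rejected.

```python
"""Reply policy for ProCurve management logins (added example, not FreeRADIUS
unlang). ROLES is a constructed directory."""
NAS_PROMPT_USER = 7        # Operator
ADMINISTRATIVE_USER = 6    # Manager

# Constructed: which users may reach which level.
ROLES = {"alice": "manager", "bob": "operator"}


def management_reply(user, requested_service_type, roles=ROLES):
    """Return ('Access-Accept', service_type) or ('Access-Reject', None).

    The switch asks for NAS-Prompt-User on a fresh login and for
    Administrative-User when the user tries to escalate to manager. The reply
    states the level actually granted: managers get Administrative-User,
    operators get NAS-Prompt-User, and an operator requesting
    Administrative-User is refused rather than silently downgraded.
    """
    role = roles.get(user)
    if role is None or requested_service_type not in (NAS_PROMPT_USER, ADMINISTRATIVE_USER):
        return ("Access-Reject", None)   # unknown user, or a Service-Type we did not expect
    if role == "manager":
        return ("Access-Accept", ADMINISTRATIVE_USER)
    if requested_service_type == ADMINISTRATIVE_USER:
        return ("Access-Reject", None)   # operator attempting to escalate
    return ("Access-Accept", NAS_PROMPT_USER)


if __name__ == "__main__":
    for user, svc in (("alice", NAS_PROMPT_USER), ("bob", NAS_PROMPT_USER), ("bob", ADMINISTRATIVE_USER)):
        print(user, svc, management_reply(user, svc))
```

Rejecting an unexpected Service-Type outright, rather than defaulting to operator, keeps a malformed or spoofed request from ever producing a prompt.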
Configuration - 2524 / 2510 / 2600 / 5300 series
You must have manager access on the target switch and have entered configuration mode to run the following commands.
Add servers
radius-server host <Server ip 1> auth-port 1812 acct-port 1813
radius-server host <Server ip 2> auth-port 1812 acct-port 1813
Set Server Parameters
radius-server key <Unique Key>
Enable RADIUS Authentication on administrative interfaces
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication login privilege-mode
Enable RADIUS Authentication on selected ports
aaa authentication port-access eap-radius
aaa port-access authenticator <Port range>
aaa port-access authenticator <Port range> control auto
aaa port-access authenticator <Port range> unauth-vid <Unauth VID>
aaa port-access authenticator active
Enable MAC Based RADIUS Authentication on selected ports
aaa port-access mac-based <Port range>
aaa port-access mac-based <Port range> unauth-vid <Unauth VID>
Enable Accounting
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
aaa accounting update periodic 15
Configuration - WAP 530
You must have manager access on the target ap and have entered configuration mode to run the following commands.
Create WPA/WPA2 TKIP/AES 802.1x Authenticated WLAN
radio 1
wlan <wlan_index>
ssid <desired_ssid>
description "802.1x auth wpa/wpa2 tkip BSSID."
security wpa-8021x
wpa-allowed
wpa-cipher-aes
wpa-cipher-tkip
wpa2-allowed
rsn-preauthentication
radius primary key <shared_secret>
radius primary ip <radius_server_ip1>
radius primary port 1812
radius secondary key <shared_secret>
radius secondary ip <radius_server_ip2>
radius secondary port 1812
radius-accounting primary key <shared_secret>
radius-accounting primary ip <radius_server_ip1>
radius-accounting primary port 1813
radius-accounting secondary key <shared_secret>
radius-accounting secondary ip <radius_server_ip2>
radius-accounting secondary port 1813
enable
exit
exit
TKIP is enabled here only for legacy clients; it is a deprecated cipher, so where the client population allows it, leave the TKIP cipher out and run the BSSID with AES (CCMP) only.
Known Issues
HP 2600 Series and other parallel switch series
Issues in F/W Revision H.10.50
- When MAC-based and EAP-based authentication are both enabled on a port, and the supplicant is first authenticated by MAC address and then attempts authentication via EAP, the switch ignores any Access-Accept sent by the RADIUS server and instead formulates its own EAP-Failure packet and sends it to the supplicant.
- If a Reply-Message attribute is included in the RADIUS Access-Accept, the switch encapsulates it in an EAP-Notification message and sends it *after* the EAP-Success. This causes some supplicants (notably wpa_supplicant) to re-authenticate periodically. On this firmware, keep Reply-Message out of Access-Accepts sent to 802.1X ports.
HP 530 Wireless Access points
Issues in F/W Revision 1.19 / 1.24
- User-Name handling in Accounting-Request packets, while not technically incorrect, is wrong in the context of user management. RFC 2865 states of User-Name (IETF attribute 1): 'It MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all Accounting-Request packets for this session.' The access point does *not* use the User-Name returned in the Access-Accept in its subsequent Accounting-Requests, which makes the accounting records close to useless for quota management and for accounting in general.
- Fixed in WA 2.10
- VLANs assigned statically to a BSSID cannot then be assigned dynamically on an 802.1X-authenticated BSSID. If one is assigned, no traffic is sent onto the assigned VLAN and the station is effectively isolated from the network.
- Appears fixed in WA 2.10
- Switching BSSIDs (transient fault): if a user authenticates successfully to one BSSID and then re-authenticates to another, no Accounting-Stop is generated for the original session. When the user later disassociates from the access point, an Accounting-Stop is sent for the original session ID but not for the new one. The fault is transient; it can be reproduced, it just takes a while.
- Appears fixed in WA 2.10
- Reporting of data transferred (via RADIUS accounting) is random; most wireless stations have no data transfer logged against their session.
- Appears fixed in WA 2.10
- With RADIUS-authenticated BSSIDs, if both RADIUS servers are configured in the web GUI and the 'fail over to local' option is ticked, then after the access point restarts it sends all authentication and accounting requests to the defined RADIUS servers with IETF attribute 4 (NAS-IP-Address) set to 127.0.0.1. Any server policy keyed on NAS-IP-Address rather than on the packet's source address will misidentify these access points until the firmware is updated.
- Fixed in WA 2.10
Issues in F/W Revision 2.10
- Access points may fail to register Accounting-Response packets from the RADIUS server and reply to them with an ICMP port-unreachable message. With many access points under heavy load, this has the potential to overwhelm accounting servers and databases. Not fixed in WA 2.15.
- Access points may not respect VLAN assignment when performing MAC-based authentication.
- Users may experience crashes and other seemingly random issues when running a configuration built on F/W 1.* under F/W 2.10. It is probably a good idea to rebuild the configuration manually on an AP running 2.10.
Windows Vista (With wired infrastructure switches)
- With firmware H.10.45 and earlier, the switch does not initialise the port-access authenticator correctly when equipment running Windows Vista is connected: instead of moving the port to the unauthorised VLAN, the port remains blocked.
- The workaround is to set the 802.1X client-limit on the port to 2 or more.