(RADIATOR) dot1x auth problems on HP switch
Hugh Irvine
hugh at open.com.au
Fri Apr 25 16:59:11 CDT 2008
Hello Alex -
I suspect incorrect shared secrets.
regards
Hugh
On 25 Apr 2008, at 21:34, Alex Sharaz wrote:
> As an update,
> Just pointed the switch at a Radiator-4.1 server and the
> Access-Request shown below worked in that Radiator rejected the request
> because we don’t allow hostbased authentication.
>
>
> Alex
>
>
> On 4/25/08 11:56 AM, "Alex Sharaz" <A.Sharaz at hull.ac.uk> wrote:
>
>> Chaps,
>> We’ve implemented wired 802.1x auth in one of our RESNET sites
>> using HP 3400 switches. This has been running since Sept 2007
>> without a problem.
>> I’m now rolling out wired dot1x in one of our PC rooms (HP 2900
>> switch). Switch config wise there is no difference between the
>> 3400 and the 2900 boxes.
>>
>> The problem is that the 3400 always works and the 2900 is
>> generating the following in the Radiator logs:-
>>
>> Fri Apr 25 11:02:38 2008: DEBUG: Packet dump:
>> *** Received from 150.237.162.254 port 2440 ....
>> Code: Access-Request
>> Identifier: 18
>> Authentic: ]<163>!<25><130><191><185>R<245>]<240><9><232>l<132><143>
>> Attributes:
>> Framed-MTU = 1466
>> NAS-IP-Address = 150.237.162.254
>> NAS-Identifier = "CC_PC2_HP2900-48"
>> User-Name = "ccsas at hull.ac.uk"
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> NAS-Port = 30
>> NAS-Port-Type = Ethernet
>> NAS-Port-Id = "30"
>> Called-Station-Id = "00-1c-2e-11-4b-40"
>> Calling-Station-Id = "00-a0-d1-bc-29-de"
>> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
>> Tunnel-Type = 0:VLAN
>> Tunnel-Medium-Type = 0:802
>> Tunnel-Private-Group-ID = 1620
>> EAP-Message = <2><11><0><21><1>ccsas at hull.ac.uk
>> Message-Authenticator =
>> <244><176>q<184><226><241><240><25><246>#<143><225><199><210>M<254>
>>
>> Fri Apr 25 11:02:38 2008: WARNING: Bad EAP Message-Authenticator
>> Fri Apr 25 11:02:38 2008: WARNING: Bad authenticator in request
>> from 150.237.162.254 (150.237.162.254)
>>
>> Can’t see anything wrong. The only difference seems to be in the
>> Framed-MTU size
>>
>> An hp 3400 box generates this:-
>>
>> ri Apr 25 00:15:38 2008: DEBUG: Packet dump:
>> *** Received from 150.237.251.198 port 1024 ....
>> Code: Access-Request
>> Identifier: 114
>> Authentic: Z<182>&<237>.N<9>M6SU<173><177><194><220>u
>> Attributes:
>> Framed-MTU = 1480
>> NAS-IP-Address = 150.237.251.198
>> NAS-Identifier = "TC2-Brantingham_HP3400"
>> User-Name = "339804 at hull.ac.uk"
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> NAS-Port = 7
>> NAS-Port-Type = Ethernet
>> NAS-Port-Id = "7"
>> Called-Station-Id = "00-12-79-49-7c-c0"
>> Calling-Station-Id = "00-1b-24-48-65-60"
>> Connect-Info = "CONNECT Ethernet 10Mbps Full duplex"
>> Tunnel-Type = 0:VLAN
>> Tunnel-Medium-Type = 0:802
>> Tunnel-Private-Group-ID = 290
>> EAP-Message = <2>?<0><22><1>339804 at hull.ac.uk
>> Message-Authenticator =
>> En<180><241><248>6<232><178><225><154><242><160>K,<238><204>
>>
>> Anyone using radiator with HP 2900 switches?
>>
>> I’m running radiator 4.2 with patch file 1.915
>>
>> Alex
>> *********************************************************************
>> ********************
>> To view the terms under which this email is distributed, please go
>> to http://www.hull.ac.uk/legal/email_disclaimer.html
>> *********************************************************************
>> ********************
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.