Mac Authentication Bypass (MAB) on HP Procurve 2600

For my thesis I did a little research on Network Access Control and its possibilities. This research was focused on the environment of the company I work for, which means I included both Cisco and HP switches in my research. After this research I built a test environment to test the authentication mechanisms 802.1x, MAB and web authentication.

With Cisco everything worked flawlessly, but I also wanted a sort of MAB authentication on the HP switches; unfortunately HP doesn't speak MAB. So after some puzzling I found a workaround which is close enough to MAB.

Normally you can only use either 802.1x or MAC Authentication on an HP Procurve switch (2600). To work around this, HP included a feature called Client Based Network Authentication. This feature was originally created to make it possible to authenticate devices which are connected to a HUB on the switch port. Devices connected to the HUB may require different authentication mechanisms, so this feature allows MAC and 802.1x authentication on the same port. When we switch to Client Based Network Authentication and set the allowed clients to 1, it is possible to let the client choose which authentication is going to be used.

[image: schematic of Client Based Network Authentication with a virtual HUB on one switch port]

The figure above shows schematically how it works; the HUB is virtual and only used as an example. To make this work you only need to configure the client limit.

aaa port-access authenticator 1-48
aaa port-access authenticator 1 client-limit 1
aaa port-access authenticator 2 client-limit 1
aaa port-access authenticator 3 client-limit 1

aaa port-access authenticator active
aaa port-access mac-based 1-48
aaa port-access 1-48
vlan 31
name "MACAuth_Vlan"
tagged 49,50
exit


19 thoughts on “Mac Authentication Bypass (MAB) on HP Procurve 2600”

  1. Great, thanks, I saw your post on this.
    I am working on this in a lab environment with Cisco 3750+NPS+AD/DC/DHCP+CA; at present I encounter a problem when I try to fulfil 802.1x+MAB+NPS.
    Would you please share how to configure NPS to achieve the MAB function.
    Thanks!
    –Scott

  2. @Scott
    Hi Scott,
    Can you make your question a bit more concrete?
    If you want to use MAB + Cisco + NPS(AD), you first need to create AD accounts which match the MAC address (username AND password). Make sure the accounts aren’t a member of “Domain users”; give them a separate group instead. In NPS you create a rule which allows access to “users” in this group.
    If MAB is enabled on the Cisco, it will (in the most common setup) try 802.1x; if this fails, the switch sends the MAC address as user/pass to the NPS server. This will check if the MAC is a member of the allowed group and, if it is, it will respond with “Access granted”.

    Hopefully this is of any help; if you have further questions, don’t hesitate to contact me.

    Grtz,
    Rob

  3. Hi Rob,
    Thanks for your reply. What I have tested is:
    1. At the Windows 2008 R2 server side
    Created the OU and User Group, registered the user, and used the MAC address (002622C995FA) as the user name and password. At this stage I use the fine-grained password function in Windows 2008 R2 AD, so I can achieve a simple password policy.
    2. At the NPS server side
    I created the connection request policy and network policy, which assign wired connection.
    3. At the Cisco switch
    I enabled the 802.1x and MAB functions.
    At present, 802.1x works fine to authenticate either domain users or computers, but when I try to let NPS authenticate the MAC address, like a network printer, I always get the error: Network Policy Server denied access to a user, and the reason code is 65 or 66 in the NPS log. It seems that NPS can’t authenticate the MAC address user with the PAP type.

    So would you please advise more on NPS setting?
    Thanks a lot!

    –Scott

  4. Hi Rob,

    Thanks a lot! I am sorry, I have 7 days of holiday; after that I will go on testing it.
    Any progress I will let you know in time.

    —Scott

  5. @Rob

    Hi ROB,

    I went through your post. I am new in the HP switch world. I need to implement dot1x authentication in our network. We have HP ProCurve 2610 PoE switches.

    We have 1 VoIP VLAN which I statically mapped on the ports. We need to assign the specific data VLAN dynamically to specific users while they authenticate through NPS. Can you help me on this with sample configurations?

    One more thing: I don’t want VoIP communication to be authenticated, meaning no authentication on the VoIP VLAN, because our IP phones are not capable of dot1x authentication.

    Waiting for your favorable reply

    MMB

  6. @Mujtaba Bashir
    Hi Mujtaba,

    It seems you’re on the right way.
    If you enable both MAC & Dot1X authentication as shown in the post above, you can authenticate the IP phones through their MAC address and they will stick in the default VLAN which you already assigned to the ports.
    In the NPS rule for Dot1x authentication you need to add 3 extra parameters which will switch the VLAN for the user; these are:
    – Tunnel-Medium-Type -> 802 (includes all 802 media plus Ethernet canonical format)
    – Tunnel-Pvt-Group-ID -> xx
    – Tunnel-Type -> Virtual LANs (VLAN)

    Change xx to the appropriate vlan id.

    Don’t forget to add the MAC addresses to the AD, so the NPS can perform MAC authentication. (It is wise to delete these MAC address accounts from the domain users group.)

    Please let me know if this is of any help to you and don’t hesitate to contact me again!
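The MAC-as-username accounts that comments 2 and 6 describe can be provisioned consistently with a script. This is an added example, not code from the post or its commenters; the OU, group name, MAC normalisation and the use of a fine-grained password policy on the group are assumptions, and the username format must match what your switch actually sends as User-Name (check an NPS event first).

```powershell
# Added example: create per-MAC AD accounts for MAB in a dedicated OU/group,
# then move them out of "Domain Users" so the NPS rule is the only thing
# that grants them anything. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$MabOU    = 'OU=MAB-Devices,DC=example,DC=local'   # assumed OU for these accounts
$MabGroup = 'MAB-Devices'                          # assumed group matched by the NPS network policy
$Macs     = @('00:26:22:C9:95:FA', '00-11-22-AA-BB-CC')  # constructed sample input

function ConvertTo-MabUsername {
    # Normalise any common MAC notation to 12 lowercase hex characters.
    # Assumption: this is the format the switch sends; adjust if yours differs.
    param([Parameter(Mandatory)][string]$Mac)
    $clean = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($clean.Length -ne 12) { throw "Not a MAC address: $Mac" }
    return $clean
}

function New-MabAccount {
    param([Parameter(Mandatory)][string]$Mac)
    $user = ConvertTo-MabUsername $Mac
    if (Get-ADUser -Filter "sAMAccountName -eq '$user'") {
        Write-Verbose "$user already exists, skipping"
        return
    }
    # Username and password are both the MAC, because that is what the switch sends.
    # A fine-grained password policy on $MabGroup is needed if the default
    # domain policy rejects a 12-character hex password (see comment 3).
    $pw = ConvertTo-SecureString $user -AsPlainText -Force
    New-ADUser -Name $user -SamAccountName $user -Path $MabOU `
        -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description "MAB account for $Mac"
    Add-ADGroupMember -Identity $MabGroup -Members $user

    # "Domain Users" is the primary group and cannot be removed directly:
    # make the MAB group primary first, then drop Domain Users membership.
    $grp = Get-ADGroup -Identity $MabGroup -Properties primaryGroupToken
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $grp.primaryGroupToken }
    Remove-ADGroupMember -Identity 'Domain Users' -Members $user -Confirm:$false
}

foreach ($m in $Macs) { New-MabAccount -Mac $m }
```

Accounts created this way are only as strong as a MAC address, so the group they land in should carry no rights beyond the VLAN the NPS policy assigns.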

  7. @BlackBurn
    Hi BlackBurn,
    Thanks for your kind and informative reply. As I already mentioned, I am new in the NPS and HP world. So please guide me on the NPS configuration also.

    –MMB

  8. @Mujtaba Bashir
    First of all you need to add the switch to the device list of NPS, so the RADIUS server will accept incoming requests from the device.

    Then you have three kinds of policies within NPS.
    Connection Request Policies -> I made a rule here which accepts all the requests with a specific NAS_Identifier.
    Network Policies -> Here I made the “dynamic” VLAN rules: if users are a member of a specific AD group then the VLAN is changed (or they only get a connection), see my previous reply. Be aware that these rules are handled from top to bottom, and when it hits a rule it will stop.
    The last policy group is health policies; for the above example you don’t have to make any policies in here.

    If you use Server 2008 R2, the logging within the event viewer is pretty decent; in Server 2008 it is a bit hard to gain good logging.

  9. @BlackBurn
    Hi BlackBurn,
    I am getting stuck in a scenario which stopped our deployment.

    My IP phone is connected to an HP Procurve PoE 2610 and my laptop is connected to the IP phone (HP Procurve Switch -> IP Phone -> Laptop). In this scenario dot1x authentication is not working/successful. I am attaching my switch configuration here; please go through it and suggest how I can achieve it. VLAN 25 is the Voice VLAN.

    The IP phone is not capable of dot1x authentication.

    vlan 1
    name "DEFAULT_VLAN"
    untagged 1-28
    ip address 10.10.10.10 255.255.255.0
    exit
    vlan 25
    name "VLAN25"
    tagged 1-10
    voice
    exit
    vlan 2
    name "test"
    exit
    vlan 3
    name "VLAN3"
    exit
    aaa authentication port-access eap-radius
    radius-server host 1.1.1.1 key 1234567890
    aaa port-access authenticator 1-3
    aaa port-access authenticator 1 client-limit 2
    aaa port-access authenticator 2 client-limit 2
    aaa port-access authenticator 3 client-limit 2
    aaa port-access authenticator active
    aaa port-access mac-based 1-3
    aaa port-access 1-3
    spanning-tree

  10. Hi MMB

    I have the same problem you posted. My IP phone is a Mitel and the switch is an HP Procurve 2610.
    I can’t validate the MAC address. My configuration on the switch is the same as you posted. I think the problem is on NPS; did you resolve the problem? Would you help me, please?
    Thank you

  11. Hi BlackBurn

    As I posted, we have the same problem MMB wrote about. Reading the indications you gave MMB, I don’t understand how to configure NPS (in detail). I need the help, please.

  12. @VLZ
    You said you think the problem is on the NPS. In this case the first step I would take is to look at your NPS server security log (event viewer) and check if you see any messages about devices trying to authenticate.

    If you don’t see these logs, the switch probably isn’t communicating with the NPS server; otherwise you can see in the log why the authentication or authorization has failed.

    Edit: Little note, if I’m correct the logging in Windows 2008 is turned off by default. In 2008 R2 the logging is on.
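The log check suggested in the comment above can be scripted. This is an added example, not from the post or its commenters; it assumes NPS audit events 6272 (access granted) and 6273 (access denied) in the Security log, as on Server 2008 R2 and later, and the event data field names are taken from the event XML and should be verified on your server.

```powershell
# Added example: pull NPS accept/reject audit events and summarise rejects
# by reason code and authentication type, so a MAB account failing on
# PAP (comment 3) or a CHAP mismatch (comment 13) shows up immediately.
# If nothing comes back, NPS auditing may be off (comment 12); it is enabled
# with: auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
function Get-NpsAuthEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> nodes into a hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Result     = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
                User       = $d['SubjectUserName']       # MAC for MAB, account for 802.1x
                CallingMac = $d['CallingStationID']      # MAC as the switch reported it
                Nas        = $d['NASIdentifier']         # which switch sent the request
                ConnPolicy = $d['ProxyPolicyName']
                NetPolicy  = $d['NetworkPolicyName']
                AuthType   = $d['AuthenticationType']    # PAP, CHAP, EAP ...
                ReasonCode = $d['ReasonCode']
                Reason     = $d['Reason']
            }
        }
}

function Get-NpsDenySummary {
    # Count denials per (reason code, auth type) with one example MAC each.
    param([int]$Hours = 24)
    Get-NpsAuthEvents -Hours $Hours |
        Where-Object Result -eq 'Denied' |
        Group-Object ReasonCode, AuthType |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'ExampleMac'; e = { $_.Group[0].CallingMac } },
                      @{ n = 'Reason'; e = { $_.Group[0].Reason } }
}

Get-NpsDenySummary -Hours 24 | Format-Table -AutoSize -Wrap
```

Comparing the User and CallingMac columns also shows whether the switch sends the MAC in the same format as the AD account name, which is the first thing to check when every MAB attempt is denied.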

  13. Thank you for the contact.

    Well, the HP switch 2610 is connected to NPS; as you said, in the Event Viewer there are the events and in the NPS logs there are the event strings too. In the Event Viewer events the calling station identification is indicated with the MAC address of both the PC or IP phone and the switch; the indication is this:
    ***********************************************************************
    (I translate from Italian) Impossible to authenticate using CHAP. The password with reversible encryption doesn’t exist for this user account. You must make sure the policy is enabled on the domain controller or for the user account password.
    ***********************************************************************

    I think the problem is on the GPO, but although I want to take control of users by username/password, for now I want to take control using the MAC address, according to the configuration of the switch and the string aaa port-access mac-based.

    Any help, please. THANK YOU

  14. Hi BlackBurn

    I resolved the problem with CHAP, but now when I post the username/password on the client the NPS sends me “The supplied message is incomplete. The signature was not verified.”
    Any help?

  15. There is something I don’t understand in this post: I don’t see that 802.1x is activated anywhere. To get BOTH mac and 802.1x authentication on one port, I’d expect to also see lines like:

    # aaa authentication port-access eap-radius
    # aaa port-access authenticator 1-48

    They are not in your CLI sample.

    Are you expecting 802.1x to be configured beforehand, and are your CLI lines to be added afterwards?

    I’m trying to put your config on a ProCurve 5400; I guess it should be able to do this as well?

  16. Hi Rob,

    Any suggestion on the following problem:
    A USB laptop dock with its own MAC address connected through a Mitel IP phone to a ProCurve switch.
    We use RADIUS authentication with a certificate to allow the PC to connect when using the dock. Up to now no problem.

    After a known laptop is connected to the LAN, we disconnect the USB dock and connect it to an unknown laptop within 5 minutes.
    The second laptop is now connected to the LAN without a certificate.

    The Mitel phone keeps the port open on the switch so no reauthentication is done. If we connect the dock without a Mitel phone the port is closed, so it needs to reauthenticate.
    Setting a reauthentication timeout on RADIUS is a workaround for it but it is not a solution for this. Am I missing a setting on the ProCurve or is this the only option?

    • Unfortunately I have no access to ProCurve switches anymore and therefore it is hard to help. Although I think reauthentication is the best way to go here, since the phone will otherwise keep the connection open. Another option is doing something with user-id on the server side, although it means devices will have LAN connectivity.
