Configuring Dynamic VLAN assignment on ProCurve switches

Configuring Dynamic VLAN assignment on ProCurve switches

Introduction

The information contained in this post describes how to configure an HP ProCurve switch and Windows 2008 R2 NPS RADIUS server to authorise and assign users dynamically into specific VLANs.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configure VLANs

Create VLANs, define IP address and IP helper-address

VLAN 30

name “VLAN30″

ip address 192.168.30.1 255.255.255.0

ip helper-address 192.168.20.20

VLAN 40

name “VLAN40″

ip address 192.168.40.1 255.255.255.0

ip helper-address 192.168.20.20

Configure RADIUS/802.1x

Define RADIUS server IP address and shared secret

radius-server host 192.168.20.20 key secret12

Configure 802.1x authentication type

aaa authentication port-access eap-radius

Configure ethernet ports 1-2 as authenticator ports

aaa port-access authenticator 1-2

Activates 802.1x port-access authentication on ports

aaa port-access authenticator active

Create Active Directory Groups

Authentication to the individual VLANs will be by Active Directory group membership for user or computer, therefore we need to create the appropriate the groups for use later in the NPS radius server policy.

Add a user to each of the groups

Windows 20008 R2 NPS (RADIUS) Configuration

Create an appropriately named NPS Policy to authorise users for each VLAN

Configure a “Condition” of Windows Group value of DOMAINNAME\GroupName

Configure the “Authentication Methods” as “Microsoft: Protected EAP (PEAP)”

Configure “RADIUS Attributes”

Tunnel-Medium-Type = 802

Tunnel-Pvt-Group-ID = VLAN Name or VLAN ID e.g “VLAN30″ or “30″

Tunnel-Type = Virtual LANs (VLAN)

Configure Windows 7 computer to authenticate

Open Windows services and change the startup type of the service “Wired AutoConfig” to Automatic. Click Start service

Open “Network and Sharing Center”. Click “Change adapter settings”

Click “Local Area Connection” > “Properties” > “Authentication”

Ensure “Enable IEEE 802.1x authentication” is ticked

Ensure “Microsoft: Protected EAP (PEAP)” is selected from the dropdown box. Click Settings

If the client computers do not have a trusted root certificate un-check the tick box “Validate server certificate”. If you do have an internal CA and all client computers have the root CA in the computer certificate store leave checked.

If the client computer is not joined to the domain and you wish to prompt for authentication, select “Configure” and un-check “Automatic use my Windows logon….”

The steps above can also be configured via Group Policy

Testing

Connect a computer to a port configured for authentication

If using a non-domain joined computer and you have previously un-checked the tick box “Automatic use my Windows logon….” a balloon will appear “Additional information is needed to connect to this network”. Click the balloon and enter your domain credentials.

If you are on a domain joined computer, the authentication will be transparent to the user (you will not see the prompt for authentication as above).

From the switch, the command “Show port-access authenticator” will display useful troubleshooting information

When a user account is a member of “VLAN30″ windows group, they will be authorised on the RADIUS server and the port will be dynamically assigned to VLAN 30.

If the user is successfully authenticated and is a member of “VLAN40″ group the port would be dynamically assigned to VLAN 40.

Страница 1

Configuring Dynamic VLAN assignment on ProCurve switches

Introduction

The information contained in this post describes how to configure an HP ProCurve switch and Windows 2008 R2 NPS RADIUS server to authorise and assign users dynamically into specific VLANs.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configure VLANs

Create VLANs, define IP address and IP helper-address

VLAN 30

name “VLAN30″

ip address 192.168.30.1 255.255.255.0

ip helper-address 192.168.20.20

VLAN 40

name “VLAN40″

ip address 192.168.40.1 255.255.255.0

ip helper-address 192.168.20.20

Configure RADIUS/802.1x

Define RADIUS server IP address and shared secret

radius-server host 192.168.20.20 key secret12

Configure 802.1x authentication type

aaa authentication port-access eap-radius

Configure ethernet ports 1-2 as authenticator ports

aaa port-access authenticator 1-2

Activates 802.1x port-access authentication on ports

aaa port-access authenticator active

Create Active Directory Groups

Authentication to the individual VLANs will be by Active Directory group membership for user or computer, therefore we need to create the appropriate the groups for use later in the NPS radius server policy.

Add a user to each of the groups

Windows 20008 R2 NPS (RADIUS) Configuration

Create an appropriately named NPS Policy to authorise users for each VLAN

Configure a “Condition” of Windows Group value of DOMAINNAME\GroupName

Configure the “Authentication Methods” as “Microsoft: Protected EAP (PEAP)”

Configure “RADIUS Attributes”

Tunnel-Medium-Type = 802

Tunnel-Pvt-Group-ID = VLAN Name or VLAN ID e.g “VLAN30″ or “30″

Tunnel-Type = Virtual LANs (VLAN)

Configure Windows 7 computer to authenticate

Open Windows services and change the startup type of the service “Wired AutoConfig” to Automatic. Click Start service

Open “Network and Sharing Center”. Click “Change adapter settings”

Click “Local Area Connection” > “Properties” > “Authentication”

Ensure “Enable IEEE 802.1x authentication” is ticked

Ensure “Microsoft: Protected EAP (PEAP)” is selected from the dropdown box. Click Settings

If the client computers do not have a trusted root certificate un-check the tick box “Validate server certificate”. If you do have an internal CA and all client computers have the root CA in the computer certificate store leave checked.

If the client computer is not joined to the domain and you wish to prompt for authentication, select “Configure” and un-check “Automatic use my Windows logon….”

The steps above can also be configured via Group Policy

Testing

Connect a computer to a port configured for authentication

If using a non-domain joined computer and you have previously un-checked the tick box “Automatic use my Windows logon….” a balloon will appear “Additional information is needed to connect to this network”. Click the balloon and enter your domain credentials.

If you are on a domain joined computer, the authentication will be transparent to the user (you will not see the prompt for authentication as above).

From the switch, the command “Show port-access authenticator” will display useful troubleshooting information

When a user account is a member of “VLAN30″ windows group, they will be authorised on the RADIUS server and the port will be dynamically assigned to VLAN 30.

If the user is successfully authenticated and is a member of “VLAN40″ group the port would be dynamically assigned to VLAN 40.

Реклама

Добавить комментарий

Заполните поля или щелкните по значку, чтобы оставить свой комментарий:

Логотип WordPress.com

Для комментария используется ваша учётная запись WordPress.com. Выход / Изменить )

Фотография Twitter

Для комментария используется ваша учётная запись Twitter. Выход / Изменить )

Фотография Facebook

Для комментария используется ваша учётная запись Facebook. Выход / Изменить )

Google+ photo

Для комментария используется ваша учётная запись Google+. Выход / Изменить )

Connecting to %s