802.1x Configuration + Wired Authentication

mumer19
Member
Posts: 3
Joined: 14 Jul 2021 03:41

802.1x Configuration + Wired Authentication

Post by mumer19 »

Dear Experts
I am stuck in a scenario and need support.

I want to authenticate my wired users via a RADIUS server (my RADIUS server would be my domain controller).
I'm using Windows Server 2016 Datacenter, and the NPAS & ADCS roles are installed on the server. My authenticator in this scenario is an Alcatel switch OS6350 (RADIUS client).
I want my Active Directory to authenticate the users via the Alcatel switch.

Below are the commands that I have configured on my switch.

1. vlan port mobile 1/1
2. vlan port 1/1 802.1x enable
3. aaa radius-server radiusservername host 192.168.101.1 key radiuskey
4. aaa authentication 802.1x radiusservername

Can anyone explain the actual commands that are supposed to be configured on the RADIUS client switch?
When I use: show aaa authentication 802.1x
I get a result like this: 1st authentication server = myradiusservername

With this command: show radius-server "my radius server name"
I'm getting the results below.
Server name = "my radius server name"
Server type = RADIUS,
IP Address 1 = 192.168.x.x,
Retry number = 3,
Time out (sec) = 2,
Authentication port = 1812,
Accounting port = 1813,
Nas port = default,
Nas port id = disable,
Nas port type = ethernet,
Mac Addr Format Status = disable,
Mac Address Format = uppercase,
Unique Acct Session Id = disable,
Health Check Status = DISABLED,
Server oper status = UNKNOWN,
Primary oper status = UNKNOWN,
Primary Server,
Server uptime = -,
Server downtime = -,
No of server up-down = 0,
No of server down-up = 0,
Polling interval = 50,
User name = alcatel,
Failover Status = DISABLED

Please identify whether there is any problem in my switch configuration, because the user is unable to get authenticated.

When I connect my user on a port where I have enabled 802.1x, the machine gets an error on the network adapter: "Authentication failed".
If the connected machine is an AD member, then it gets this message. If the connected device is not an AD member, then it gets an IP address from the server but it does not have internet access.
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1x Configuration + Wired Authentication

Post by silvio »

You need a unp or vlan where the client (supplicant) can fall in after successful authentication.
Possibility 1 (w/o filter-id):

> vlan 41 name Quarantain
> vlan 40 name Clients
> 802.1x 1/1 supplicant policy authentication pass vlan 40 fail vlan 41 block
Or, instead of a vlan, you can create a unp (mapped to a vlan/policies) and use this for the "pass".
Possibility 2 (with filter-id) - my preferred method:
Create the unp:

> aaa user-network-profile name "Client" vlan 40
> aaa user-network-profile name "Guest" vlan 41
And at the NPS, add the filter-id (case sensitive) to your network policy. You will find guides for this on the web.

Best regards
Silvio
mumer19
Member
Posts: 3
Joined: 14 Jul 2021 03:41

Re: 802.1x Configuration + Wired Authentication

Post by mumer19 »

Dear @Silvio
Thank you for the immediate reply.
We have already mentioned the specific VLAN for the configuration in our separate Hardware Server 2016 while configuring NPS server.
Kindly guide the step by step configuration at our switch end OS6350 to achieve the task that we have requested by showing the drawings.
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1x Configuration + Wired Authentication

Post by silvio »

So I understand that your NPS policy sends back the vlan-id (not filter-id). If you have done this correctly, then you don't need any special commands at the switch. The vlan has to be configured and tagged at the uplink.
Which attribute do you use for the vlan at the server: RFC 4675 (Tunnel-Private-Group-ID 81) or the vendor specific group-id?
Have you checked from the switch against the radius (aaa test-radius-server....)?
But again: I prefer to use filter-id with unp.
mumer19
Member
Posts: 3
Joined: 14 Jul 2021 03:41

Re: 802.1x Configuration + Wired Authentication

Post by mumer19 »

Dear Silvio
Thanks for your reply.
If you prefer Filter-id with unp, then kindly guide the step by step procedure in configuring it so that I can achieve this task.
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1x Configuration + Wired Authentication

Post by silvio »

At the server side you will find answers on the web on how to configure the filter-id. At the switch side you only need to create a unp with the same name (case sensitive) as the filter-id.
Best regards
Silvio