Wednesday, December 19, 2018

802.1x / NPS / static IPs

I have an isolated system on which I am configuring 802.1x with NPS on Server 2016 and an Aruba 2530 switch.

The problem I'm having is when we move a computer with a certificate to a port that is 802.1x enabled, it gets moved to the unauth vlan and the switch reports that the authentication server is unreachable. It never gets moved to the authorized vlan.

Currently all the PCs are assigned static IPs. Switch is configured with an IP on the data network.

I'm having a hard time finding the exact flow of events that the authenticator process goes through.

Does the computer on the unauth vlan need to reach the NPS server, or does the switch contact the NPS server? Does the computer need an IP on the unauth_vlan, and then the unauth_vlan contacts the NPS server? Should DHCP be set up on both the vlans rather than static assignments?

Switch config:

radius-server host 10.10.10.222 key "themagicword"
aaa authentication port-access eap-radius
aaa port-access authenticator 1-4
aaa port-access authenticator 1 auth-vid 10
aaa port-access authenticator 1 unauth-vid 80
aaa port-access authenticator 2 auth-vid 10
aaa port-access authenticator 2 unauth-vid 80
aaa port-access authenticator 3 auth-vid 10
aaa port-access authenticator 3 unauth-vid 80
aaa port-access authenticator 4 auth-vid 10
aaa port-access authenticator 4 unauth-vid 80
aaa port-access authenticator active
vlan 10
   name "auth_vlan"
   ip address 10.10.10.11 255.255.255.0
   untagged 1-24
   exit
vlan 80
   name "unauth_vlan"
   no ip address
   exit
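In 802.1X the switch, not the PC, is the RADIUS client: the supplicant speaks EAPOL at layer 2 (no IP address needed), and the authenticator relays the EAP exchange to NPS over RADIUS from its own address (10.10.10.11 in the config above). "Authentication server unreachable" therefore means the switch sent RADIUS requests and got no reply. NPS discards, without replying, any request whose source IP is not registered as a RADIUS client or whose shared secret does not match (it logs an event but sends nothing back), and a host firewall blocking UDP/1812 produces the same silence. The script below is an added example, not part of the original post, that reproduces the switch's client role so the RADIUS path can be checked independently of any PC: it builds an RFC 2865 Access-Request with the RFC 2869 Message-Authenticator, sends it, and validates the Response Authenticator of whatever comes back. The user name and password it sends are placeholders; a reject is a success here because it proves the server answered. It assumes it is run from a host whose IP is registered in NPS as a RADIUS client with the same secret.

```python
"""Minimal RADIUS reachability probe (RFC 2865 / RFC 2869), added example only."""
import hashlib
import hmac
import os
import socket
import struct
import sys

# RADIUS packet codes and attribute types used by this probe.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def attribute(attr_type, value):
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    return bytes([attr_type, len(value) + 2]) + value


def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(secret, username, password, nas_ip, ident, request_auth):
    """Build an Access-Request the way a NAS (the switch) does, including the
    Message-Authenticator that EAP-capable servers such as NPS require."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, last attr
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    # RFC 2869: HMAC-MD5 keyed with the secret over the packet with the attribute zeroed.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server-side reply construction; used here only to exercise verify_response offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, ident, request_auth, secret):
    """Return the reply code if the packet is a genuine answer to our request
    (matching ID, length and Response Authenticator), otherwise None."""
    if len(packet) < 20:
        return None
    code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if reply_id != ident or length != len(packet):
        return None
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


def probe(server, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request and classify the outcome as the switch would see it."""
    ident = os.urandom(1)[0]
    request_auth = os.urandom(16)
    packet = build_access_request(secret, username, password, nas_ip, ident, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: server down, probe host not a registered RADIUS client, secret mismatch or firewall"
    code = verify_response(reply, ident, request_auth, secret)
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject (server reachable)"}.get(
        code, "reply failed authenticator check: wrong secret or forged packet")


if __name__ == "__main__":
    # Usage: radius_probe.py <server-ip> <shared-secret> [local-ip-to-report-as-NAS]
    server_ip, shared_secret = sys.argv[1], sys.argv[2].encode()
    local_ip = sys.argv[3] if len(sys.argv) > 3 else "127.0.0.1"
    # "probe-user"/"probe-password" are placeholders; a reject still proves reachability.
    print(probe(server_ip, shared_secret, b"probe-user", b"probe-password", local_ip))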


No comments:

Post a Comment