Introduction
The information contained in this post describes how to configure an HP ProCurve switch and Windows 2008 R2 NPS RADIUS server to authorise and assign users dynamically into specific VLANs.
The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72.
Configure VLANs
Create VLANs, define IP address and IP helper-address
vlan 30
name "VLAN30"
ip address 192.168.30.1 255.255.255.0
ip helper-address 192.168.20.20
exit
vlan 40
name "VLAN40"
ip address 192.168.40.1 255.255.255.0
ip helper-address 192.168.20.20
exit
Configure RADIUS/802.1x
Define RADIUS server IP address and shared secret
radius-server host 192.168.20.20 key secret12
Configure 802.1x authentication type
aaa authentication port-access eap-radius
Configure ethernet ports 1-2 as authenticator ports
aaa port-access authenticator 1-2
Activate 802.1x port-access authentication on the authenticator ports
aaa port-access authenticator active
Create Active Directory Groups
Authentication to the individual VLANs will be by Active Directory group membership for the user or computer, therefore we need to create the appropriate groups for use later in the NPS RADIUS server policy.
Add a user to each of the groups
Windows 2008 R2 NPS (RADIUS) Configuration
Create an appropriately named NPS Policy to authorise users for each VLAN
Configure a “Condition” of Windows Group value of DOMAINNAME\GroupName
Configure the “Authentication Methods” as “Microsoft: Protected EAP (PEAP)”
Configure “RADIUS Attributes”
Tunnel-Medium-Type = 802
Tunnel-Pvt-Group-ID = VLAN Name or VLAN ID, e.g. “VLAN30” or “30”
Tunnel-Type = Virtual LANs (VLAN)
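The three attributes above are the RFC 2868 tunnel attributes. The Python below is an added example (it is not from the original post, nor HP or Microsoft code) that encodes them as they appear in a RADIUS Access-Accept, parses them back out of the attribute list, and resolves the group ID to a VLAN the way the switch has to, accepting either the VLAN name or the numeric VLAN ID. It assumes a tag byte of 0 by default (the tag NPS actually sends depends on the tag setting chosen for each attribute in the policy), models the switch's decision as "place the port only when Tunnel-Type is VLAN (13), Tunnel-Medium-Type is 802 (6) and the group ID matches a configured VLAN, otherwise no assignment", and the VLAN table is constructed from the two VLANs in this post. It is handy for checking what a capture of the NPS reply really contains when a port stays in its static VLAN.

```python
# Added example, not from the original post: encode/decode the RFC 2868 tunnel
# attributes that NPS returns for dynamic VLAN assignment and resolve the group
# ID the way the switch must (VLAN name or VLAN ID). Attribute numbers and value
# codes are from RFC 2868; the VLAN table is constructed from the post.
import struct

TUNNEL_TYPE = 64            # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65     # Tunnel-Medium-Type
TUNNEL_PVT_GROUP_ID = 81    # Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13       # "Virtual LANs (VLAN)"
MEDIUM_IEEE_802 = 6         # "802 (includes all 802 media plus Ethernet canonical format)"

# Constructed from the post: VLAN ID -> VLAN name as configured on the switch.
SWITCH_VLANS = {30: "VLAN30", 40: "VLAN40"}


def encode_tagged_int(attr_type, tag, value):
    """Type(1) Length(1)=6 Tag(1) Value(3): the RFC 2868 tagged-integer layout."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type(1) Length(1) Tag(1) String: tag 0 means 'untagged' but is still sent."""
    body = bytes([tag]) + text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def vlan_attributes(group_id, tag=0):
    """The three attributes NPS sends in the Access-Accept (order is not significant)."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PVT_GROUP_ID, tag, group_id))


def parse_attributes(blob):
    """Walk a RADIUS attribute list (Type, Length, Value) into a list of (type, value)."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def split_tag(value):
    """For string attributes a first byte of 0x00..0x1F is a tag; anything else is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def resolve_vlan(group_id, vlans):
    """The switch accepts either the VLAN name or the numeric VLAN ID; unknown -> None."""
    if group_id.isdigit():
        vid = int(group_id)
        return vid if vid in vlans else None
    for vid, name in vlans.items():
        if name == group_id:
            return vid
    return None


def assigned_vlan(blob, vlans=SWITCH_VLANS):
    """VLAN the port would be placed in, or None when the attributes are missing or
    inconsistent (modelled here as 'no dynamic assignment')."""
    by_tag = {}
    for atype, value in parse_attributes(blob):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be 4 bytes")
            tag, payload = value[0], int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PVT_GROUP_ID:
            tag, raw = split_tag(value)
            payload = raw.decode("ascii", "replace")
        else:
            continue  # other Access-Accept attributes are irrelevant to VLAN placement
        by_tag.setdefault(tag, {})[atype] = payload
    # Attributes sharing a tag describe one tunnel; all three must agree for a VLAN.
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and TUNNEL_PVT_GROUP_ID in group):
            return resolve_vlan(group[TUNNEL_PVT_GROUP_ID], vlans)
    return None


if __name__ == "__main__":
    for gid in ("VLAN30", "40", "VLAN50"):
        reply = vlan_attributes(gid)
        print(gid, reply.hex(), "->", assigned_vlan(reply))
```

On the wire the reply for “VLAN30” is 21 bytes: `40 06 00 00 00 0d` (Tunnel-Type, tag 0, VLAN), `41 06 00 00 00 06` (Tunnel-Medium-Type, tag 0, 802) and `51 09 00 56 4c 41 4e 33 30` (Tunnel-Private-Group-ID, tag 0, "VLAN30"). A group ID that matches no VLAN on the switch, or a Tunnel-Medium-Type other than 802, yields no assignment, which is the first thing to check when a port authenticates but stays in its untagged VLAN.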
Configure Windows 7 computer to authenticate
Open Windows Services and change the startup type of the “Wired AutoConfig” service to Automatic, then start the service.
Open “Network and Sharing Center”. Click “Change adapter settings”
Click “Local Area Connection” > “Properties” > “Authentication”
Ensure “Enable IEEE 802.1x authentication” is ticked
Ensure “Microsoft: Protected EAP (PEAP)” is selected from the dropdown box. Click Settings
If the client computers do not have a trusted root certificate un-check the tick box “Validate server certificate”. If you do have an internal CA and all client computers have the root CA in the computer certificate store leave checked.
If the client computer is not joined to the domain and you wish to prompt for authentication, select “Configure” and un-check “Automatically use my Windows logon….”
The steps above can also be configured via Group Policy
Testing
Connect a computer to a port configured for authentication
If using a non-domain joined computer and you have previously un-checked the tick box “Automatically use my Windows logon….”, a balloon will appear: “Additional information is needed to connect to this network”. Click the balloon and enter your domain credentials.
If you are on a domain joined computer, the authentication will be transparent to the user (you will not see the prompt for authentication as above).
From the switch, the command “show port-access authenticator” will display useful troubleshooting information.
When a user account is a member of the “VLAN30” Windows group, it will be authorised on the RADIUS server and the port will be dynamically assigned to VLAN 30.
If the user is successfully authenticated and is a member of “VLAN40” group the port would be dynamically assigned to VLAN 40.