niklasschaefer

Aruba Procurve 2920-48G PoE+ and 802.1X RADIUS authentication against Windows Server 2012R2

Hello everyone,

I'm currently a bit stuck and need your help. I have a network of 20 Aruba Procurve 2920 switches here. The 4 backbone switches are HP Small Fabric 5700FF; all switches are connected via 10Gig.

Configuration of the Procurve switch:

WKH-SW6# display current
; J9729A Configuration Editor; Created on release #WB.16.05.0004
; Ver #12:08.15.9b.3f.b3.b8.ee.34.79.3c.29.eb.9f.fc.f3.ff.37.ef:4a

hostname "WKH-SW6"  
module 1 type j9729a
trunk 47-48 trk1 lacp
trunk 45-46 trk2 lacp
gvrp
radius-server host 10.30.20.20 key "******"  
timesync sntp
sntp unicast
sntp server priority 1 10.30.1.5
sntp server priority 2 10.30.20.10
time daylight-time-rule user-defined begin-date 04/01 end-date 10/01
time timezone 60
ip default-gateway 10.30.1.5
snmp-server community "public"  
snmp-server host 10.30.20.12 community "WKH-Monitoring" trap-level all  
snmp-server location "Lindenstr.3/Produktionshalle"  
aaa authentication port-access eap-radius
aaa port-access gvrp-vlans
aaa port-access authenticator 1-44
aaa port-access authenticator 1 auth-vid 1
aaa port-access authenticator 1 unauth-vid 222
aaa port-access authenticator 2 auth-vid 1
aaa port-access authenticator 2 unauth-vid 222
aaa port-access authenticator 3 auth-vid 1
aaa port-access authenticator 3 unauth-vid 222
aaa port-access authenticator 4 auth-vid 1
aaa port-access authenticator 4 unauth-vid 222
aaa port-access authenticator 5 auth-vid 1
aaa port-access authenticator 5 unauth-vid 222
aaa port-access authenticator 6 auth-vid 1
aaa port-access authenticator 6 unauth-vid 222
aaa port-access authenticator 7 auth-vid 1
aaa port-access authenticator 7 unauth-vid 222
aaa port-access authenticator 8 auth-vid 1
aaa port-access authenticator 8 unauth-vid 222
aaa port-access authenticator 9 auth-vid 1
aaa port-access authenticator 9 unauth-vid 222
aaa port-access authenticator 10 auth-vid 1
aaa port-access authenticator 10 unauth-vid 222
aaa port-access authenticator 11 auth-vid 1
aaa port-access authenticator 11 unauth-vid 222
aaa port-access authenticator 12 auth-vid 1
aaa port-access authenticator 12 unauth-vid 222
aaa port-access authenticator 13 auth-vid 1
aaa port-access authenticator 13 unauth-vid 222
aaa port-access authenticator 14 auth-vid 1
aaa port-access authenticator 14 unauth-vid 222
aaa port-access authenticator 15 auth-vid 1
aaa port-access authenticator 15 unauth-vid 222
aaa port-access authenticator 16 auth-vid 1
aaa port-access authenticator 16 unauth-vid 222
aaa port-access authenticator 17 auth-vid 1
aaa port-access authenticator 17 unauth-vid 222
aaa port-access authenticator 18 auth-vid 1
aaa port-access authenticator 18 unauth-vid 222
aaa port-access authenticator 19 auth-vid 1
aaa port-access authenticator 19 unauth-vid 222
aaa port-access authenticator 20 auth-vid 1
aaa port-access authenticator 20 unauth-vid 222
aaa port-access authenticator 21 auth-vid 1
aaa port-access authenticator 21 unauth-vid 222
aaa port-access authenticator 22 auth-vid 1
aaa port-access authenticator 22 unauth-vid 222
aaa port-access authenticator 23 auth-vid 1
aaa port-access authenticator 23 unauth-vid 222
aaa port-access authenticator 24 auth-vid 1
aaa port-access authenticator 24 unauth-vid 222
aaa port-access authenticator 25 auth-vid 1
aaa port-access authenticator 25 unauth-vid 222
aaa port-access authenticator 26 auth-vid 1
aaa port-access authenticator 26 unauth-vid 222
aaa port-access authenticator 27 auth-vid 1
aaa port-access authenticator 27 unauth-vid 222
aaa port-access authenticator 28 auth-vid 1
aaa port-access authenticator 28 unauth-vid 222
aaa port-access authenticator 29 auth-vid 1
aaa port-access authenticator 29 unauth-vid 222
aaa port-access authenticator 30 auth-vid 1
aaa port-access authenticator 30 unauth-vid 222
aaa port-access authenticator 31 auth-vid 1
aaa port-access authenticator 31 unauth-vid 222
aaa port-access authenticator 32 auth-vid 1
aaa port-access authenticator 32 unauth-vid 222
aaa port-access authenticator 33 auth-vid 1
aaa port-access authenticator 33 unauth-vid 222
aaa port-access authenticator 34 auth-vid 1
aaa port-access authenticator 34 unauth-vid 222
aaa port-access authenticator 35 auth-vid 1
aaa port-access authenticator 35 unauth-vid 222
aaa port-access authenticator 36 auth-vid 1
aaa port-access authenticator 36 unauth-vid 222
aaa port-access authenticator 37 auth-vid 1
aaa port-access authenticator 37 unauth-vid 222
aaa port-access authenticator 38 auth-vid 1
aaa port-access authenticator 38 unauth-vid 222
aaa port-access authenticator 39 auth-vid 1
aaa port-access authenticator 39 unauth-vid 222
aaa port-access authenticator 40 auth-vid 1
aaa port-access authenticator 40 unauth-vid 222
aaa port-access authenticator 41 auth-vid 1
aaa port-access authenticator 41 unauth-vid 222
aaa port-access authenticator 42 auth-vid 1
aaa port-access authenticator 42 unauth-vid 222
aaa port-access authenticator 43 auth-vid 1
aaa port-access authenticator 43 unauth-vid 222
aaa port-access authenticator 44 auth-vid 1
aaa port-access authenticator 44 unauth-vid 222
aaa port-access authenticator active
oobm
   ip address dhcp-bootp
   exit
vlan 1
   name "LAN-Intern"  
   no untagged 3
   untagged 2,4-44,Trk1-Trk2
   tagged 1
   ip address 10.30.3.6 255.255.0.0
   exit
vlan 10
   name "VLAN10"  
   tagged Trk1-Trk2
   no ip address
   exit
vlan 222
   name "BDT-Guest"  
   untagged 3
   tagged 1-2,4-44,Trk1-Trk2
   no ip address
   exit
vlan 223
   name "BDT-Service"  
   tagged Trk1-Trk2
   no ip address
   exit
vlan 224
   name "BDT-Soft"  
   tagged Trk1-Trk2
   no ip address
   exit
vlan 225
   name "BDT-Intern"  
   tagged Trk1-Trk2
   no ip address
   exit
spanning-tree
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
no tftp server
loop-protect 1-44
loop-protect disable-timer 30
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager

WKH-SW6#

Authentication with guest machines works; they are automatically mapped to VLAN 222. With company machines the mapping to VLAN 1 works as well. But now we have users for whom there is a restricted LAN: various ports opened to the outside, but no communication inwards. For this I created two rules in NPS, so that all members of the group VLAN224 who are also in the computer group Domain Computers should get VLAN 224.
[Screenshot 2]
This is what the rule looks like; it is also first in the order, which means it should take precedence. Everything else that doesn't match this rule should be mapped to VLAN 1 (rule "VLAN1").
[Screenshot 1]
Can you tell me from the screenshots where I need to change what?

WKH-SW6# Show port-access authenticator

 Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes
  Dot1x2010 Mode [Disabled] : Disabled                Use LLDP data to authenticate [No] : No

        Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
  Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
  ----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
  1     0/0     0       None     No     No        No    No     both  1000FDx
  2     0/0     0       None     No     No        No    No     both  1000FDx
  3     1/0     0       1        No     No        No    No     both  1000FDx
  4     0/0     0       None     No     No        No    No     both  1000FDx
  5     0/0     0       None     No     No        No    No     both  1000FDx
  6     0/0     0       None     No     No        No    No     both  1000FDx
  7     0/0     0       None     No     No        No    No     both  1000FDx
  8     0/0     0       None     No     No        No    No     both  1000FDx
  9     0/0     0       None     No     No        No    No     both  1000FDx
  10    0/0     0       None     No     No        No    No     both  1000FDx
  11    0/0     0       None     No     No        No    No     both  1000FDx
  12    0/0     0       None     No     No        No    No     both  1000FDx
  13    0/0     0       None     No     No        No    No     both  1000FDx
  14    0/0     0       None     No     No        No    No     both  1000FDx
  15    0/0     0       None     No     No        No    No     both  1000FDx
  16    0/0     0       None     No     No        No    No     both  1000FDx
  17    0/0     0       None     No     No        No    No     both  1000FDx
  18    0/0     0       None     No     No        No    No     both  1000FDx
  19    0/0     0       None     No     No        No    No     both  1000FDx
  20    0/0     0       None     No     No        No    No     both  1000FDx
  21    0/0     0       None     No     No        No    No     both  1000FDx
  22    0/0     0       None     No     No        No    No     both  1000FDx
  23    0/0     0       None     No     No        No    No     both  1000FDx
  24    0/0     0       None     No     No        No    No     both  1000FDx
  25    0/0     0       None     No     No        No    No     both  1000FDx
  26    0/0     0       None     No     No        No    No     both  1000FDx
  27    0/0     0       None     No     No        No    No     both  1000FDx
  28    0/0     0       None     No     No        No    No     both  1000FDx
  29    0/0     0       None     No     No        No    No     both  1000FDx
  30    0/0     0       None     No     No        No    No     both  1000FDx
  31    0/0     0       None     No     No        No    No     both  1000FDx
  32    0/0     0       None     No     No        No    No     both  1000FDx
  33    0/0     0       None     No     No        No    No     both  1000FDx
  34    0/0     0       None     No     No        No    No     both  1000FDx
  35    0/0     0       None     No     No        No    No     both  1000FDx
  36    0/0     0       None     No     No        No    No     both  1000FDx
  37    0/0     0       None     No     No        No    No     both  1000FDx
  38    0/0     0       None     No     No        No    No     both  1000FDx
  39    0/0     0       None     No     No        No    No     both  1000FDx
  40    0/0     0       None     No     No        No    No     both  1000FDx
  41    0/0     0       None     No     No        No    No     both  1000FDx
  42    0/0     0       None     No     No        No    No     both  1000FDx
  43    0/0     0       None     No     No        No    No     both  1000FDx
  44    0/0     0       None     No     No        No    No     both  1000FDx
If you need more information for troubleshooting, let me know and I'll provide it.

Regards and thanks,

Niklas

Content-ID: 367752

Url: https://administrator.de/contentid/367752

Printed on: 23.11.2024 at 12:11
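As an added example (not code from this post, from NPS or from the switch firmware), the two decisions that together produce the VLAN a port ends up in: NPS walks its network policies in processing order and the first policy whose conditions all match decides, returning the RFC 2868/3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = VLAN ID); the switch then uses the RADIUS-assigned VLAN if one is present, otherwise auth-vid on an accept and unauth-vid on a reject. The policy names VLAN224 and VLAN1 and the VLAN IDs 1, 222 and 224 are taken from the post; the identities, their group memberships and the modelling rule that a group condition is checked only against the account that actually authenticated are constructed assumptions, not verified NPS behaviour.

```python
"""Model of 802.1X dynamic VLAN assignment: ordered NPS-style network policies
returning RADIUS tunnel attributes, and the switch-side choice between the
RADIUS VLAN, auth-vid and unauth-vid.

Added example for this thread; it is not code from the post, from NPS or from
the ArubaOS-Switch firmware. Identities, groups and policy conditions are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Attribute numbers from RFC 2868; the values are what RFC 3580 defines for
# VLAN assignment over IEEE 802 media.
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81  # value    = VLAN ID as a string


@dataclass(frozen=True)
class Identity:
    """The single account that authenticated (user or computer) and its groups."""
    name: str
    kind: str                  # "user" or "computer"
    groups: frozenset


@dataclass(frozen=True)
class Policy:
    """One NPS-style network policy: every listed condition must hold (AND);
    inside a group condition, membership in any listed group is enough (OR)."""
    name: str
    user_groups: frozenset = frozenset()
    machine_groups: frozenset = frozenset()
    vlan: Optional[int] = None   # Tunnel-Private-Group-ID to return, if any
    grant: bool = True

    def matches(self, who: Identity) -> bool:
        # Modelling assumption: each group condition is evaluated against the
        # account that actually authenticated, so a user identity cannot satisfy
        # a machine-group condition and a computer identity cannot satisfy a
        # user-group condition.
        if self.user_groups and (who.kind != "user" or not (who.groups & self.user_groups)):
            return False
        if self.machine_groups and (who.kind != "computer" or not (who.groups & self.machine_groups)):
            return False
        return True


def vlan_attributes(vlan: int) -> dict:
    """The three attributes a switch needs to place the port in `vlan`."""
    return {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: str(vlan)}


def evaluate(policies, who: Identity):
    """First-match evaluation. Returns (policy name, accepted, attributes);
    no matching policy means an Access-Reject."""
    for p in policies:
        if p.matches(who):
            attrs = vlan_attributes(p.vlan) if (p.grant and p.vlan) else {}
            return p.name, p.grant, attrs
    return None, False, {}


def port_vlan(accepted: bool, attrs: dict, auth_vid: int, unauth_vid: int) -> int:
    """Switch side: a complete RADIUS VLAN triple wins; otherwise auth-vid on
    success and unauth-vid on failure (1 and 222 in the posted config)."""
    if not accepted:
        return unauth_vid
    if (attrs.get(TUNNEL_TYPE) == 13 and attrs.get(TUNNEL_MEDIUM_TYPE) == 6
            and TUNNEL_PRIVATE_GROUP_ID in attrs):
        return int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    return auth_vid


# Constructed policies in the order described in the post: VLAN224 first, VLAN1 second.
POLICIES = (
    Policy("VLAN224", user_groups=frozenset({"VLAN224"}),
           machine_groups=frozenset({"Domain Computers"}), vlan=224),
    Policy("VLAN1", user_groups=frozenset({"Domain Users"}), vlan=1),
)


def assign(who: Identity, policies=POLICIES, auth_vid=1, unauth_vid=222):
    """End to end: which policy matched and which VLAN the port is placed in."""
    name, accepted, attrs = evaluate(policies, who)
    return name, port_vlan(accepted, attrs, auth_vid, unauth_vid)


if __name__ == "__main__":
    # Constructed identities for a dry run.
    alice = Identity("alice", "user", frozenset({"Domain Users", "VLAN224"}))
    pc = Identity("PC01$", "computer", frozenset({"Domain Computers"}))
    guest = Identity("visitor", "user", frozenset())
    for who in (alice, pc, guest):
        print(who.name, assign(who))
```

Under this model, a user who is in VLAN224 but authenticates with a user identity does not satisfy the machine-group condition of the first policy and falls through to the VLAN1 policy, while any session no policy accepts lands in unauth-vid 222; dropping the machine-group condition from the first policy makes it match and return VLAN 224. Whether that is what the real NPS policies in the screenshots do is exactly the question the post asks.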