Below are configuration steps and template to enable 802.1x on HP Comware switches.
Step 1: Configure RADIUS Scheme
radius scheme <radius_servers_scheme>
# Configure Primary RADIUS Server with key
primary authentication <primary_radius_server_ip> key <radius_key>
# Optional accounting
primary accounting <primary_radius_server_ip> key <radius_key>
# Configure Secondary RADIUS Server with key (if available)
secondary authentication <secondary_radius_server_ip> key <radius_key>
# Optional accounting
secondary accounting <secondary_radius_server_ip> key <radius_key>
# Usernames submitted are stripped of domain
user-name-format without-domain
# NAS Source IP should be similar with client IP configured in RADIUS server
nas-ip <device_source_ip>
quit
# Recommend to use corporate domain (i.e. corporate.com)
domain <corporate_domain>
# Configure LAN wired access authentication/authorization
authentication lan-access radius-scheme <radius_servers_scheme>
authorization lan-access radius-scheme <radius_servers_scheme>
quit
# Option 1: Configure 802.1x globally on the switch
dot1x
# Option 2: If switch will use combination of port-security, 802.1x and mac-authentication,
# configure port-security globally and enable 802.1x per switchport.
port-security enable
# 802.1x authentication - used EAP with Microsoft NPS
dot1x authentication-method eap
# 802.1x authentication retries
dot1x retry 3
# Timers which helps limit/increase 802.1x packets/heartbeats/noise between
# clients, switch and RADIUS servers. Fine tune these accordingly
dot1x timer handshake-period 30
dot1x timer tx-period 30
dot1x quiet-period
dot1x timer quiet-period 30
# Note: Some Comware 5.2 switches do not support "interface range" command
# which makes it challenging to configure multiple interfaces.
interface GigabitEthernetx/x/x
description # 802.1x port #
# port configured as Edge port (1 device only)
stp edged-port enable
# Configure Access VLAN where authenticated devices are set
port access vlan <access_vlan>
##### If Option 1 is selected
dot1x
##### If Option 2 is selected
port-security port-mode userlogin
# Configure authentication domain
dot1x mandatory-domain <corporate_domain>
# Disable handshake necessary for Windows clients
undo dot1x handshake
# If Guest VLAN and Critical VLAN are required, below are recommended settings
dot1x multicast-trigger
dot1x guest-vlan <guest_vlan>
dot1x auth-fail vlan <critical_vlan>
dot1x critical vlan <critical_vlan>
dot1x critical recovery-action reinitialize
#
quit
<CORPORATE-SWITCH>display dot1x interface GigabitEthernet1/0/1
Equipment 802.1X protocol is enabled
EAP authentication is enabled
EAD quick deploy is disabled
Configuration: Transmit Period 30 s, Handshake Period 30 s
Quiet Period 30 s, Quiet Period Timer is enabled
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times 3
EAD quick deploy configuration:
EAD timeout: 30 m
The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 5
GigabitEthernet1/0/11 is link-up
802.1X protocol is enabled
Handshake is disabled
Handshake secure is disabled
802.1X unicast-trigger is disabled
802.1X user-ip freeze is disabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Port-based
802.1X Multicast-trigger is enabled
Mandatory authentication domain: corporate.com
Guest VLAN: 2007
Auth-Fail VLAN: 2009
Critical VLAN: 2009
Critical recovery-action: reinitialize
Voice VLAN: NOT configured
Max number of on-line users is 256
EAPOL Packet: Tx 36385, Rx 144
Sent EAP Request/Identity Packets : 36254
EAP Request/Challenge Packets: 0
EAP Success Packets: 14, Fail Packets: 1
Received EAPOL Start Packets : 16
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 15
EAP Response/Challenge Packets: 113
Error Packets: 0
1. Authenticated user : MAC address: 54fe-7344-d260
Controlled User(s) amount to 1
When deploying wired 802.1x over the network, check the required patch level for Windows clients as we have experienced re-authentication and timeout issues when connected over the network. Below are URLs to check for the recommended patches for Windows clients.
“Cisco Forum - Getting past intermittent/unexplained 802.1x problems on Windows 7”
https://supportforums.cisco.com/blog/12256681/getting-past-intermittentunexplained-8021x-problems-windows-7
"List of IEEE 802.1x hotfixes for Windows 7"
http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/