HP Procurve with RADIUS authentication using NPS

The two main chassis I used are from Hewlett Packard, which are;

  • HP Procurve 5406 – J9823A
  • HP Procurve 5412 – J9532A
  • HP Procurve 5406 – J9533A

Steps required;

  1. Build RADIUS server
  2. Configure RADIUS server
    1. Add a RADIUS Client
    2. Create Connection Request Policy
    3. Create Network Policy
  3. Configure switch.
  4. Debugging


1 – Build RADIUS server

For the server we use Windows 2008 R2.

Go to Administrative Tools –> Server Manager, make sure Roles is selected on the left and click Add Roles on the far right.

Select the Network Policy and Access Services role and click Next

Select the Network Policy Server role, the other role services are not required

Click next through the option boxes to complete the install.


2.1 – Add a RADIUS client

Open Network Policy Server from Administrative Tools, expand RADIUS Clients and Servers and right click on RADIUS Clients –> New.

When you create the key, you need to make a note of it as this will be needed for the switch configuration later.

Be aware that if using an IP range for the RADIUS client, you must use a bitmask (the number of bits in the network address). In this case 24, which would be equivalent to a subnet mask of

2.2 – Create Connection Request Policy

Expand Policies and right click on Connection Request Policy then click ‘New’.
Configure the Connection Request Policy (CRP) as;


  • NAS IPv4 Address = Switch management address range, eg 192.168.3.*
  • Authentication Provider = Local Computer
  • Override Authentication = Disabled


Just to confuse people, the NAS IPv4 address should use a wildcard for a range of IPs and not a bitmask as you did when you created the RADIUS client.

2.3 – Create Network Policy

Configure the Network Policy (NP) as;


  • Authentication Type = PAP
  • User Groups = The domain user group, eg CIFT\IT
  • Extended State = <blank>
  • Access Permission = Grant Access
  • Authentication Method = Unencrypted Authentication (PAP, SPAP)
  • NAP Enforcement = Allow full network access
  • Framed-Protocol = PPP
  • Service-Type = Administrative


3 – Switch Configuration

Add the radius server and key
radius-server host <NPS ServerIP> key <SecretKey>

Disable telnet and Web access
no telnet-server
no web-management

Once authenticated, go straight to privilege/enable mode
aaa authentication login privilege-mode

Set the console and SSH authentication order to Radius then Local
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local

Set a local manager password to use when Radius server is unavailable
password manager user admin plaintext

Be aware that LOCAL authentication will only be used if the radius server does not respond and it will take several failed attempts to contact the server before you get a local authentication prompt.

4 – Debugging

To see all the authentication attempts from the RADIUS clients on the NPS server, open Event Viewer and go to Custom Views –> Server Roles –> Network Policy and Access Server.

Clicking on one of the events will display information similar to the following;


This is split up into sections;

  • User – The username used to authenticate with the NPS server
  • Client Machine – The hardware address of the device the user was using. Not used here, because you are authenticating directly from the RADIUS client (the switch) rather than from a PC that forwards to the client, which in turn forwards to the NPS server
  • NAS – The device the authentication request is coming from, in this example the 5406 switch
  • Radius Client – The configured RADIUS client entry that matched
  • Authentication Details – Which Connection Request and Network Policies were used

A failed authentication would display no Network Policy Name – As long as you’ve disabled the default policies after installing the NPS role.

From my example configuration you can see how it matches the event output;

The RADIUS client is called NET-DEVICES (it uses an IP range, but the event shows the IP of the device rather than the configured client range, which is far more useful).

The Authentication Details show the CRP and NP being used (to keep it simple I’ve called them both NET-DEVICES), the authentication server (useful if you forward events to another server) and the authentication type.
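As an added example (not part of the original post), the following Python script sends the same kind of PAP Access-Request the switch sends, so the RADIUS client entry, key and policies from sections 2 and 3 can be checked from a workstation, and each failure maps back to one of the debugging points above. NPS_HOST and SHARED_SECRET are placeholders, and the workstation's own IP must fall inside the RADIUS client's bitmask for NPS to answer at all. It also makes the PAP setting concrete: the password is only XORed with MD5(key + authenticator) on the wire (RFC 2865), so the strength of the RADIUS key and the isolation of the management network are what protect it.

```python
import hashlib, hmac, os, socket, struct

NPS_HOST, SHARED_SECRET = "192.168.3.10", b"ChangeMe"  # placeholders: NPS address, key from step 2.1
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, SERVICE_TYPE_ADMINISTRATIVE = 1, 2, 3, 6  # codes; NP's Service-Type value
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6  # RFC 2865 attribute types

def _blocks(data, secret, authenticator, encrypting):
    # RFC 2865 5.2 User-Password: each 16-byte block is XORed with MD5(secret + previous cipher block)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, (chunk if encrypting else data[i:i + 16])
    return out

def pap_encode(password, secret, authenticator):
    # PAP is obfuscated with the RADIUS key, not encrypted: the key and the management path carry the risk
    return _blocks(password + b"\x00" * (-len(password) % 16) or b"\x00" * 16, secret, authenticator, True)

def pap_decode(encrypted, secret, authenticator):
    return _blocks(encrypted, secret, authenticator, False).rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, password, nas_ip, secret, authenticator):
    # NPS picks the RADIUS client by the packet's source IP (bitmask, 2.1) but matches the CRP's
    # "NAS IPv4 Address" condition (wildcard, 2.2) against the NAS-IP-Address attribute below
    attrs = (attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, pap_encode(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)) + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def expected_response_authenticator(response, request_authenticator, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret); proves NPS holds the same key
    return hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()

def response_is_authentic(response, request_authenticator, secret):
    return len(response) >= 20 and hmac.compare_digest(expected_response_authenticator(response, request_authenticator, secret), response[4:20])

def probe_login(user, password, nas_ip, host=NPS_HOST, secret=SHARED_SECRET, timeout=3.0):
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(ident, user, password, nas_ip, secret, req_auth), (host, 1812))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply: source IP outside the client bitmask, UDP 1812 blocked, or NPS down (the switch would fall back to local)"
    if resp[1] != ident or not response_is_authentic(resp, req_auth, secret):
        return "reply failed the authenticator check: shared key differs from the RADIUS client entry"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject (check NP conditions and the NPS event log)"}.get(resp[0], f"code {resp[0]}")
```

Call probe_login("admin", "password", "192.168.3.1") from a host inside the client range; a reject with a correct key shows up in the NPS event log with no Network Policy Name, exactly as described above.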


2 thoughts on “HP Procurve with RADIUS authentication using NPS”

  1. Pretty nice post. I simply stumbled upon your blog and wished to say that I have truly enjoyed surfing around
    your weblog posts. After all I’ll be subscribing in your feed and I hope
    you write again very soon!
