HP 5500 Ei 5500 Si Switch Series Configuration Guide
EAP termination

Figure 43 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used.

Figure 43 802.1X authentication procedure in EAP termination mode

In EAP termination mode, it is the network access device, rather than the authentication server, that generates the MD5 challenge used for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and the encrypted password to the RADIUS server in a standard RADIUS packet.
Configuring 802.1X

This chapter describes how to configure 802.1X on an HP device.

You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter. It is described in Configuring port security.

HP implementation of 802.1X

Access control methods

HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.
• Port-based access control: Once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.
• MAC-based access control: Each user is separately authenticated on a port. When a user logs off, no other online users are affected.

Using 802.1X authentication with other features

VLAN assignment

You can configure the authentication server to assign a VLAN to an 802.1X user that has passed authentication. The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X access control mode. For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.

Access control: Port-based
VLAN manipulation: Assigns the VLAN to the port as the port VLAN ID (PVID). All subsequent 802.1X users can access the port VLAN without authentication. When the user logs off, the previous PVID is restored, and all other online users are logged off.

Access control: MAC-based
VLAN manipulation:
• If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address of each user to the VLAN assigned by the authentication server. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
• If the port is an access port, a trunk port, or a hybrid port with MAC-based VLAN disabled, assigns the VLAN of the first authenticated user to the port as the PVID. If a different VLAN is assigned to a subsequent user, that user cannot pass authentication. To avoid authentication failures for subsequent users, assign the same VLAN to all 802.1X users on these ports.
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

On a port with periodic online user re-authentication enabled, if a user has been online before you enable the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed.

Guest VLAN

You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so that they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. After a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources.

The way that the network access device handles VLANs on the port differs by 802.1X access control mode. For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.

1. On a port that performs port-based access control

Authentication status: No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled.
VLAN manipulation: Assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation.

Authentication status: A user in the 802.1X guest VLAN fails 802.1X authentication.
VLAN manipulation: If an 802.1X Auth-Fail VLAN (see Auth-Fail VLAN) is available, assigns the Auth-Fail VLAN to the port as the PVID. All users on this port can access only resources in the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the PVID on the port is still the 802.1X guest VLAN, and all users on the port are in the guest VLAN.

Authentication status: A user in the 802.1X guest VLAN passes 802.1X authentication.
VLAN manipulation:
• Assigns the VLAN specified for the user to the port as the PVID, and removes the port from the 802.1X guest VLAN. After the user logs off, the user-configured PVID is restored.
• If the authentication server assigns no VLAN, the user-configured PVID applies. The user and all subsequent 802.1X users are assigned to the user-configured port VLAN. After the user logs off, the PVID remains unchanged.

2. On a port that performs MAC-based access control

To use the 802.1X guest VLAN function on a port that performs MAC-based access control, make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.

Authentication status: A user has not passed 802.1X authentication yet.
VLAN manipulation: Creates a mapping between the MAC address of the user and the 802.1X guest VLAN. The user can access resources in the guest VLAN.

Authentication status: A user in the 802.1X guest VLAN fails 802.1X authentication.
VLAN manipulation: If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest VLAN.

Authentication status: A user in the 802.1X guest VLAN passes 802.1X authentication.
VLAN manipulation: Re-maps the MAC address of the user to the VLAN specified for the user. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port.

NOTE: The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.

Auth-Fail VLAN

You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication because of a failure to comply with the organization's security strategy, such as using a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.

The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication because of authentication timeouts or network connection problems.

The way that the network access device handles VLANs on the port differs by 802.1X access control mode. For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.

1. On a port that performs port-based access control

Authentication status: A user fails 802.1X authentication.
VLAN manipulation: Assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN.

Authentication status: A user in the Auth-Fail VLAN fails 802.1X re-authentication.
VLAN manipulation: The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on this port are in this VLAN.

Authentication status: A user passes 802.1X authentication.
VLAN manipulation:
• Assigns the VLAN specified for the user to the port as the PVID, and removes the port from the Auth-Fail VLAN. After the user logs off, the user-configured PVID is restored.
• If the authentication server assigns no VLAN, the initial PVID applies. The user and all subsequent 802.1X users are assigned to the user-configured PVID. After the user logs off, the PVID remains unchanged.

2. On a port that performs MAC-based access control

To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.

Authentication status: A user fails 802.1X authentication.
VLAN manipulation: Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.
Authentication status: A user in the Auth-Fail VLAN fails 802.1X re-authentication.
VLAN manipulation: The user is still in the Auth-Fail VLAN.

Authentication status: A user in the Auth-Fail VLAN passes 802.1X authentication.
VLAN manipulation: Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port.

NOTE: The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.

Critical VLAN

You can configure an 802.1X critical VLAN on a port to accommodate 802.1X users that fail authentication because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users in the critical VLAN can access a limited set of network resources, depending on your configuration.

The critical VLAN feature takes effect only when 802.1X authentication is performed through RADIUS servers alone. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about RADIUS configuration, see Configuring AAA. For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.

The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X access control mode.

1. On a port that performs port-based access control

Authentication status: A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable.
VLAN manipulation: Assigns the critical VLAN to the port as the PVID. The 802.1X user and all subsequent 802.1X users on this port can access only resources in the critical VLAN.

Authentication status: A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable.
VLAN manipulation: The critical VLAN is still the PVID of the port, and all 802.1X users on this port are in this VLAN.

Authentication status: A user in the 802.1X critical VLAN fails authentication for any reason other than server unreachable.
VLAN manipulation: If an Auth-Fail VLAN has been configured, the PVID of the port changes to the Auth-Fail VLAN ID, and all 802.1X users on this port are moved to the Auth-Fail VLAN.

Authentication status: A user in the critical VLAN passes 802.1X authentication.
VLAN manipulation:
• Assigns the VLAN specified for the user to the port as the PVID, and removes the port from the critical VLAN. After the user logs off, the default or user-configured PVID is restored.
• If the authentication server assigns no VLAN, the default or user-configured PVID applies. The user and all subsequent 802.1X users are assigned to this port VLAN. After the user logs off, this PVID remains unchanged.

Authentication status: A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable.
VLAN manipulation: The PVID of the port remains unchanged. All 802.1X users on this port can access only resources in the guest VLAN or the Auth-Fail VLAN.

2. On a port that performs MAC-based access control

To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.

Authentication status: A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable.
VLAN manipulation: Maps the MAC address of the user to the critical VLAN. The user can access only resources in the critical VLAN.

Authentication status: A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable.
VLAN manipulation: The user is still in the critical VLAN.

Authentication status: A user in the critical VLAN fails 802.1X authentication for any reason other than server unreachable.
VLAN manipulation: If an Auth-Fail VLAN has been configured, re-maps the MAC address of the user to the Auth-Fail VLAN.

Authentication status: A user in the critical VLAN passes 802.1X authentication.
VLAN manipulation: Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the default or user-configured PVID on the port.

Authentication status: A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable.
VLAN manipulation: The user remains in the 802.1X guest VLAN or the Auth-Fail VLAN.

Authentication status: A user in the MAC authentication guest VLAN fails 802.1X authentication because all the 802.1X authentication servers are unreachable.
VLAN manipulation: The user is removed from the MAC authentication guest VLAN and mapped to the 802.1X critical VLAN.

NOTE: The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member.

Any of the following RADIUS authentication server changes in the ISP domain for 802.1X users on a port can cause the users to be removed from the critical VLAN:
• An authentication server is reconfigured, added, or removed.
• The status of any RADIUS authentication server automatically changes to active or is administratively set to active.
• The RADIUS server probing function detects that a RADIUS authentication server is reachable and sets its state to active.

You can use the dot1x critical recovery-action reinitialize command to configure the port to trigger 802.1X re-authentication when the port or an 802.1X user on the port is removed from the critical VLAN.
• If MAC-based access control is used, the port sends a unicast Identity EAP/Request to the 802.1X user to trigger authentication.
• If port-based access control is used, the port sends a multicast Identity EAP/Request to the 802.1X users to trigger authentication.

ACL assignment

You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes 802.1X authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the ACL on the access device. You can change ACL rules while the user is online.

Configuration prerequisites
• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
• If RADIUS authentication is used, create user accounts on the RADIUS server.
• If local authentication is used, create local user accounts on the access device and set the service type to lan-access.
802.1X configuration task list

Task (Remarks):
• Enabling 802.1X (Required)
• Enabling EAP relay or EAP termination (Optional)
• Setting the port authorization state (Optional)
• Specifying an access control method (Optional)
• Setting the maximum number of concurrent 802.1X users on a port (Optional)
• Setting the maximum number of authentication request attempts (Optional)
• Setting the 802.1X authentication timeout timers (Optional)
• Configuring the online user handshake function (Optional)
• Configuring the authentication trigger function (Optional)
• Specifying a mandatory authentication domain on a port (Optional)
• Configuring the quiet timer (Optional)
• Enabling the periodic online user re-authentication function (Optional)
• Configuring an 802.1X guest VLAN (Optional)
• Configuring an Auth-Fail VLAN (Optional)
• Configuring an 802.1X critical VLAN (Optional)
• Specifying supported domain name delimiters (Optional)
Enabling 802.1X

Configuration guidelines
• If the PVID of a port is a voice VLAN, the 802.1X function cannot take effect on the port. For more information about voice VLANs, see Layer 2—LAN Switching Configuration Guide.
• 802.1X is mutually exclusive with link aggregation and service loopback group configuration on a port.
• Do not use the BPDU drop feature on an 802.1X-enabled port. The BPDU drop feature discards 802.1X packets that arrive on the port.
• On a port with both 802.1X and MAC authentication enabled, an EAP packet from an unknown MAC address immediately triggers 802.1X authentication, and any other type of packet from an unknown MAC address triggers MAC authentication 30 seconds after its arrival.

Configuration procedure

To enable 802.1X on a port:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable 802.1X globally.
   Command: dot1x
   Remarks: By default, 802.1X is disabled globally.
3. Enable 802.1X on a port.
   Command (Approach 1, in system view): dot1x interface interface-list
   Command (Approach 2, in Ethernet interface view): a. interface interface-type interface-number, then b. dot1x
   Remarks: Use either approach. By default, 802.1X is disabled on a port.

Enabling EAP relay or EAP termination

When you configure EAP relay or EAP termination, consider the following factors:
• The support of the RADIUS server for EAP packets
• The authentication methods supported by the 802.1X client and the RADIUS server

If the client uses only MD5-Challenge EAP authentication or the username + password EAP authentication initiated by an HP iNode 802.1X client, you can use either EAP termination or EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay. When you make your decision, see A comparison of EAP relay and EAP termination for help. For more information about EAP relay and EAP termination, see 802.1X authentication procedures.

To configure EAP relay or EAP termination:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure EAP relay or EAP termination.
   Command: dot1x authentication-method { chap | eap | pap }
   Remarks: Optional. By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server. Specify the eap keyword to enable EAP relay. Specify the chap or pap keyword to enable CHAP-enabled or PAP-enabled EAP termination.

NOTE: If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The access device sends the authentication data from the client to the server without any modification.

Setting the port authorization state

The port authorization state determines whether the client is granted access to the network. You can control the authorization state of a port by using the dot1x port-control command and the following keywords:
• authorized-force: Places the port in the authorized state, enabling users on the port to access the network without authentication.
• unauthorized-force: Places the port in the unauthorized state, denying any access requests from users on the port.
• auto: Places the port initially in the unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port to the authorized state to allow access to the network. You can use this option in most scenarios.

You can set the authorization state for one port in Ethernet interface view, or for multiple ports in system view. If different authorization states are set for a port in system view and Ethernet interface view, the one set later takes effect.

To set the authorization state of a port:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the port authorization state.
   Command (Approach 1, in system view): dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]
   Command (Approach 2, in Ethernet interface view): a. interface interface-type interface-number, then b. dot1x port-control { authorized-force | auto | unauthorized-force }
   Remarks: Optional. Use either approach. By default, auto applies.
Specifying an access control method

You can specify an access control method for one port in Ethernet interface view, or for multiple ports in system view. If different access control methods are specified for a port in system view and Ethernet interface view, the one specified later takes effect.

To use both 802.1X and portal authentication on a port, you must specify MAC-based access control. For information about portal authentication, see Configuring portal authentication.

To specify the access control method:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify an access control method.
   Command (Approach 1, in system view): dot1x port-method { macbased | portbased } [ interface interface-list ]
   Command (Approach 2, in Ethernet interface view): a. interface interface-type interface-number, then b. dot1x port-method { macbased | portbased }
   Remarks: Optional. Use either approach. By default, MAC-based access control applies.

Setting the maximum number of concurrent 802.1X users on a port

You can set the maximum number of concurrent 802.1X users for ports individually in Ethernet interface view or in bulk in system view. If different settings are configured for a port in both views, the setting configured later takes effect.

To set the maximum number of concurrent 802.1X users on a port:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the maximum number of concurrent 802.1X users on a port.
   Command (Approach 1, in system view): dot1x max-user user-number [ interface interface-list ]
   Command (Approach 2, in Ethernet interface view): a. interface interface-type interface-number, then b. dot1x max-user user-number [ interface interface-list ]
   Remarks: Optional. Use either approach. The default maximum number of concurrent 802.1X users on a port is 256.
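The following worked configuration is an added example, not taken from the guide, that ties the procedures in this chapter together for one user-facing port: 802.1X enabled globally and on the port, MAC-based access control so that each client is authenticated and VLAN-mapped on its own, EAP relay because the clients use PEAP, the auto authorization state, a per-port user limit, and the guest, Auth-Fail and critical VLAN fallbacks with re-authentication on recovery. The interface name, VLAN IDs and user limit are assumed values; the hybrid-port, MAC-based VLAN and guest/Auth-Fail/critical VLAN commands are assumed Comware 5 syntax, since this excerpt names those tasks but does not spell out their commands.

```text
# Assumed topology (example values): GigabitEthernet1/0/1 is a user-facing
# port; VLAN 10 is the production VLAN, VLAN 20 the guest VLAN, VLAN 30 the
# Auth-Fail VLAN and VLAN 40 the critical VLAN.
<Switch> system-view

# Enable 802.1X globally (disabled by default).
[Switch] dot1x

# Clients use PEAP, so EAP relay is required. The default, CHAP-based EAP
# termination, only covers MD5-Challenge and iNode username+password.
[Switch] dot1x authentication-method eap

[Switch] interface GigabitEthernet 1/0/1

# MAC-based VLAN manipulation requires a hybrid port with MAC-based VLAN
# enabled (assumed Comware 5 syntax). The fallback VLANs are untagged
# members, as the NOTEs above require; do not make them tagged later.
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet1/0/1] port hybrid vlan 10 20 30 40 untagged
[Switch-GigabitEthernet1/0/1] mac-vlan enable

# Enable 802.1X on the port and authenticate each client separately, so
# one user logging off does not log off everyone else (port-based would).
[Switch-GigabitEthernet1/0/1] dot1x
[Switch-GigabitEthernet1/0/1] dot1x port-method macbased

# auto is the default, but it is set here in interface view so that it
# is the later setting and wins over any system-view port-control.
[Switch-GigabitEthernet1/0/1] dot1x port-control auto

# Cap concurrent 802.1X users on this port (default is 256).
[Switch-GigabitEthernet1/0/1] dot1x max-user 8

# Fallback VLANs (assumed Comware 5 syntax): unauthenticated users land in
# VLAN 20, wrong-password failures in VLAN 30, RADIUS-unreachable in VLAN 40.
[Switch-GigabitEthernet1/0/1] dot1x guest-vlan 20
[Switch-GigabitEthernet1/0/1] dot1x auth-fail vlan 30
[Switch-GigabitEthernet1/0/1] dot1x critical vlan 40

# Once a RADIUS server is reachable again, re-authenticate users parked in
# the critical VLAN (unicast EAP-Request/Identity, since port-method is
# macbased) rather than leaving them with critical-VLAN access.
[Switch-GigabitEthernet1/0/1] dot1x critical recovery-action reinitialize
[Switch-GigabitEthernet1/0/1] quit
```

The ISP domain, RADIUS scheme and the ACL referenced under ACL assignment still have to be configured separately, as listed under Configuration prerequisites.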