HP 5500 Ei 5500 Si Switch Series Configuration Guide
Setting the maximum number of authentication request attempts

The network access device retransmits an authentication request if it receives no response from the client within the timeout for that request type: the username request timeout timer (dot1x timer tx-period tx-period-value) for Identity requests, or the client timeout timer (dot1x timer supp-timeout supp-timeout-value) for EAP-Request/MD5 Challenge packets. The device stops retransmitting the request once it has made the maximum number of request attempts without receiving a response.

To set the maximum number of authentication request attempts:
1. Enter system view.
   Command: system-view
2. Set the maximum number of attempts for sending an authentication request.
   Command: dot1x retry max-retry-value
   Remarks: Optional. The default setting is 2.

Setting the 802.1X authentication timeout timers

The network access device uses the following 802.1X authentication timeout timers:
• Client timeout timer: starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
• Server timeout timer: starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

You can set the client timeout timer to a high value in a low-performance network, and adjust the server timeout timer to match the response time of your authentication servers. In most cases, the default settings are sufficient.

To set the 802.1X authentication timeout timers:
1. Enter system view.
   Command: system-view
2. Set the client timeout timer.
   Command: dot1x timer supp-timeout supp-timeout-value
   Remarks: Optional. The default is 30 seconds.
3. Set the server timeout timer.
   Command: dot1x timer server-timeout server-timeout-value
   Remarks: Optional. The default is 100 seconds.
Configuring the online user handshake function

The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command. If no response is received from an online user after the maximum number of handshake attempts (set by the dot1x retry command) has been made, the network access device sets the user in the offline state.

If iNode clients are deployed, you can also enable the online handshake security function to check for 802.1X users that use illegal client software to bypass security inspection such as proxy detection and dual network interface card (NIC) detection. This function checks the authentication information in client handshake messages. If a user fails this check, the network access device logs the user off.

Configuration guidelines
Follow these guidelines when you configure the online user handshake function:
• To use the online handshake security function, make sure the online user handshake function is enabled. HP recommends that you use the iNode client software and IMC server to guarantee the normal operation of the online user handshake security function.
• If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down.

Configuration procedure
To configure the online user handshake function:
1. Enter system view.
   Command: system-view
2. Set the handshake timer.
   Command: dot1x timer handshake-period handshake-period-value
   Remarks: Optional. The default is 15 seconds.
3. Enter Ethernet interface view.
   Command: interface interface-type interface-number
4. Enable the online handshake function.
   Command: dot1x handshake
   Remarks: Optional. By default, the function is enabled.
5. Enable the online handshake security function.
   Command: dot1x handshake secure
   Remarks: Optional. By default, the function is disabled.

Configuring the authentication trigger function

The authentication trigger function enables the network access device to initiate 802.1X authentication when 802.1X clients cannot initiate authentication themselves.
This function provides the following types of authentication trigger:
• Multicast trigger: periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X clients and trigger authentication.
• Unicast trigger: enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device sends a unicast Identity EAP-Request packet to the unknown source MAC address, and retransmits the packet if it has received no response within a period of time. This process continues until the maximum number of request attempts set with the dot1x retry command (see "Setting the maximum number of authentication request attempts") is reached.

The identity request timeout timer (dot1x timer tx-period) sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger.

Configuration guidelines
Follow these guidelines when you configure the authentication trigger function:
• Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication.
• Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication.
• To avoid duplicate authentication packets, do not enable both triggers on a port.

Configuration procedure
To configure the authentication trigger function on a port:
1. Enter system view.
   Command: system-view
2. Set the username request timeout timer.
   Command: dot1x timer tx-period tx-period-value
   Remarks: Optional. The default is 30 seconds.
3. Enter Ethernet interface view.
   Command: interface interface-type interface-number
4. Enable an authentication trigger.
   Command: dot1x { multicast-trigger | unicast-trigger }
   Remarks: Required if you want to enable the unicast trigger. By default, the multicast trigger is enabled, and the unicast trigger is disabled.

Specifying a mandatory authentication domain on a port

You can place all 802.1X users on a port in a mandatory authentication domain for authentication, authorization, and accounting. No user can use an account in any other domain to access the network through the port, whatever domain name the supplied username carries. A mandatory authentication domain makes 802.1X access control deployment more flexible.

To specify a mandatory authentication domain for a port:
1. Enter system view.
   Command: system-view
2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
3. Specify a mandatory 802.1X authentication domain on the port.
   Command: dot1x mandatory-domain domain-name
   Remarks: By default, no mandatory 802.1X authentication domain is specified.
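The retry count, the three timeout timers, the handshake and the trigger settings from the sections above interact on a port, so here they are combined in one configuration as an added example (this is not configuration from the guide). It assumes that 802.1X is already enabled globally and on GigabitEthernet 1/0/1, that the ISP domain corp.net already exists, and that the port serves a few clients that cannot send EAPOL-Start; the interface name, domain name and timer values are illustrative.

```text
# Added example (not from the guide). Assumes 802.1X is already enabled
# globally and on GigabitEthernet 1/0/1, and that ISP domain corp.net exists.
<Device> system-view
# Identity requests: resend every 30 s if unanswered (the default, shown explicitly).
[Device] dot1x timer tx-period 30
# EAP-Request/MD5 Challenge: give a slow client 45 s before resending.
[Device] dot1x timer supp-timeout 45
# RADIUS Access-Request: wait 100 s (default) before resending to the server.
[Device] dot1x timer server-timeout 100
# One retry count serves three purposes: authentication request retransmits,
# unicast-trigger retransmits, and unanswered handshakes before a user is set
# offline. Raising it to 3 tolerates lossy clients but delays offline detection.
[Device] dot1x retry 3
# Handshake every 15 s (default); 3 unanswered handshakes set the user offline.
[Device] dot1x timer handshake-period 15
[Device] interface GigabitEthernet 1/0/1
# The clients here cannot send EAPOL-Start and there are only a few of them:
# use the unicast trigger and switch off the (default-on) multicast trigger so
# the port never runs both and sends duplicate Identity requests.
[Device-GigabitEthernet1/0/1] undo dot1x multicast-trigger
[Device-GigabitEthernet1/0/1] dot1x unicast-trigger
# Keep the handshake on (default) but leave "dot1x handshake secure" off
# unless every client on the port is HP iNode managed by IMC.
[Device-GigabitEthernet1/0/1] dot1x handshake
# Force every user on this port into corp.net, whatever domain the username carries.
[Device-GigabitEthernet1/0/1] dot1x mandatory-domain corp.net
[Device-GigabitEthernet1/0/1] quit
# Verify the effective timers, retry count and trigger state on the port.
[Device] display dot1x interface GigabitEthernet 1/0/1
```

The point to keep in mind is the shared retry count: because dot1x retry bounds both the request retransmissions and the handshake attempts, a value chosen to tolerate slow supplicants also lengthens the time a silently disconnected user stays in the online table (roughly the retry count multiplied by the handshake period).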
Configuring the quiet timer

The quiet timer makes the network access device wait a period of time before it processes any further authentication request from a client that has failed 802.1X authentication. Set the quiet timer to a high value in a vulnerable network (a longer quiet period slows down repeated authentication attempts from a failed client) or to a low value for a quicker authentication response.

To configure the quiet timer:
1. Enter system view.
   Command: system-view
2. Enable the quiet timer.
   Command: dot1x quiet-period
   Remarks: By default, the timer is disabled.
3. Set the quiet timer.
   Command: dot1x timer quiet-period quiet-period-value
   Remarks: Optional. The default is 60 seconds.

Enabling the periodic online user re-authentication function

Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. The re-authentication interval is user configurable.

Configuration guidelines
• The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device and enables periodic online user re-authentication even if the function is not configured on the device. Support for server assignment of the re-authentication timer, and how the timer is configured on the server, vary with servers.
• The VLAN assignment status must be consistent before and after re-authentication. If the authentication server assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.
• If no critical VLAN is configured, an unreachable RADIUS server can cause an online user that is being re-authenticated to be logged off. If a critical VLAN is configured, the user remains online in the original VLAN.

Configuration procedure
To enable the periodic online user re-authentication function:
1. Enter system view.
   Command: system-view
2. Set the periodic re-authentication timer.
   Command: dot1x timer reauth-period reauth-period-value
   Remarks: Optional. The default is 3600 seconds.
3. Enter Ethernet interface view.
   Command: interface interface-type interface-number
4. Enable periodic online user re-authentication.
   Command: dot1x re-authenticate
   Remarks: By default, the function is disabled.

Configuring an 802.1X guest VLAN

Configuration guidelines
Follow these guidelines when you configure an 802.1X guest VLAN:
• You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN-tagged traffic.
• With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
• Use Table 6 when configuring multiple security features on a port.

Table 6 Relationships of the 802.1X guest VLAN and other security features
Feature: Super VLAN
  Relationship: You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN.
  Reference: See Layer 2 - LAN Switching Configuration Guide.
Feature: MAC authentication guest VLAN on a port that performs MAC-based access control
  Relationship: Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication is not assigned to the MAC authentication guest VLAN.
  Reference: See "Configuring MAC authentication".
Feature: 802.1X Auth-Fail VLAN on a port that performs MAC-based access control
  Relationship: The 802.1X Auth-Fail VLAN has a higher priority than the 802.1X guest VLAN.
  Reference: See "Using 802.1X authentication with other features".
Feature: Port intrusion protection on a port that performs MAC-based access control
  Relationship: The 802.1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
  Reference: See "Configuring port security".

Configuration prerequisites
• Create the VLAN to be specified as the 802.1X guest VLAN.
• If the 802.1X-enabled port performs port-based access control, enable the 802.1X multicast trigger (dot1x multicast-trigger).
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member. For more information about the MAC-based VLAN function, see Layer 2 - LAN Switching Configuration Guide.

Configuration procedure
To configure an 802.1X guest VLAN:
1. Enter system view.
   Command: system-view
2. Configure an 802.1X guest VLAN for one or more ports. Use either approach.
   Approach 1, in system view: dot1x guest-vlan guest-vlan-id [ interface interface-list ]
   Approach 2, in Ethernet interface view: interface interface-type interface-number, then dot1x guest-vlan guest-vlan-id
   Remarks: By default, no 802.1X guest VLAN is configured on any port.

Configuring an Auth-Fail VLAN

Configuration guidelines
Follow these guidelines when configuring an 802.1X Auth-Fail VLAN:
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X Auth-Fail VLAN on a port, so the port can correctly process incoming VLAN-tagged traffic.
• You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be different.
• Use Table 7 when configuring multiple security features on a port.

Table 7 Relationships of the 802.1X Auth-Fail VLAN with other features
Feature: Super VLAN
  Relationship: You cannot specify a VLAN as both a super VLAN and an 802.1X Auth-Fail VLAN.
  Reference: See Layer 2 - LAN Switching Configuration Guide.
Feature: MAC authentication guest VLAN on a port that performs MAC-based access control
  Relationship: The 802.1X Auth-Fail VLAN has a higher priority.
  Reference: See "Configuring MAC authentication".
Feature: Port intrusion protection on a port that performs MAC-based access control
  Relationship: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
  Reference: See "Configuring port security".
Configuration prerequisites
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.1X-enabled port performs port-based access control, enable the 802.1X multicast trigger (dot1x multicast-trigger).
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member. For more information about the MAC-based VLAN function, see Layer 2 - LAN Switching Configuration Guide.

Configuration procedure
To configure an Auth-Fail VLAN:
1. Enter system view.
   Command: system-view
2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
3. Configure the Auth-Fail VLAN on the port.
   Command: dot1x auth-fail vlan authfail-vlan-id
   Remarks: By default, no Auth-Fail VLAN is configured.

Configuring an 802.1X critical VLAN

Configuration guidelines
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X critical VLAN on a port, so the port can correctly process incoming VLAN-tagged traffic.
• You can configure only one 802.1X critical VLAN on a port. The 802.1X critical VLANs on different ports can be different.
• You cannot specify a VLAN as both a super VLAN and an 802.1X critical VLAN. For information about super VLANs, see Layer 2 - LAN Switching Configuration Guide.

Configuration prerequisites
• Create the VLAN to be specified as the critical VLAN.
• If the 802.1X-enabled port performs port-based access control, enable the 802.1X multicast trigger (dot1x multicast-trigger).
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X critical VLAN as an untagged member. For more information about the MAC-based VLAN function, see Layer 2 - LAN Switching Configuration Guide.

Configuration procedure
To configure an 802.1X critical VLAN:
1. Enter system view.
   Command: system-view
2. Enter Layer 2 Ethernet interface view.
   Command: interface interface-type interface-number
3. Configure an 802.1X critical VLAN on the port.
   Command: dot1x critical vlan vlan-id
   Remarks: By default, no critical VLAN is configured.
4. Configure the port to trigger 802.1X authentication for users in the critical VLAN when a reachable authentication server is detected.
   Command: dot1x critical recovery-action reinitialize
   Remarks: Optional. By default, when a reachable RADIUS server is detected, the system removes the port or the 802.1X users from the critical VLAN without triggering authentication.

Specifying supported domain name delimiters

By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users that use other domain name delimiters. The configurable delimiters are the at sign (@), the backslash (\), and the forward slash (/).

If an 802.1X username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter. For example, if you configure @, /, and \ as delimiters, the domain name delimiter for the username string 123/22\@abc is the forward slash (/). If a username string contains none of the delimiters, the access device authenticates the user in the mandatory or default ISP domain. The access device selects a domain delimiter from the delimiter set in this order: @, /, and \.

To specify a set of domain name delimiters:
1. Enter system view.
   Command: system-view
2. Specify a set of domain name delimiters for 802.1X users.
   Command: dot1x domain-delimiter string
   Remarks: Optional. By default, only the at sign (@) delimiter is supported.

NOTE: If you configure the access device to include the domain name in the username sent to the RADIUS server, make sure the RADIUS server recognizes the domain delimiter used in the username. For username format configuration, see the user-name-format command in Security Command Reference.

Displaying and maintaining 802.1X
Task: Display 802.1X session information, statistics, or configuration information of specified or all ports.
  Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear 802.1X statistics.
  Command: reset dot1x statistics [ interface interface-list ]
  Remarks: Available in user view.

802.1X authentication configuration example

Network requirements
As shown in Figure 44, the access device performs 802.1X authentication for users that connect to port GigabitEthernet 1/0/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users.

Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS authentication fails, perform local authentication on the access device. If RADIUS accounting fails, the access device logs the user off.

Configure the host at 10.1.1.1 as the primary authentication and accounting server, and the host at 10.1.1.2 as the secondary authentication and accounting server. Assign all users to the ISP domain aabbcc.net, which accommodates up to 30 users.

Configure the shared key as name for packets between the access device and the authentication server, and the shared key as money for packets between the access device and the accounting server.

Figure 44 Network diagram

Configuration procedure
1. Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.)
2. Configure the RADIUS servers and add user accounts for the 802.1X users. For information about the RADIUS commands used on the access device in this example, see Security Command Reference. (Details not shown.)
3. Assign an IP address to each interface on the access device. (Details not shown.)
4. Configure user accounts for the 802.1X users on the access device:
# Add a local user with the username localuser and the password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server. The simple keyword stores the password in plaintext in the configuration; use password cipher if the configuration file must not expose it.)
<Device> system-view
[Device] local-user localuser
[Device-luser-localuser] service-type lan-access
[Device-luser-localuser] password simple localpass
# Configure the idle cut function to log off any online user that has been idle for 20 minutes.
[Device-luser-localuser] authorization-attribute idle-cut 20
[Device-luser-localuser] quit

5. Configure a RADIUS scheme:
# Create the RADIUS scheme radius1 and enter its view.
[Device] radius scheme radius1
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
# Specify the IP addresses of the secondary authentication and accounting RADIUS servers.
[Device-radius-radius1] secondary authentication 10.1.1.2
[Device-radius-radius1] secondary accounting 10.1.1.2
# Specify the shared key between the access device and the authentication server.
[Device-radius-radius1] key authentication name
# Specify the shared key between the access device and the accounting server.
[Device-radius-radius1] key accounting money
# Exclude the ISP domain name from the username sent to the RADIUS servers.
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit

NOTE: The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device.

6. Configure the ISP domain:
# Create the ISP domain aabbcc.net and enter its view.
[Device] domain aabbcc.net
# Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.
[Device-isp-aabbcc.net] authentication lan-access radius-scheme radius1 local
[Device-isp-aabbcc.net] authorization lan-access radius-scheme radius1 local
[Device-isp-aabbcc.net] accounting lan-access radius-scheme radius1 local
# Set the maximum number of concurrent users in the domain to 30.
[Device-isp-aabbcc.net] access-limit enable 30
# Configure the idle cut function to log off any online domain user that has been idle for 20 minutes.
[Device-isp-aabbcc.net] idle-cut enable 20
[Device-isp-aabbcc.net] quit
# Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain.
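The guide's example stops before the port-side settings that its network requirements call for (MAC-based access control on GigabitEthernet 1/0/1). The following completes that side as an added example, not the guide's own configuration, and also applies the quiet timer, periodic re-authentication, and the guest, Auth-Fail and critical VLANs from the earlier sections. It assumes VLAN 100 is the working VLAN for authenticated users, that VLANs 10, 20 and 30 are unused and become the guest, Auth-Fail and critical VLANs, and that access out of those three VLANs is restricted elsewhere (for example by ACLs on their gateway); all VLAN IDs and timer values are illustrative.

```text
# Added example (not part of the guide's own example). Continues the scenario
# above on the port side. Assumed: VLAN 100 is the working VLAN for
# authenticated users; VLANs 10, 20 and 30 are reserved as the guest, Auth-Fail
# and critical VLANs and carry only restricted access.
[Device] vlan 10
[Device-vlan10] quit
[Device] vlan 20
[Device-vlan20] quit
[Device] vlan 30
[Device-vlan30] quit
[Device] vlan 100
[Device-vlan100] quit
# The quiet timer is off by default: turn it on so a client that fails
# authentication is ignored for 60 s instead of being allowed to retry at once.
[Device] dot1x quiet-period
[Device] dot1x timer quiet-period 60
# Re-authenticate online users every 30 minutes unless the RADIUS server
# overrides this with a session-timeout attribute.
[Device] dot1x timer reauth-period 1800
# Enable 802.1X globally.
[Device] dot1x
[Device] interface GigabitEthernet 1/0/1
# Prerequisites for guest, Auth-Fail and critical VLANs under MAC-based access
# control: hybrid port, untagged member of every candidate VLAN, MAC-based VLAN.
[Device-GigabitEthernet1/0/1] port link-type hybrid
[Device-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Device-GigabitEthernet1/0/1] port hybrid vlan 10 20 30 100 untagged
[Device-GigabitEthernet1/0/1] mac-vlan enable
# MAC-based access control: one user's logoff does not affect the others.
[Device-GigabitEthernet1/0/1] dot1x port-method macbased
# Guest VLAN: no 802.1X client answered the identity requests. Auth-Fail VLAN:
# the client answered but failed. Critical VLAN: no RADIUS server was reachable.
[Device-GigabitEthernet1/0/1] dot1x guest-vlan 10
[Device-GigabitEthernet1/0/1] dot1x auth-fail vlan 20
[Device-GigabitEthernet1/0/1] dot1x critical vlan 30
# When a server becomes reachable again, re-authenticate critical-VLAN users
# instead of merely moving them out of the VLAN.
[Device-GigabitEthernet1/0/1] dot1x critical recovery-action reinitialize
# Periodic re-authentication is per port and off by default.
[Device-GigabitEthernet1/0/1] dot1x re-authenticate
# Enable 802.1X on the port last, once the VLAN membership is in place.
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
# Confirm the port method, VLAN assignments and timers took effect.
[Device] display dot1x interface GigabitEthernet 1/0/1
```

Two checks worth doing after applying this: confirm with display dot1x that the guest, Auth-Fail and critical VLAN IDs differ from the port VLAN (100) and from any voice VLAN on the port, since the guidelines above require distinct IDs, and confirm that the RADIUS server either sends no VLAN or always sends one for this user, because a VLAN assigned at first authentication but not at re-authentication logs the user off.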