
HP A 5120 Manual

Here you can view all the pages of manual HP A 5120 Manual. The HP manuals for Switch are available online for free. You can easily download all the documents as PDF.

Page 91

 
Enabling the quiet timer
The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication.
You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.
Follow these steps to enable the quiet timer:
To do…              Use the command…    Remarks
Enter system view   system-view         —
Enable the quiet timer...

Page 92

 
Configuring an 802.1X guest VLAN
Configuration guidelines
Follow these guidelines when configuring an 802.1X guest VLAN:
• You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
• Assign different IDs for the voice VLAN, the default VLAN, and the 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN tagged traffic.
• With 802.1X authentication, a hybrid port is always assigned to a...

Page 93

 
To do… Use the command… Remarks 
interface view 
dot1x guest-vlan guest-vlan-id 
 
Configuring an Auth-Fail VLAN
Configuration guidelines
Follow these guidelines when configuring an 802.1X Auth-Fail VLAN:
• Assign different IDs for the voice VLAN, the default VLAN, and the 802.1X guest VLAN on a port, so the port can correctly process VLAN tagged incoming traffic.
• You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be...

Page 94

 
Displaying and maintaining 802.1X
To do…: Display 802.1X session information, statistics, or configuration information of specified or all ports
Use the command…: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do…: Clear 802.1X statistics
Use the command…: reset dot1x statistics [ interface interface-list ]
Remarks: Available in user view
 
802.1X configuration examples 
802.1X authentication configuration example...

Page 95

 
 
1. Configure the 802.1X client. If iNode is used, do not select the Carry version info option in the client configuration. (Details not shown)
2. Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown)
3. Configure user accounts for the 802.1X users on the access device.
# Add a local user with the username localuser, and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server.)...

Page 96

 
[Device-isp-aabbcc.net] access-limit enable 30 
# Configure the idle cut function to log off any online domain user that has been idle for 20 minutes. 
[Device-isp-aabbcc.net] idle-cut enable 20 
[Device-isp-aabbcc.net] quit 
# Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain.
[Device] domain default enable aabbcc.net 
6. Configure 802.1X. 
# Enable 802.1X globally. 
[Device] dot1x 
# Enable 802.1X...

Page 97

 
Figure 34 Network diagram for 802.1X with guest VLAN and VLAN assignment configuration 
 
 
Configuration procedure 
 
NOTE:
The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configurations on the 802.1X client and RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see the Security Command Reference.
1. Configure the 802.1X client. Make sure the client is able to update its IP address after the access...

Page 98

 
[Device-vlan5] quit 
4. Configure a RADIUS scheme. 
# Configure RADIUS scheme 2000 and enter its view. 
<Device> system-view
[Device] radius scheme 2000 
# Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.
[Device-radius-2000] primary authentication 10.11.1.1 1812 
[Device-radius-2000] primary accounting 10.11.1.1 1813 
[Device-radius-2000] key authentication abc 
[Device-radius-2000] key accounting abc 
#...

Page 99

 
802.1X with ACL assignment configuration example 
Network requirements 
As shown in Figure 35, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device.
Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server. Assign an ACL to GigabitEthernet 1/0/1 to deny 802.1X users access to the FTP server....

Page 100

 
[Device] domain 2000 
[Device-isp-2000] authentication default radius-scheme 2000 
[Device-isp-2000] authorization default radius-scheme 2000 
[Device-isp-2000] accounting default radius-scheme 2000 
[Device-isp-2000] quit 
# Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1. 
[Device] acl number 3000 
[Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 
# Enable 802.1X globally.  
[Device] dot1x 
# Enable 802.1X on port GigabitEthernet 1/0/1. 
[Device] interface...