HP A 5120 Manual

Page 81

71
802.1X configuration
This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, for example, that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter. It is described in the chapter "Port security configuration."
HP implementation of 802.1X
Access control...

Page 82

72
Access control / VLAN manipulation
- MAC-based:
  - If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address of each user to the VLAN assigned by the authentication server. The default VLAN of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
  - Assigns the VLAN of the first authenticated user to the port as the default VLAN. If a different VLAN is assigned for a subsequent user, the user cannot pass the authentication....

Page 83

73
Authentication status / VLAN manipulation
- A user has not passed 802.1X authentication yet: Creates a mapping between the MAC address of the user and the 802.1X guest VLAN. The user can access resources in the guest VLAN.
- A user in the 802.1X guest VLAN fails 802.1X authentication: If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the user...

Page 84

74
2. On a port that performs MAC-based access control
Authentication status / VLAN manipulation
- A user fails 802.1X authentication: Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.
- A user in the Auth-Fail VLAN fails 802.1X re-authentication: The user is still in the Auth-Fail VLAN.
- A user in the Auth-Fail VLAN passes 802.1X authentication: Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication...

Page 85

75
Task / Remarks
- Setting the port authorization state: Optional
- Specifying an access control method: Optional
- Setting the maximum number of concurrent 802.1X users on a port: Optional
- Setting the maximum number of authentication request attempts: Optional
- Setting the 802.1X authentication timeout timers: Optional
- Configuring the online user handshake function: Optional
- Configuring the authentication trigger function: Optional
- Specifying a mandatory authentication domain on a port: Optional
- Enabling...

Page 86

76
use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP termination" for help.
For more information about EAP relay and EAP termination, see "802.1X authentication procedures."
Follow these steps to configure EAP relay or EAP termination:
To do… / Use the command… / Remarks
- Enter system view: system-view (—)
- Configure EAP relay or EAP termination: dot1x authentication-method { chap | eap |...

Page 87

77
To do… / Use the command… / Remarks
- Set the port authorization state (use either approach):
  - In system view: dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]
  - In Layer 2 Ethernet interface view: interface interface-type interface-number, then dot1x port-control { authorized-force | auto | unauthorized-force }
  Remarks: Optional. By default, auto applies.

Specifying an access control method
You can specify an access control method for one port in...

Page 88

78

Setting the maximum number of authentication request attempts
The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command). The network access device stops retransmitting the request, if it has made the maximum number of request transmission...

Page 89

79
If iNode clients are deployed, you can also enable the online handshake security function to check for 802.1X users that use illegal client software to bypass security inspection such as proxy detection and dual network interface cards (NICs) detection. This function checks the authentication information in client handshake messages. If a user fails the authentication, the network access device logs the user off.
Configuration guidelines
Follow these guidelines...

Page 90

80
response within a period of time. This process continues until the maximum number of request attempts set with the dot1x retry command (see "Setting the maximum number of authentication request attempts") is reached.
The identity request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger.
Configuration guidelines
Follow these guidelines when you configure the...