HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1741
system-view
[SwitchB] radius-server user aaa
# Configure plaintext password aabbcc for user aaa.
[SwitchB-rdsuser-aaa] password simple aabbcc
[SwitchB-rdsuser-aaa] quit
# Specify the IP address of the RADIUS client as 10.1.1.1 and the plaintext shared key as abc.
[SwitchB] radius-server client-ip 10.1.1.1 key simple abc
4. Verify the configuration:
After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Switch A. Use the display connection command to view...
Page 1742
Analysis
1. The NAS and the RADIUS server cannot communicate with each other.
2. The NAS is not configured with the IP address of the RADIUS server.
3. The UDP ports for authentication/authorization and accounting are not correct.
4. The port numbers of the RADIUS server for authentication, authorization and accounting are being used by other applications.
Solution
Check that:
1. The communication links between the NAS and the RADIUS server work well at both physical and link layers.
2. ...
Page 1743
802.1X fundamentals
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs); it has since also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
802.1X architecture
802.1X operates in the client/server model. It comprises three entities: the client (the supplicant), the network access device (the...
Page 1744
Figure 35 Authorization state of a controlled port
In the unauthorized state, a controlled port controls traffic in one of the following ways:
• Performs bidirectional traffic control to deny traffic to and from the client.
• Performs unidirectional traffic control to deny traffic from the client.
The HP devices support only unidirectional traffic control.
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the...
Page 1745
Packet formats
EAP packet format
Figure 36 shows the EAP packet format.
Figure 36 EAP packet format
• Code — Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).
• Identifier — Used for matching Responses with Requests.
• Length — Length (in bytes) of the EAP packet. The value is the sum of the lengths of the Code, Identifier, Length, and Data fields, so it is never smaller than 4.
• Data — Content of the EAP packet. This field appears only in a Request or Response EAP...
Page 1746
Value  Type          Description
0x02   EAPOL-Logoff  The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.
• Length — Data length in bytes, or length of the Packet body. If the packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
• Packet body — Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.
EAP over RADIUS
RADIUS adds two attributes,...
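The two formats above (the EAP header with Code, Identifier, Length and Data, and the EAPOL header with Version, Type, Length and Packet body) are small enough to parse by hand. The following is an added example in Python, not code from the HP guide, that decodes both layers and enforces the Length rules the text states: an EAP Length below 4 or beyond the received bytes, or an EAPOL-Start/Logoff with a non-zero Length, is rejected instead of being trusted. The EAPOL Type values other than 0x02 and the EAP Type numbers (1 = Identity, 4 = MD5-Challenge) are taken from IEEE 802.1X and RFC 3748; the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAPOL packet types from IEEE 802.1X (the page excerpt only shows 0x02).
EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start", 0x02: "EAPOL-Logoff",
               0x03: "EAPOL-Key", 0x04: "EAPOL-Encapsulated-ASF-Alert"}
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0x00, 0x01, 0x02
# EAP Code values as listed on the page; Type values from RFC 3748.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


class ParseError(ValueError):
    """Raised for any frame whose Length fields are inconsistent; the caller should drop it."""


@dataclass
class EAPPacket:
    code: int
    identifier: int
    length: int
    data: bytes  # everything after the 4-byte header; empty for Success/Failure

    @property
    def eap_type(self) -> Optional[int]:
        # Request/Response Data begins with a one-byte Type; Success/Failure carry none.
        return self.data[0] if self.data else None

    def identity(self) -> Optional[bytes]:
        if self.code == EAP_RESPONSE and self.eap_type == EAP_TYPE_IDENTITY:
            return self.data[1:]
        return None


@dataclass
class EAPOLFrame:
    version: int
    packet_type: int
    length: int
    body: bytes
    eap: Optional[EAPPacket]  # populated only for EAP-Packet


def parse_eap(buf: bytes) -> EAPPacket:
    if len(buf) < 4:
        raise ParseError("EAP header needs 4 bytes")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ParseError(f"unknown EAP Code {code}")
    # Length covers Code+Identifier+Length+Data: never below 4, never beyond what arrived.
    if length < 4 or length > len(buf):
        raise ParseError(f"EAP Length {length} inconsistent with {len(buf)} received bytes")
    data = buf[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE) and data:
        raise ParseError("Success/Failure carry no Data field")
    if code in (EAP_REQUEST, EAP_RESPONSE) and not data:
        raise ParseError("Request/Response must carry a Type byte")
    return EAPPacket(code, identifier, length, data)


def parse_eapol(frame: bytes) -> EAPOLFrame:
    """Parse the EAPOL PDU that follows the Ethernet header."""
    if len(frame) < 4:
        raise ParseError("EAPOL header needs 4 bytes")
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    if packet_type not in EAPOL_TYPES:
        raise ParseError(f"unknown EAPOL Type 0x{packet_type:02x}")
    if 4 + length > len(frame):
        raise ParseError(f"EAPOL Length {length} exceeds the frame")
    if packet_type in (EAPOL_START, EAPOL_LOGOFF) and length != 0:
        raise ParseError("EAPOL-Start/Logoff must have Length 0 and no Packet body")
    body = frame[4:4 + length]  # bytes past Length are Ethernet padding and are ignored
    eap = parse_eap(body) if packet_type == EAPOL_EAP_PACKET else None
    return EAPOLFrame(version, packet_type, length, body, eap)


def build_eap(code: int, identifier: int, data: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def build_eapol(packet_type: int, body: bytes = b"", version: int = 1) -> bytes:
    return struct.pack("!BBH", version, packet_type, len(body)) + body


# Constructed sample frames (not captures from the page).
SAMPLE_START = bytes.fromhex("01010000")
SAMPLE_LOGOFF = bytes.fromhex("01020000")
SAMPLE_ID_REQUEST = build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])))
SAMPLE_ID_RESPONSE = build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + b"aaa"))
SAMPLE_TRUNCATED = SAMPLE_ID_RESPONSE[:-2]  # both Length fields now overstate the data

if __name__ == "__main__":
    for name, raw in [("start", SAMPLE_START), ("logoff", SAMPLE_LOGOFF), ("id-request", SAMPLE_ID_REQUEST),
                      ("id-response", SAMPLE_ID_RESPONSE), ("truncated", SAMPLE_TRUNCATED)]:
        try:
            f = parse_eapol(raw)
            print(name, EAPOL_TYPES[f.packet_type], f.eap)
        except ParseError as e:
            print(name, "rejected:", e)
```

The truncated sample is the case worth keeping in mind on an access device: a Length that claims more bytes than arrived must be rejected before any field behind it is read, and padding beyond Length must not be interpreted as part of the body.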
Page 1747
the authentication server does not support the multicast address, you must use an 802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.
Access device as the initiator
The access device initiates authentication if a client, the 802.1X client available with Windows XP for example, cannot send EAPOL-Start packets. The access device supports the following modes:
• Multicast trigger mode — The access device multicasts Identity EAP-Request packets...
Page 1748
A comparison of EAP relay and EAP termination
Packet exchange method: EAP relay
  Benefits:
  • Supports various EAP authentication methods.
  • The configuration and processing are simple on the network access device.
  Limitations:
  • The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.
Packet exchange method: EAP termination
  Benefits:
  • Works with any RADIUS server that supports PAP or CHAP authentication.
  Limitations:
  • Supports only MD5-Challenge EAP...
Page 1749
Figure 42 802.1X authentication procedure in EAP relay mode
1. When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device.
2. The network access device responds with an Identity EAP-Request packet to ask for the client username.
3. In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access...
Page 1750
9. The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device.
10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
11. After the client...
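The following is an added example, not code from the HP guide, that plays steps 5 to 9 of the EAP relay procedure above with the MD5-Challenge method named in the comparison table, and wraps the client's EAP-Response in the two RADIUS attributes from the EAP over RADIUS section (EAP-Message and Message-Authenticator) the way the network access device does. It assumes the MD5-Challenge hash MD5(Identifier || password || challenge) from RFC 1994/RFC 3748, attribute numbers 79 and 80 and the HMAC-MD5-over-the-zeroed-packet rule from RFC 2869/RFC 3579. User aaa, password aabbcc and shared key abc come from the configuration example; the identifier values, function names and the tamper test are the example's own, and both sides run in one process.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge value: MD5(Identifier || password || challenge), as in CHAP (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_challenge_request(identifier: int, challenge: bytes, name: bytes = b"") -> bytes:
    """Step 5, server side: an MD5-Challenge EAP-Request carrying a fresh random challenge."""
    data = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + name
    return struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(data)) + data


def build_md5_challenge_response(request: bytes, password: bytes, name: bytes) -> bytes:
    """Client side: hash the password with the Identifier and challenge taken from the Request."""
    _, identifier, _ = struct.unpack("!BBH", request[:4])
    value_size = request[5]
    challenge = request[6:6 + value_size]
    value = md5_challenge_value(identifier, password, challenge)
    data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(data)) + data


def server_verify(response: bytes, identifier: int, password: bytes, challenge: bytes) -> bool:
    """Step 9: recompute the value from the stored password and the challenge issued in step 5."""
    if len(response) < 22:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != EAP_RESPONSE or ident != identifier or length != len(response):
        return False
    if response[4] != EAP_TYPE_MD5_CHALLENGE or response[5] != 16:
        return False
    expected = md5_challenge_value(identifier, password, challenge)
    return hmac.compare_digest(response[6:22], expected)  # constant-time comparison


def radius_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(identifier: int, authenticator: bytes, username: bytes,
                         eap_packet: bytes, secret: bytes) -> bytes:
    """NAS side of EAP relay: carry the EAP packet in EAP-Message (79) and sign the whole
    Access-Request with Message-Authenticator (80) = HMAC-MD5(secret, packet with 80 zeroed)."""
    attrs = radius_attr(ATTR_USER_NAME, username)
    for i in range(0, len(eap_packet), 253):  # an attribute value holds at most 253 bytes
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, last attribute
    packet = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def iter_attrs(packet: bytes):
    offset = 20
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, offset, packet[offset + 2:offset + attr_len]
        offset += attr_len


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: an Access-Request with EAP-Message but no valid Message-Authenticator
    is silently discarded (RFC 3579), which is why the server must support attribute 80."""
    for attr_type, offset, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def extract_eap(packet: bytes) -> bytes:
    """Reassemble the EAP-Message fragments, in order, into the original EAP packet."""
    return b"".join(v for t, _, v in iter_attrs(packet) if t == ATTR_EAP_MESSAGE)


def run_exchange(client_password: bytes, server_password: bytes = b"aabbcc",
                 secret: bytes = b"abc", tamper: bool = False) -> bool:
    """Steps 5 to 9 with both sides in one process; True stands for Access-Accept."""
    identifier, challenge = 7, os.urandom(16)
    request = build_md5_challenge_request(identifier, challenge)                  # server -> NAS -> client
    response = build_md5_challenge_response(request, client_password, b"aaa")      # client -> NAS
    access_request = build_access_request(42, os.urandom(16), b"aaa", response, secret)  # NAS -> server
    if tamper:  # flip a bit in the first EAP-Message attribute in transit
        access_request = access_request[:25] + bytes([access_request[25] ^ 1]) + access_request[26:]
    if not verify_message_authenticator(access_request, secret):
        return False
    return server_verify(extract_eap(access_request), identifier, server_password, challenge)


if __name__ == "__main__":
    print("correct password:", run_exchange(b"aabbcc"))
    print("wrong password:  ", run_exchange(b"wrong"))
    print("tampered packet: ", run_exchange(b"aabbcc", tamper=True))
```

Two details carry the security weight here: the server checks the response against the challenge it issued, bound to the same Identifier, so a response replayed from an earlier exchange fails; and the Message-Authenticator check runs before the EAP payload is even reassembled, which is the reason the comparison table lists support for that attribute as a requirement on the RADIUS server in EAP relay mode.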