HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1751
86 EAP termination Figure 43 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used. Figure 43 802.1X authentication procedure in EAP termination mode In EAP termination mode, it is the network access device, rather than the authentication server, that generates the MD5 challenge used to protect the password (see Step 4). The network access device then sends the MD5 challenge together with the username and the MD5-hashed password in a standard...
Page 1752
87 Configuring 802.1X This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter. It is described in Configuring port security. HP implementation of 802.1X Access control methods HP implements port-based...
Page 1753
88 With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN. On a port with periodic online user re-authentication enabled, if a user was already online before you enabled the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed. Guest VLAN You can configure a guest...
Page 1754
89 Authentication status / VLAN manipulation
Authentication status: A user in the 802.1X guest VLAN passes 802.1X authentication.
VLAN manipulation: Re-maps the MAC address of the user to the VLAN specified for the user. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port.
NOTE: The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
Auth-Fail VLAN You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X...
Page 1755
90 Authentication status / VLAN manipulation
Authentication status: A user in the Auth-Fail VLAN fails 802.1X re-authentication.
VLAN manipulation: The user is still in the Auth-Fail VLAN.
Authentication status: A user in the Auth-Fail VLAN passes 802.1X authentication.
VLAN manipulation: Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port.
NOTE: The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member....
Page 1756
91 Authentication status / VLAN manipulation
Authentication status: A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable.
VLAN manipulation: The PVID of the port remains unchanged. All 802.1X users on this port can access only resources in the guest VLAN or the Auth-Fail VLAN.
2. On a port that performs MAC-based access control To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you must make sure that the port is a hybrid...
Page 1757
92
• The RADIUS server probing function detects that a RADIUS authentication server is reachable and sets its state to active.
You can use the dot1x critical recovery-action reinitialize command to configure the port to trigger 802.1X re-authentication when the port or an 802.1X user on the port is removed from the critical VLAN.
• If MAC-based access control is used, the port sends a unicast Identity EAP/Request to the 802.1X user to trigger authentication.
• If port-based access...
Page 1758
93 Enabling 802.1X Configuration guidelines
• If the PVID of a port is a voice VLAN, the 802.1X function cannot take effect on the port. For more information about voice VLANs, see Layer 2 - LAN Switching Configuration Guide.
• 802.1X is mutually exclusive with link aggregation and service loopback group configuration on a port.
• Do not use the BPDU drop feature on an 802.1X-enabled port. The BPDU drop feature discards the 802.1X packets that arrive on the port, so authentication cannot complete.
• On an 802.1X and MAC...
Page 1759
94 Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure EAP relay or EAP termination.
   Command: dot1x authentication-method { chap | eap | pap }
   Remarks: Optional. By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server. Specify the eap keyword to enable EAP relay, in which the device forwards EAP packets to the server unchanged. Specify the chap or pap keyword to enable CHAP-enabled or PAP-enabled EAP termination, in which the device itself terminates EAP and talks CHAP or PAP to the server.
NOTE: If EAP relay mode is used, the user-name-format command...
Page 1760
95 Specifying an access control method You can specify an access control method for one port in Ethernet interface view, or for multiple ports in system view. If different access control methods are specified for a port in system view and Ethernet interface view, the one specified later takes effect. To use both 802.1X and portal authentication on a port, you must specify MAC-based access control. For information about portal authentication, see Configuring portal authentication. To specify...