HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1761
Setting the maximum number of authentication request attempts The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command). The network access device stops retransmitting the request, if it has made the maximum number of request transmission attempts but still...
Page 1762
of handshake attempts (set by the dot1x retry command) has been made, the network access device sets the user in the offline state. If iNode clients are deployed, you can also enable the online handshake security function to check for 802.1X users that use illegal client software to bypass security inspection such as proxy detection and dual network interface cards (NICs) detection. This function checks the authentication information in client handshake messages. If a user fails the...
Page 1763
The identity request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger. Configuration guidelines Follow these guidelines when you configure the authentication trigger function: • Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication. • Enable the unicast trigger on a port if only a few 802.1X clients are...
Page 1764
Configuring the quiet timer The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response. To configure the quiet timer: Step Command Remarks 1. Enter system view. system-view N/A 2. Enable the quiet timer. dot1x quiet-period By default, the timer...
Page 1765
Step Command Remarks 2. Set the periodic re-authentication timer. dot1x timer reauth-period reauth-period-value Optional. The default is 3600 seconds. 3. Enter Ethernet interface view. interface interface-type interface-number N/A 4. Enable periodic online user re-authentication. dot1x re-authenticate By default, the function is disabled. Configuring an 802.1X guest VLAN Configuration guidelines Follow these guidelines when you configure an 802.1X guest VLAN: • You can...
Page 1766
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member. For more information about the MAC-based VLAN function, see Layer 2—LAN Switching Configuration Guide. Configuration procedure To configure an 802.1X guest VLAN: Step Command Remarks 1. Enter system view. system-view N/A 2. Configure an 802.1X guest VLAN for one or more ports....
Page 1767
Configuration prerequisites • Create the VLAN to be specified as the 802.1X Auth-Fail VLAN. • If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger (dot1x multicast-trigger). • If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member. For more information about the MAC-based VLAN function, see Layer 2...
Page 1768
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter Layer 2 Ethernet interface view. interface interface-type interface-number N/A 3. Configure an 802.1X critical VLAN on the port. dot1x critical vlan vlan-id By default, no critical VLAN is configured. 4. Configure the port to trigger 802.1X authentication on detection of a reachable authentication server for users in the critical VLAN. dot1x critical recovery-action reinitialize Optional. By default,...
Page 1769
Task Command Remarks Display 802.1X session information, statistics, or configuration information of specified or all ports. display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Available in any view Clear 802.1X statistics. reset dot1x statistics [ interface interface-list ] Available in user view 802.1X authentication configuration example Network requirements As shown in Figure 44, the access device...
Page 1770
# Add a local user with the username localuser, and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server.) system-view [Device] local-user localuser [Device-luser-localuser] service-type lan-access [Device-luser-localuser] password simple localpass # Configure the idle cut function to log off any online user that has been idle for 20 minutes. [Device-luser-localuser] authorization-attribute idle-cut 20...