HP A 5120 Manual

Page 101

 
EAD fast deployment configuration
EAD fast deployment overview
Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access a network that deploys EAD, it must have an EAD client, which performs 802.1X authentication.
EAD fast deployment enables...

Page 102

 
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Configure a free IP | dot1x free-ip ip-address { mask-address \| mask-length } | Required. By default, no free IP is configured. |
 
NOTE:
When global MAC authentication, Layer-2 portal authentication, or port security is enabled, the free IP does not take effect.
Configuring the redirect URL
Follow these steps to configure a redirect URL:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |

Configure the redirect...

Page 103

 
EAD fast deployment configuration example
Network requirements
As shown in Figure 36, the hosts at the intranet 192.168.1.0/24 are attached to port GigabitEthernet 1/0/1 of the network access device, and they use DHCP to obtain IP addresses.
Deploy EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network.
To allow all intranet users to install and update 802.1X client program from a web server, configure...

Page 104

 
[Device] dhcp enable
# Configure a DHCP server for a DHCP server group.
[Device] dhcp relay server-group 1 ip 192.168.2.2
# Enable the relay agent on VLAN interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] dhcp select relay
# Correlate VLAN interface 2 to the DHCP server group.
[Device-Vlan-interface2] dhcp relay server-select 1
[Device-Vlan-interface2] quit
2. Configure a RADIUS scheme and an ISP domain.
For more information about configuration procedure, see the...

Page 105

 
example, 3.3.3.3 or http://3.3.3.3. The external website address should not be on the freely accessible network segment.
Troubleshooting EAD fast deployment
Web browser users cannot be correctly redirected
Symptom
Unauthenticated users are not redirected to the specified redirect URL after they enter external website addresses in their web browsers.
Analysis
Redirection will not happen for one of the following reasons:
• The address is in the string format. The...

Page 106

 
MAC authentication configuration
MAC authentication overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port. If the MAC address passes authentication, the user can access...

Page 107

 
For more information about configuring local authentication and RADIUS authentication, see the chapter "AAA configuration."
MAC authentication timers
MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user as idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
• Quiet...

Page 108

 
MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any network resources.
If a user in the guest VLAN passes MAC authentication, it is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN.
NOTE:
A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member...

Page 109

 
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enable MAC authentication globally | mac-authentication | Required. Disabled by default. |
| Configure MAC authentication timers | mac-authentication timer { offline-detect offline-detect-value \| quiet quiet-value \| server-timeout server-timeout-value } | Optional. By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds. |

Configure the properties of MAC authentication user accounts...

Page 110

 
MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see the chapter "AAA configuration."
Follow these steps to specify an authentication domain for MAC authentication users:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Specify an authentication domain for MAC authentication users | mac-authentication domain... | |