HP A 5120 Manual
Page 71
# Configure bbb as the default ISP domain. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain will be used for the user.
[SwitchA] domain default enable bbb
2. Configure the RADIUS server
# Create RADIUS user aaa and enter its view.
<SwitchB> system-view
[SwitchB] radius-server user aaa
# Configure simple-text password aabbcc for user aaa.
[SwitchB-rdsuser-aaa] password simple aabbcc
[SwitchB-rdsuser-aaa] quit
# Specify...
Page 72
Symptom 2
RADIUS packets cannot reach the RADIUS server.
Analysis
1. The communication link between the NAS and the RADIUS server is down (at the physical layer and data link layer).
2. The NAS is not configured with the IP address of the RADIUS server.
3. The UDP ports for authentication/authorization and accounting are not correct.
4. The port numbers of the RADIUS server for authentication, authorization and accounting are being used by other applications.
Solution
Check that:
1. The...
Page 73
802.1X fundamentals
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
802.1X architecture
802.1X operates in the client/server model. It comprises three entities: client (the supplicant), network access...
Page 74
Figure 24 Authorization state of a controlled port
In the unauthorized state, a controlled port controls traffic in one of the following ways:
• Performs bidirectional traffic control to deny traffic to and from the client.
• Performs unidirectional traffic control to deny traffic from the client.
NOTE: The HP switches support only unidirectional traffic control.
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication...
Page 75
Figure 25 EAP packet format
• Code: Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).
• Identifier: Used for matching Responses with Requests.
• Length: Length (in bytes) of the EAP packet, which is the sum of the Code, Identifier, Length, and Data fields.
• Data: Content of the EAP packet. This field appears only in a Request or Response EAP packet. The field comprises the request type (or the response type) and the...
Page 76
• Packet body: Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.
EAP over RADIUS
RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see the chapter "AAA configuration."
EAP-Message
RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 27. The Type field takes 79, and the Value field can be up to...
Page 77
• Multicast trigger mode—The access device multicasts EAP-Request/Identity packets periodically (every 30 seconds by default) to initiate 802.1X authentication.
• Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC address table, the access device sends an EAP-Request/Identity packet out of the receiving port to the unknown MAC address. It retransmits the packet if no response has been received within a...
Page 78
Packet exchange method: EAP termination
Benefits: Works with any RADIUS server that supports PAP or CHAP authentication.
Limitations: Supports only MD5-Challenge EAP authentication and the username + password EAP authentication initiated by an iNode 802.1X client. The processing is complex on the network access device.
EAP relay
Figure 31 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used.
Figure 31 802.1X authentication...
Page 79
3. In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access device.
4. The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server.
5. The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is found, the server uses a randomly generated challenge (EAP-Request/MD5...
Page 80
Figure 32 802.1X authentication procedure in EAP termination mode
In EAP termination mode, it is the network access device rather than the authentication server that generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
[Figure 32 message sequence (EAPOL between client and access device, RADIUS between access device and server): (1) EAPOL-Start, (2) EAP-Request/Identity, (3) EAP-Response/Identity, (4)...]