HP A 5120 Manual

    Enabling the quiet timer 
The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication.
You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.
Follow these steps to enable the quiet timer:
To do…                    Use the command…                              Remarks
Enter system view         system-view                                   —
Enable the quiet timer    dot1x quiet-period                            Required. Disabled by default.
Set the quiet timer       dot1x timer quiet-period quiet-period-value   Optional. The default is 60 seconds.
     
    Enabling the periodic online user re-authentication function 
Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. The re-authentication interval is user configurable.
Follow these steps to enable the periodic online user re-authentication function:
To do…                                           Use the command…                                 Remarks
Enter system view                                system-view                                      —
Set the periodic re-authentication timer         dot1x timer reauth-period reauth-period-value    Optional. The default is 3600 seconds.
Enter Layer 2 Ethernet interface view            interface interface-type interface-number        —
Enable periodic online user re-authentication    dot1x re-authenticate                            Required. Disabled by default.
     
The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and enables periodic online user re-authentication, even if the function is not configured. Support for the server assignment of re-authentication timer and the re-authentication timer configuration on the server vary with servers.
NOTE:
The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.
    						
    							 
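As an added illustration (not part of the HP manual), the following Python model encodes the two rules stated above: a server-assigned session-timeout takes precedence over the device timer and switches re-authentication on by itself, and a change in VLAN assignment status across re-authentication is what logs the user off. The PortDot1xConfig type and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_REAUTH_PERIOD = 3600  # default of 'dot1x timer reauth-period', in seconds


@dataclass
class PortDot1xConfig:
    """Re-authentication settings of one port (assumed model for this example)."""
    reauth_enabled: bool = False                # 'dot1x re-authenticate' configured
    reauth_period: int = DEFAULT_REAUTH_PERIOD  # 'dot1x timer reauth-period' value


def effective_reauth_period(port: PortDot1xConfig,
                            session_timeout: Optional[int]) -> Optional[int]:
    """Return the re-authentication interval in effect (seconds), or None if off.

    session_timeout is the session-timeout attribute the authentication server
    assigned for this user, or None if the server assigned none.
    """
    if session_timeout is not None:
        # The server-assigned timer overrides the device timer and enables
        # periodic re-authentication even when the port has it disabled.
        return session_timeout
    if port.reauth_enabled:
        return port.reauth_period
    return None


def reauth_keeps_user_online(vlan_before: Optional[int],
                             vlan_after: Optional[int]) -> bool:
    """True if the VLAN assignment status is consistent across re-authentication.

    Only the status (assigned / not assigned) must match; the VLAN IDs may
    differ. A status change is the violation that can log the user off.
    """
    return (vlan_before is None) == (vlan_after is None)


if __name__ == "__main__":
    port = PortDot1xConfig()  # re-authentication not configured on the port
    print(effective_reauth_period(port, 600))   # 600: server timer wins
    print(effective_reauth_period(port, None))  # None: feature stays off
    print(reauth_keeps_user_online(5, 6))       # True: VLAN changed, status same
    print(reauth_keeps_user_online(5, None))    # False: user is logged off
```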
    Configuring an 802.1X guest VLAN 
    Configuration guidelines 
Follow these guidelines when configuring an 802.1X guest VLAN:
• You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
• Assign different IDs for the voice VLAN, the default VLAN, and the 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN tagged traffic.
• With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
• Use Table 6 when configuring multiple security features on a port.
Table 6 Relationships of the 802.1X guest VLAN and other security features
Feature: MAC authentication guest VLAN on a port that performs MAC-based access control
  Relationship description: Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication is not assigned to the MAC authentication guest VLAN.
  Reference: The chapter "MAC authentication configuration"
Feature: 802.1X Auth-Fail VLAN on a port that performs MAC-based access control
  Relationship description: The 802.1X Auth-Fail VLAN has a higher priority.
  Reference: The chapter "802.1X configuration"
Feature: Port intrusion protection on a port that performs MAC-based access control
  Relationship description: The 802.1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
  Reference: The chapter "Port security configuration"
     
Configuration prerequisites
• Create the VLAN to be specified as the 802.1X guest VLAN.
• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member. For more information about the MAC-based VLAN function, see the Layer 2—LAN Switching Configuration Guide.
Configuration procedure
Follow these steps to configure an 802.1X guest VLAN:
To do…                                                 Use the command…                                              Remarks
Enter system view                                      system-view                                                   —
Configure an 802.1X guest VLAN for one or more ports (use either approach):
  In system view                                       dot1x guest-vlan guest-vlan-id [ interface interface-list ]   Required. By default, no 802.1X guest VLAN is configured on any port.
  In Layer 2 Ethernet interface view                   interface interface-type interface-number
                                                       dot1x guest-vlan guest-vlan-id
     
    Configuring an Auth-Fail VLAN 
    Configuration guidelines 
Follow these guidelines when configuring an 802.1X Auth-Fail VLAN:
• Assign different IDs for the voice VLAN, the default VLAN, and the 802.1X guest VLAN on a port, so the port can correctly process VLAN tagged incoming traffic.
• You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be different.
• Use Table 7 when configuring multiple security features on a port.
Table 7 Relationships of the 802.1X Auth-Fail VLAN with other features
Feature: MAC authentication guest VLAN on a port that performs MAC-based access control
  Relationship description: The 802.1X Auth-Fail VLAN has a high priority.
  Reference: The chapter "MAC authentication configuration"
Feature: Port intrusion protection on a port that performs MAC-based access control
  Relationship description: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
  Reference: The chapter "Port Security configuration"
     
Configuration prerequisites
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member. For more information about the MAC-based VLAN function, see the Layer 2—LAN Switching Configuration Guide.
Follow these steps to configure an Auth-Fail VLAN:
To do…                                     Use the command…                               Remarks
Enter system view                          system-view                                    —
Enter Layer 2 Ethernet interface view      interface interface-type interface-number      —
Configure the Auth-Fail VLAN on the port   dot1x auth-fail vlan authfail-vlan-id          Required. By default, no Auth-Fail VLAN is configured.

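The guidelines and prerequisites for the 802.1X guest VLAN and the Auth-Fail VLAN have the same shape, so one added validator (example code written for this page, not the switch's configuration format or the manual's own) covers both sections. The Port data model and the "portbased"/"macbased" labels are assumptions; checking that the Auth-Fail VLAN ID differs from the voice and default VLANs is applied by analogy to the guest VLAN rule above.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Port:
    """Assumed port model for this example; not the switch's configuration format."""
    name: str
    port_method: str                  # "portbased" or "macbased" (dot1x port-method)
    link_type: str = "access"         # "access", "trunk" or "hybrid"
    pvid: int = 1                     # default VLAN of the port
    voice_vlan: Optional[int] = None
    untagged_vlans: Set[int] = field(default_factory=set)
    tagged_vlans: Set[int] = field(default_factory=set)
    mac_vlan_enabled: bool = False    # MAC-based VLAN enabled on the port
    multicast_trigger: bool = True    # 802.1X multicast trigger enabled
    guest_vlan: Optional[int] = None      # only one guest VLAN per port
    auth_fail_vlan: Optional[int] = None  # only one Auth-Fail VLAN per port


def check_dot1x_vlan(port: Port, existing_vlans: Set[int],
                     kind: str, vlan: int) -> List[str]:
    """Return guideline violations for using `vlan` as the port's 802.1X
    guest VLAN (kind="guest") or Auth-Fail VLAN (kind="auth-fail")."""
    label = f"{port.name} {kind} VLAN {vlan}"
    problems = []
    if vlan not in existing_vlans:
        problems.append(f"{label}: VLAN does not exist; create it first")
    # Voice VLAN, default VLAN and the 802.1X VLAN need distinct IDs so tagged traffic is classified correctly.
    if vlan == port.pvid:
        problems.append(f"{label}: same ID as the port's default VLAN")
    if port.voice_vlan is not None and vlan == port.voice_vlan:
        problems.append(f"{label}: same ID as the voice VLAN")
    if port.port_method == "portbased":
        if not port.multicast_trigger:
            problems.append(f"{label}: port-based access control needs the "
                            "802.1X multicast trigger")
    elif port.port_method == "macbased":
        if port.link_type != "hybrid":
            problems.append(f"{label}: MAC-based access control needs a hybrid port")
        if not port.mac_vlan_enabled:
            problems.append(f"{label}: MAC-based VLAN must be enabled on the port")
        if vlan not in port.untagged_vlans:
            problems.append(f"{label}: port must be an untagged member of the VLAN")
        if vlan in port.tagged_vlans:
            problems.append(f"{label}: port must not be a tagged member of a VLAN "
                            "that 802.1X assigns")
    else:
        problems.append(f"{label}: unknown port method {port.port_method!r}")
    return problems


def check_port(port: Port, existing_vlans: Set[int]) -> List[str]:
    """Check the port's guest VLAN and Auth-Fail VLAN, if configured."""
    problems: List[str] = []
    if port.guest_vlan is not None:
        problems += check_dot1x_vlan(port, existing_vlans, "guest", port.guest_vlan)
    if port.auth_fail_vlan is not None:
        problems += check_dot1x_vlan(port, existing_vlans, "auth-fail",
                                     port.auth_fail_vlan)
    return problems


if __name__ == "__main__":
    # Constructed sample: GigabitEthernet 1/0/2 from the configuration example
    # (port-based, guest VLAN 10, VLAN 1 as PVID) passes; a MAC-based access port
    # with VLAN 10 as both PVID and guest VLAN does not.
    ok = Port(name="GE1/0/2", port_method="portbased", pvid=1, guest_vlan=10)
    bad = Port(name="GE1/0/5", port_method="macbased", pvid=10, guest_vlan=10)
    print(check_port(ok, {1, 2, 5, 10}), *check_port(bad, {1, 10}), sep="\n")
```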
Displaying and maintaining 802.1X
To do: Display 802.1X session information, statistics, or configuration information of specified or all ports
  Use the command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
To do: Clear 802.1X statistics
  Use the command: reset dot1x statistics [ interface interface-list ]
  Remarks: Available in user view
     
    802.1X configuration examples 
    802.1X authentication configuration example 
Network requirements
As shown in Figure 33, the access device performs 802.1X authentication for users that connect to port GigabitEthernet 1/0/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users.
Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS authentication fails, perform local authentication on the access device. If RADIUS accounting fails, the access device logs the user off.
Configure the host at 10.1.1.1 as the primary authentication and accounting servers, and the host at 10.1.1.2 as the secondary authentication and accounting servers. Assign all users to the ISP domain aabbcc.net, which accommodates up to 30 users.
Configure the shared key as name for packets between the access device and the authentication server, and the shared key as money for packets between the access device and the accounting server.
Figure 33 Network diagram for 802.1X authentication configuration
[Figure 33 labels: Device (Authenticator); Host (Supplicant) 192.168.1.2/24; GE1/0/1, Vlan-int2 192.168.1.1/24; GE1/0/2 10.1.1.10/24; RADIUS server cluster, Primary 10.1.1.1/24, Secondary 10.1.1.2/24; Internet.]

Configuration procedure

NOTE:
For information about the RADIUS commands used on the access device in this example, see the Security Command Reference.

1. Configure the 802.1X client. If iNode is used, do not select the Carry version info option in the client configuration. (Details not shown)
2. Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown)
3. Configure user accounts for the 802.1X users on the access device.
# Add a local user with the username localuser, and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server.)
<Device> system-view
[Device] local-user localuser
[Device-luser-localuser] service-type lan-access
[Device-luser-localuser] password simple localpass
    # Configure the idle cut function to log off any online user that has been idled for 20 minutes. 
    [Device-luser-localuser] authorization-attribute idle-cut 20 
    [Device-luser-localuser] quit 
    4. Configure a RADIUS scheme. 
    # Create the RADIUS scheme radius1 and enter its view. 
    [Device] radius scheme radius1 
    # Specify the IP addresses of the primary authentication and accounting RADIUS servers. 
    [Device-radius-radius1] primary authentication 10.1.1.1 
    [Device-radius-radius1] primary accounting 10.1.1.1 
    # Configure the IP addresses of the secondary authentication and accounting RADIUS servers. 
    [Device-radius-radius1] secondary authentication 10.1.1.2 
    [Device-radius-radius1] secondary accounting 10.1.1.2 
    # Specify the shared key between the access device and the authentication server. 
    [Device-radius-radius1] key authentication name 
    # Specify the shared key between the access device and the accounting server. 
    [Device-radius-radius1] key accounting money 
    # Exclude the ISP domain name from the username sent to the RADIUS servers. 
    [Device-radius-radius1] user-name-format without-domain 
[Device-radius-radius1] quit
NOTE:
The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device.
    5. Configure the ISP domain. 
    # Create the ISP domain aabbcc.net and enter its view. 
    [Device] domain aabbcc.net 
# Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.
    [Device-isp-aabbcc.net] authentication lan-access radius-scheme radius1 local 
    [Device-isp-aabbcc.net] authorization lan-access radius-scheme radius1 local 
    [Device-isp-aabbcc.net] accounting lan-access radius-scheme radius1 local 
# Set the maximum number of concurrent users in the domain to 30.
[Device-isp-aabbcc.net] access-limit enable 30
    # Configure the idle cut function to log off any online domain user that has been idle for 20 minutes. 
    [Device-isp-aabbcc.net] idle-cut enable 20 
    [Device-isp-aabbcc.net] quit 
# Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain.
    [Device] domain default enable aabbcc.net 
    6. Configure 802.1X. 
    # Enable 802.1X globally. 
    [Device] dot1x 
    # Enable 802.1X on port GigabitEthernet 1/0/1. 
    [Device] interface gigabitethernet 1/0/1 
    [Device-GigabitEthernet1/0/1] dot1x 
    [Device-GigabitEthernet1/0/1] quit 
# Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.)
    [Device] dot1x port-method macbased interface gigabitethernet 1/0/1 
Verification
Use the display dot1x interface gigabitethernet 1/0/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view the user connection information. If the user fails RADIUS authentication, local authentication is performed.
802.1X with guest VLAN and VLAN assignment configuration example
    Network requirements 
As shown in Figure 34:
• A host is connected to port GigabitEthernet 1/0/2 of the device and must pass 802.1X authentication to access the Internet. GigabitEthernet 1/0/2 is in VLAN 1.
• GigabitEthernet 1/0/2 implements port-based access control.
• GigabitEthernet 1/0/3 is in VLAN 5 and is for accessing the Internet.
• The authentication server runs RADIUS and is in VLAN 2.
• The update server in VLAN 10 is for client software download and upgrade.
• If no user passes 802.1X authentication on GigabitEthernet 1/0/2 within a period of time (90 seconds by default), the device adds GigabitEthernet 1/0/2 to its guest VLAN, VLAN 10. The host and the update server are both in VLAN 10 and the host can access the update server and download the 802.1X client software.
• After the host passes 802.1X authentication, the host is assigned to VLAN 5 where GigabitEthernet 1/0/3 is. The host can access the Internet.

Figure 34 Network diagram for 802.1X with guest VLAN and VLAN assignment configuration
[Figure 34 labels: Device; Host on GE1/0/2; Update server on GE1/0/1, VLAN 10; Authentication server on GE1/0/4, VLAN 2; Internet on GE1/0/3, VLAN 5. Three panels show GE1/0/2 in VLAN 1, in VLAN 10 ("Port added to the guest VLAN"), and in VLAN 5 ("User gets online").]

Configuration procedure

NOTE:
The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see the Security Command Reference.
1. Configure the 802.1X client. Make sure the client is able to update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN. (Details not shown)
2. Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and server-assigned VLAN, VLAN 5 in this example. (Details not shown)
3. Create VLANs, and assign ports to the VLANs.
<Device> system-view
    [Device] vlan 1 
    [Device-vlan1] port gigabitethernet 1/0/2 
    [Device-vlan1] quit 
    [Device] vlan 10 
    [Device-vlan10] port gigabitethernet 1/0/1 
    [Device-vlan10] quit 
    [Device] vlan 2 
    [Device-vlan2] port gigabitethernet 1/0/4 
    [Device-vlan2] quit 
    [Device] vlan 5 
[Device-vlan5] port gigabitethernet 1/0/3
    [Device-vlan5] quit 
4. Configure a RADIUS scheme.
# Configure RADIUS scheme 2000 and enter its view.
<Device> system-view
[Device] radius scheme 2000
# Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.
    [Device-radius-2000] primary authentication 10.11.1.1 1812 
    [Device-radius-2000] primary accounting 10.11.1.1 1813 
    [Device-radius-2000] key authentication abc 
    [Device-radius-2000] key accounting abc 
    # Exclude the ISP domain name from the username sent to the RADIUS server. 
    [Device-radius-2000] user-name-format without-domain 
    [Device-radius-2000] quit 
    5. Configure an ISP domain. 
# Create ISP domain bbb and enter its view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
    6. Configure 802.1X. 
    # Enable 802.1X globally. 
    [Device] dot1x 
    # Enable 802.1X for port GigabitEthernet 1/0/2. 
    [Device] interface gigabitethernet 1/0/2 
    [Device-GigabitEthernet1/0/2] dot1x 
    # Implement port-based access control on the port. 
    [Device-GigabitEthernet1/0/2] dot1x port-method portbased 
    # Set the port authorization mode to auto. 
    [Device-GigabitEthernet1/0/2] dot1x port-control auto 
    [Device-GigabitEthernet1/0/2] quit 
    # Set VLAN 10 as the 802.1X guest VLAN for port GigabitEthernet 1/0/2. 
    [Device] dot1x guest-vlan 10 interface gigabitethernet 1/0/2 
    Verification 
Use the display dot1x interface gigabitethernet 1/0/2 command to verify the 802.1X guest VLAN configuration on GigabitEthernet 1/0/2. If no user passes authentication on the port within a specified period of time, use the display vlan 10 command to verify whether GigabitEthernet 1/0/2 is assigned to VLAN 10.
After a user passes authentication, you can use the display interface gigabitethernet 1/0/2 command to verify that port GigabitEthernet 1/0/2 has been added to VLAN 5.

    802.1X with ACL assignment configuration example 
    Network requirements 
As shown in Figure 35, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device.
Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server. Assign an ACL to GigabitEthernet 1/0/1 to deny 802.1X users access to the FTP server.
Figure 35 Network diagram for ACL assignment
[Figure 35 labels: Host 192.168.1.10 on GE1/0/1; Device, Vlan-int2 192.168.1.1/24; Authentication servers (RADIUS server cluster) 10.1.1.1/10.1.1.2; FTP server 10.0.0.1; GE1/0/2; GE1/0/3; Internet.]

NOTE:
The following configuration procedure provides the major AAA and RADIUS configuration on the access device. The configuration procedures on the 802.1X client and RADIUS server are beyond the scope of this configuration example. For information about AAA and RADIUS configuration commands, see the Security Command Reference.
    Configuration procedure 
1. Configure 802.1X client. Make sure the client is able to update its IP address after the access port is assigned to the 802.1X guest VLAN or a server-assigned VLAN. (Details not shown)
2. Configure the RADIUS servers, user accounts, and authorization ACL, ACL 3000 in this example. (Details not shown)
    3. Configure the access device. 
    # Assign IP addresses to interfaces. (Details not shown) 
# Configure the RADIUS scheme.
<Device> system-view
    [Device] radius scheme 2000 
    [Device-radius-2000] primary authentication 10.1.1.1 1812 
    [Device-radius-2000] primary accounting 10.1.1.2 1813 
    [Device-radius-2000] key authentication abc 
    [Device-radius-2000] key accounting abc 
    [Device-radius-2000] user-name-format without-domain 
    [Device-radius-2000] quit 
# Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA schemes for the domain.
    [Device] domain 2000 
    [Device-isp-2000] authentication default radius-scheme 2000 
    [Device-isp-2000] authorization default radius-scheme 2000 
    [Device-isp-2000] accounting default radius-scheme 2000 
    [Device-isp-2000] quit 
    # Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1. 
    [Device] acl number 3000 
    [Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 
    # Enable 802.1X globally.  
    [Device] dot1x 
    # Enable 802.1X on port GigabitEthernet 1/0/1. 
    [Device] interface gigabitethernet 1/0/1 
    [Device-GigabitEthernet1/0/1] dot1x 
    Verification 
    Use the user account to pass authentication. Then ping the FTP server. 
    C:\>ping 10.0.0.1 
     
    Pinging 10.0.0.1 with 32 bytes of data: 
     
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
     
    Ping statistics for 10.0.0.1: 
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), 
    The output shows that ACL 3000 is valid. You cannot access the FTP server.  
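As an added example, not from the manual, the following Python model applies wildcard-mask matching to ACL 3000 so the verification result above can be reproduced offline; it also covers subnet wildcards such as 0.0.0.255, which the page's single host rule does not use. The Rule/evaluate names and the permit default for packets that match no rule are assumptions of this model, not statements about the switch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One advanced ACL rule (assumed model for this example)."""
    rule_id: int
    action: str                        # "deny" or "permit"
    protocol: str = "ip"               # "ip" matches any IPv4 protocol
    source: Optional[str] = None       # "address wildcard", None = any source
    destination: Optional[str] = None  # "address wildcard", None = any destination


def _to_int(text: str) -> int:
    # The rule on this page writes the wildcard as a bare 0, shorthand for 0.0.0.0.
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, spec: Optional[str]) -> bool:
    """True if addr matches 'address wildcard'; a None spec matches anything."""
    if spec is None:
        return True
    base, wildcard = spec.split()
    a, b, w = _to_int(addr), _to_int(base), _to_int(wildcard)
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal,
    # so a wildcard of 0 matches exactly one host.
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def parse_rule(line: str) -> Rule:
    """Parse 'rule <id> <action> <protocol> [source A W] [destination A W]'."""
    tokens = line.split()
    rule_id, action, protocol = int(tokens[1]), tokens[2], tokens[3]
    fields: Dict[str, str] = {}
    for i in range(4, len(tokens), 3):
        fields[tokens[i]] = f"{tokens[i + 1]} {tokens[i + 2]}"
    return Rule(rule_id, action, protocol, fields.get("source"), fields.get("destination"))


def evaluate(rules: List[Rule], src: str, dst: str, protocol: str,
             default_action: str = "permit") -> str:
    """Return the action of the first matching rule in ascending rule-ID order.

    default_action for a packet that matches no rule is an assumption of this
    model, not a statement about how the switch treats such packets.
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.protocol not in ("ip", protocol):
            continue
        if wildcard_match(src, rule.source) and wildcard_match(dst, rule.destination):
            return rule.action
    return default_action


# ACL 3000 from the example: deny packets destined for the FTP server 10.0.0.1.
ACL_3000 = [parse_rule("rule 0 deny ip destination 10.0.0.1 0")]

if __name__ == "__main__":
    # The ping from the host to the FTP server in the verification step is denied.
    print(evaluate(ACL_3000, "192.168.1.10", "10.0.0.1", "icmp"))  # deny
    # Any other destination matches no rule and falls through to the default.
    print(evaluate(ACL_3000, "192.168.1.10", "10.0.0.2", "icmp"))  # permit
    # A subnet wildcard (constructed, not from the example) for comparison.
    print(wildcard_match("10.0.0.77", "10.0.0.0 0.0.0.255"))       # True
```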
      
    						