HP A 5120 Manual

EAD fast deployment configuration
EAD fast deployment overview
Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access a network that deploys EAD, it must have an EAD client, which performs 802.1X authentication.
EAD fast deployment enables the access device to redirect a user seeking to access the network to download and install the EAD client. This function eliminates the administrator's tedious job of deploying EAD clients.
EAD fast deployment implementation
EAD fast deployment is implemented by the following functions:
• Free IP
• URL redirection
Free IP
A free IP is a freely accessible network segment, which has a limited set of network resources such as software and DHCP servers. An unauthenticated user can access only this segment to download the EAD client, obtain a dynamic IP address from a DHCP server, or perform some other tasks to be compliant with the network security strategy.
URL redirection
If an unauthenticated 802.1X user is using a web browser to access the network, the EAD fast deployment function redirects the user to a specified URL, for example, the EAD client software download page.
The server that provides the URL must be on the free IP accessible to unauthenticated users.
Configuring EAD fast deployment
Configuration prerequisites
• Enable 802.1X globally.
• Enable 802.1X on the port, and set the port authorization mode to auto.
Configuration procedure
Configuring a free IP
When a free IP is configured, the EAD fast deployment is enabled. To allow a user to obtain a dynamic IP address before passing 802.1X authentication, make sure the DHCP server is on the free IP segment.
Follow these steps to configure a free IP:
Step 1. Enter system view
    Command: system-view
Step 2. Configure a free IP
    Command: dot1x free-ip ip-address { mask-address | mask-length }
    Remarks: Required. By default, no free IP is configured.

NOTE:
When global MAC authentication, Layer-2 portal authentication, or port security is enabled, the free IP does not take effect.
Configuring the redirect URL
Follow these steps to configure a redirect URL:
Step 1. Enter system view
    Command: system-view
Step 2. Configure the redirect URL
    Command: dot1x url url-string
    Remarks: Required. By default, no redirect URL is configured.

NOTE:
The redirect URL must be on the free IP subnet.
Setting the EAD rule timer
EAD fast deployment automatically creates an ACL rule, or an EAD rule, to open access to the redirect URL for each redirected user seeking to access the network. The EAD rule timer sets the lifetime of each ACL rule. When the timer expires or the user passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass authentication before the timer expires, they must reconnect to the network to access the free IP.
To prevent ACL rule resources from being used up, you can shorten the timer when the number of EAD users is large.
Follow these steps to set the EAD rule timer:
Step 1. Enter system view
    Command: system-view
Step 2. Set the EAD rule timer
    Command: dot1x timer ead-timeout ead-timeout-value
    Remarks: Optional. The default timer is 30 minutes.
Displaying and maintaining EAD fast deployment
Task: Display 802.1X session information, statistics, or configuration information
    Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
EAD fast deployment configuration example
Network requirements
As shown in Figure 36, the hosts at the intranet 192.168.1.0/24 are attached to port GigabitEthernet 1/0/1 of the network access device, and they use DHCP to obtain IP addresses.
Deploy the EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network.
To allow all intranet users to install and update the 802.1X client program from a web server, configure the following:
• Allow unauthenticated users to access the segment 192.168.2.0/24, and to obtain an IP address on the segment 192.168.1.0/24 through DHCP.
• Redirect unauthenticated users to a preconfigured web page when the users use a web browser to access any external network except 192.168.2.0/24. The web page allows users to download the 802.1X client program.
• Allow authenticated 802.1X users to access the network.
Figure 36 Network diagram for EAD fast deployment
[Figure labels: GE1/0/1; Vlan-int 2 192.168.1.1/24; 192.168.1.0/24; GE1/0/2 10.1.1.10/24; GE1/0/3 192.168.2.1/24; Free IP 192.168.2.0/24; Web server 192.168.2.3/24; DHCP server 192.168.2.2/24; Authentication server cluster 10.1.1.1/10.1.1.2; Internet]

NOTE:
In addition to the configuration on the access device, complete the following tasks:
• Configure the DHCP server so that the host can obtain an IP address on the segment 192.168.1.0/24.
• Configure the web server so that users can log in to the web page to download 802.1X clients.
• Configure the authentication server to provide authentication, authorization, and accounting services.
Configuration procedure
1. Configure DHCP relay.
# Enable DHCP.
<Device> system-view
[Device] dhcp enable
# Configure a DHCP server for a DHCP server group.
[Device] dhcp relay server-group 1 ip 192.168.2.2
# Enable the relay agent on VLAN interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] dhcp select relay
# Correlate VLAN interface 2 to the DHCP server group.
[Device-Vlan-interface2] dhcp relay server-select 1
[Device-Vlan-interface2] quit
2. Configure a RADIUS scheme and an ISP domain.
For more information about the configuration procedure, see the chapter "802.1X configuration."
3. Configure 802.1X.
# Configure the free IP.
<Device> system-view
[Device] dot1x free-ip 192.168.2.0 24
# Configure the redirect URL for client software download.
[Device] dot1x url http://192.168.2.3
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on the port.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
Verification
Use the display dot1x command to display the 802.1X configuration. After the host obtains an IP address from a DHCP server, use the ping command from the host to ping an IP address on the network segment specified by the free IP.
C:\>ping 192.168.2.3

Pinging 192.168.2.3 with 32 bytes of data:

Reply from 192.168.2.3: bytes=32 time

example, 3.3.3.3 or http://3.3.3.3. The external website address should not be on the freely accessible network segment.
Troubleshooting EAD fast deployment
Web browser users cannot be correctly redirected
Symptom
Unauthenticated users are not redirected to the specified redirect URL after they enter external website addresses in their web browsers.
Analysis
Redirection will not happen for one of the following reasons:
• The address is in the string format. The operating system of the host regards the string as a website name and tries to resolve it. If the resolution fails, the operating system sends an ARP request, but the target address is not in the dotted decimal notation. The redirection function does redirect this kind of ARP request.
• The address is within a free IP segment. No redirection will take place, even if no host is present with the address.
• The redirect URL is not in a free IP segment, no server is using the redirect URL, or the server with the URL does not provide web services.
Solution
• Enter a dotted decimal IP address that is not in any free IP segment.
• Ensure that the network access device and the server are correctly configured.
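The constraints in this chapter (the redirect URL and DHCP server must sit on the free IP segment, the free IP is disabled by global MAC authentication, Layer-2 portal authentication or port security, and the redirection conditions listed under Analysis) can be checked before the switch is touched. The following Python script is an added example, not part of the HP manual or the switch software; the function names and the sample values are constructed from the configuration example above.

```python
import ipaddress
from urllib.parse import urlsplit


def host_ip(target):
    """Return the host of a URL or bare address as an IP object, or None when the
    host is a name rather than a dotted decimal address (first troubleshooting case)."""
    if "://" not in target:
        target = "http://" + target
    try:
        return ipaddress.ip_address(urlsplit(target).hostname)
    except ValueError:
        return None


def in_free_ip(addr, segments):
    """True when addr falls inside any configured free IP segment."""
    return any(addr in seg for seg in segments)


def audit_ead_config(free_ip_segments, redirect_url, dhcp_server,
                     mac_auth_global=False, layer2_portal=False, port_security=False):
    """Check an EAD fast deployment configuration against the constraints stated in
    this chapter. Returns a list of findings; an empty list means it is consistent."""
    segments = [ipaddress.ip_network(s) for s in free_ip_segments]
    findings = []
    # Note after the dot1x free-ip table: these features make the free IP ineffective.
    if mac_auth_global or layer2_portal or port_security:
        findings.append("free IP does not take effect: global MAC authentication, "
                        "Layer-2 portal authentication or port security is enabled")
    # Note after the dot1x url table: the redirect URL must be on the free IP subnet.
    url_ip = host_ip(redirect_url)
    if url_ip is None or not in_free_ip(url_ip, segments):
        findings.append("redirect URL %s is not on a free IP segment" % redirect_url)
    # Free IP section: the DHCP server must be reachable before authentication.
    if not in_free_ip(ipaddress.ip_address(dhcp_server), segments):
        findings.append("DHCP server %s is not on a free IP segment; unauthenticated "
                        "hosts cannot obtain an address" % dhcp_server)
    return findings


def classify_browser_request(target, free_ip_segments):
    """Predict whether an unauthenticated user's browser request is redirected,
    applying the reasons listed under Analysis."""
    segments = [ipaddress.ip_network(s) for s in free_ip_segments]
    ip = host_ip(target)
    if ip is None:
        return "not redirected: address is a name, not dotted decimal"
    if in_free_ip(ip, segments):
        return "not redirected: address is in a free IP segment"
    return "redirected"


if __name__ == "__main__":
    # Constructed values taken from the configuration example in this chapter.
    free_ip = ["192.168.2.0/24"]
    for finding in audit_ead_config(free_ip, "http://192.168.2.3", "192.168.2.2"):
        print("finding:", finding)
    for target in ("3.3.3.3", "http://3.3.3.3", "192.168.2.3", "www.example.com"):
        print(target, "->", classify_browser_request(target, free_ip))
```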
MAC authentication configuration
MAC authentication overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access.
The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port. If the MAC address passes authentication, the user can access authorized network resources. If the authentication fails, the device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the MAC address within the quiet time. This quiet mechanism avoids repeated authentication during a short time.
NOTE:
If the MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark it as a silent address.
User account policies
MAC authentication supports the following user account policies:
• One MAC-based user account for each user. The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. This policy is suitable for an insecure environment.
• One shared user account for all users. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication users on the access device. This policy is suitable for a secure environment.
Authentication approaches
You can perform MAC authentication on the access device (local authentication) or through a Remote Authentication Dial-In User Service (RADIUS) server.
Suppose a packet with an unknown source MAC address arrives at a MAC authentication enabled port.
In the local authentication approach:
• If MAC-based accounts are used, the access device uses the source MAC address of the packet as the username and password to search its local account database for a match.
• If a shared account is used, the access device uses the shared account username and password to search its local account database for a match.
In the RADIUS authentication approach:
• If MAC-based accounts are used, the access device sends the source MAC address as the username and password to the RADIUS server for authentication.
• If a shared account is used, the access device sends the shared account username and password to the RADIUS server for authentication.
For more information about configuring local authentication and RADIUS authentication, see the chapter "AAA configuration."
MAC authentication timers
MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
• Quiet timer—Sets the interval that the device must wait before it can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
• Server timeout timer—Sets the interval that the access device waits for a response from a RADIUS server before it regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.
Using MAC authentication with other features
VLAN assignment
You can specify a VLAN in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the VLAN to the port as the default VLAN. After the user logs off, the initial default VLAN, or the default VLAN configured before any VLAN is assigned by the authentication server, is restored. If the authentication server assigns no VLAN, the initial default VLAN applies.
NOTE:
• A hybrid port is always assigned to a server-assigned VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
• If the port is a hybrid port with MAC-based VLAN enabled, the device maps the MAC address of each user to the VLAN assigned by the authentication server. The default VLAN of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
ACL assignment
You can specify an ACL in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the access port to filter the traffic from this user. You must configure the ACL on the access device for the ACL assignment function. You can change ACL rules while the user is online.
Guest VLAN
You can configure a guest VLAN to accommodate MAC authentication users that have failed MAC authentication on the port. Users in the MAC authentication guest VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. If no MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any network resources.
If a user in the guest VLAN passes MAC authentication, it is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN.
NOTE:
A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
MAC authentication configuration task list
Perform these tasks to configure MAC authentication:
Task: Basic configuration for MAC authentication (Required):
    Configuring MAC authentication globally
    Configuring MAC authentication on a port
Task: Specifying an authentication domain for MAC authentication users (Optional)
Task: Configuring a MAC authentication guest VLAN (Optional)

Basic configuration for MAC authentication
Configuration prerequisites
• Create and configure an authentication domain, also called an ISP domain.
• For local authentication, create local user accounts, and specify the lan-access service for the accounts.
• For RADIUS authentication, check that the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server.
NOTE:
If you are using MAC-based accounts, ensure that the username and password for each account are the same as the MAC address of the MAC authentication user.
Configuration procedure
MAC authentication can take effect on a port only when it is configured globally and on the port.
Configuring MAC authentication globally
Follow these steps to configure MAC authentication globally:
Step 1. Enter system view
    Command: system-view
Step 2. Enable MAC authentication globally
    Command: mac-authentication
    Remarks: Required. Disabled by default.
Step 3. Configure MAC authentication timers
    Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
    Remarks: Optional. By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
Step 4. Configure the properties of MAC authentication user accounts
    Command: mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }
    Remarks: Optional. By default, the username and password for a MAC authentication user account must be a MAC address in lower case, and the MAC address is hyphen separated.
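The MAC-based account format (the mac-authentication user-name-format mac-address options above) and the quiet and offline-detect timer behaviour described under "MAC authentication overview" and "MAC authentication timers" are easy to get wrong when populating the authentication server. The following Python model is an added example, not part of the HP manual or the switch software; the MacAuthPort class, its method names and the sample MAC addresses and account are constructed, and the timer defaults are the ones the table above states.

```python
import re
from dataclasses import dataclass, field


def mac_auth_username(mac, with_hyphen=True, lowercase=True):
    """Derive the username (and password) the device uses for a MAC-based account,
    following the mac-authentication user-name-format mac-address options.
    Defaults match the manual: hyphen separated, lower case."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    digits = digits.lower() if lowercase else digits.upper()
    if not with_hyphen:
        return digits
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacAuthPort:
    """Constructed model of a MAC authentication enabled port. Timer defaults are the
    manual's (quiet 60 s, offline detect 300 s, max-user 256); times are seconds."""
    accounts: set                                 # usernames the server accepts (constructed)
    quiet: int = 60
    offline_detect: int = 300
    max_user: int = 256
    online: dict = field(default_factory=dict)    # mac -> time of last traffic
    silent: dict = field(default_factory=dict)    # mac -> time the quiet timer expires
    log: list = field(default_factory=list)

    def packet(self, mac, now):
        """Handle a packet with source MAC `mac` at time `now`; return the action taken."""
        self.expire_idle(now)
        if mac in self.silent:
            if now < self.silent[mac]:
                return "dropped: silent MAC"
            del self.silent[mac]          # quiet timer expired, authentication may retry
        if mac in self.online:
            self.online[mac] = now
            return "forwarded"
        # Unknown source MAC: the device initiates MAC authentication.
        if len(self.online) >= self.max_user:
            return "dropped: max-user reached"
        if mac_auth_username(mac) in self.accounts:
            self.online[mac] = now
            return "authenticated"
        self.silent[mac] = now + self.quiet
        return "authentication failed: silent for %ds" % self.quiet

    def expire_idle(self, now):
        """Log out users idle for two consecutive offline-detect intervals."""
        for mac, last in list(self.online.items()):
            if now - last >= 2 * self.offline_detect:
                del self.online[mac]
                self.log.append("%s logged out: idle" % mac)


if __name__ == "__main__":
    port = MacAuthPort(accounts={"00-1a-2b-3c-4d-5e"})   # constructed account
    for mac, t in (("00:1A:2B:3C:4D:5E", 0), ("aa:bb:cc:dd:ee:ff", 5),
                   ("aa:bb:cc:dd:ee:ff", 30), ("aa:bb:cc:dd:ee:ff", 65)):
        print(t, mac, port.packet(mac, t))
```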
     
Configuring MAC authentication on a port
Follow these steps to configure MAC authentication on a port:
Step 1. Enter system view
    Command: system-view
Step 2. Enable MAC authentication for specified ports (Required; use either approach; disabled by default)
    In system view: mac-authentication interface interface-list
    In Layer 2 Ethernet interface view: interface interface-type interface-number, then mac-authentication
Step 3. Set the maximum number of concurrent MAC authentication users allowed on a port
    Command: mac-authentication max-user user-number
    Remarks: Optional. 256 by default.

NOTE:
You cannot enable MAC authentication on a link aggregation member port. If MAC authentication is enabled on a port, you cannot assign it to a link aggregation.
Specifying an authentication domain for MAC authentication users
By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users:
• Specify a global authentication domain in system view. This domain setting applies to all ports.
• Specify an authentication domain for an individual port in interface view.
MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see the chapter "AAA configuration."
Follow these steps to specify an authentication domain for MAC authentication users:
Step 1. Enter system view
    Command: system-view
Step 2. Specify an authentication domain for MAC authentication users (Required; use either approach)
    In system view: mac-authentication domain domain-name
    In interface view: interface interface-type interface-number, then mac-authentication domain domain-name
    Remarks: By default, no authentication domain is specified and the system default authentication domain is used for MAC authentication users.

Configuring a MAC authentication guest VLAN
Configuration prerequisites
Before you configure a MAC authentication guest VLAN on a port, complete the following tasks:
• Enable MAC authentication.
• Enable MAC-based VLAN on the port.
• Create the VLAN to be specified as the MAC authentication guest VLAN.
Configuration procedure
Follow these steps to configure a MAC authentication guest VLAN:
Step 1. Enter system view
    Command: system-view
Step 2. Enter Layer 2 Ethernet interface view
    Command: interface interface-type interface-number
Step 3. Configure a MAC authentication guest VLAN
    Command: mac-authentication guest-vlan guest-vlan-id
    Remarks: Required. By default, no MAC authentication guest VLAN is configured. You can configure only one MAC authentication guest VLAN on a port.

Follow the guidelines in Table 8 when configuring a MAC authentication guest VLAN on a port.