HP A 5120 Manual

    101 
Table 8 Relationships of the MAC authentication guest VLAN with other security features

Feature: MAC authentication quiet function
Relationship description: The MAC authentication guest VLAN function has higher priority. A user can access any resources in the guest VLAN.
Reference: MAC authentication timers

Feature: Port intrusion protection
Relationship description: The MAC authentication guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
Reference: The chapter "Port security configuration"

Feature: 802.1X guest VLAN on a port that performs MAC-based access control
Relationship description: The MAC authentication guest VLAN has a lower priority.
Reference: The chapter "802.1X configuration"
     
Displaying and maintaining MAC authentication

To do: Display the MAC authentication related information
Use the command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do: Clear the MAC authentication statistics
Use the command: reset mac-authentication statistics [ interface interface-list ]
Remarks: Available in user view
     
    MAC authentication configuration examples 
    Local MAC authentication configuration example 
    Network requirements 
In the network in Figure 37, perform local MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Ensure that:
• All users belong to domain aabbcc.net.
• Local users use their MAC address as the username and password for MAC authentication. The MAC addresses are hyphen separated and in lower case.
• The access device detects whether a user has gone offline every 180 seconds. When a user fails authentication, the device does not authenticate the user within 180 seconds.
Figure 37 Network diagram for local MAC authentication
[Figure 37: the host (supplicant, MAC 00e0-fc12-3456) connects to port GE1/0/1 of the device (authenticator), which connects to the IP network.]
    Configuration procedure 
    1. Configure local MAC authentication. 
    # Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address 
    of the user host, and enable LAN access service for the account. 
<Device> system-view
    [Device] local-user 00-e0-fc-12-34-56 
    [Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56 
    [Device-luser-00-e0-fc-12-34-56] service-type lan-access 
    [Device-luser-00-e0-fc-12-34-56] quit 
    # Configure ISP domain aabbcc.net, and perform local authentication for LAN access users. 
    [Device] domain aabbcc.net 
    [Device-isp-aabbcc.net] authentication lan-access local 
    [Device-isp-aabbcc.net] quit 
    # Enable MAC authentication globally. 
    [Device] mac-authentication 
    # Enable MAC authentication for port GigabitEthernet 1/0/1.  
    [Device] mac-authentication interface gigabitethernet 1/0/1 
    # Specify the ISP domain for MAC authentication. 
    [Device] mac-authentication domain aabbcc.net 
    # Set the MAC authentication timers. 
    [Device] mac-authentication timer offline-detect 180 
    [Device] mac-authentication timer quiet 180 
# Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lowercase.
    [Device] mac-authentication user-name-format mac-address with-hyphen lowercase 
    2. Verify the configuration. 
    # Display MAC authentication settings and statistics. 
<Device> display mac-authentication
    MAC address authentication is enabled. 
     User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx 
     Fixed username:mac 
     Fixed password:not configured 
              Offline detect period is 180s 
              Quiet period is 180s. 
              Server response timeout value is 100s 
              The max allowed user number is 1024 per slot 
              Current user number amounts to 1 
              Current domain is aabbcc.net 
    Silent Mac User info: 
              MAC Addr         From Port                    Port Index 
    Gigabitethernet1/0/1 is link-up 
      MAC address authentication is enabled 
      Authenticate success: 1, failed: 0 
 Max number of on-line users is 256
      Current online user number is 1 
              MAC Addr         Authenticate state           Auth Index 
              00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29 
# After the user passes authentication, use the display connection command to display the online user information.
<Device> display connection
     
Index=29  ,Username=00-e0-fc-12-34-56@aabbcc.net
    MAC=00e0-fc12-3456 
    IP=N/A 
    IPv6=N/A 
     Total 1 connection(s) matched. 
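The example above provisions the account name in exactly the form the switch will send it (mac-address with-hyphen lowercase, so 00-e0-fc-12-34-56), while display output shows the same MAC as 00e0-fc12-3456. The following Python helper is added here and is not code from the HP manual: it converts between those forms, builds the local-user commands for a list of MACs, and derives the Username field expected in display connection; the without-hyphen and uppercase keywords are assumed from the command syntax, since the page shows only with-hyphen lowercase. The same account-name rule applies to the MAC-based accounts created on the RADIUS server in the ACL assignment example later on this page.

```python
import re

def parse_mac(text):
    """Accept the forms seen on switches and in server logs (00e0-fc12-3456,
    00-e0-fc-12-34-56, 00:e0:fc:12:34:56, 00e0.fc12.3456, 00e0fc123456)
    and return the six raw octets; anything else is rejected."""
    if re.search(r"[^0-9A-Fa-f:.\-]", text):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = re.sub(r"[:.\-]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def mac_username(mac, with_hyphen=True, lowercase=True):
    """Render the octets the way `mac-authentication user-name-format
    mac-address { with-hyphen | without-hyphen } { lowercase | uppercase }`
    makes the switch send the username (the manual shows with-hyphen lowercase;
    the other keywords are assumed from the command syntax)."""
    octets = [f"{b:02x}" for b in mac]
    name = "-".join(octets) if with_hyphen else "".join(octets)
    return name if lowercase else name.upper()

def comware_display(mac):
    """The xxxx-xxxx-xxxx form used by display mac-authentication and display connection."""
    h = mac.hex()
    return f"{h[:4]}-{h[4:8]}-{h[8:]}"

def connection_username(mac, domain, with_hyphen=True, lowercase=True):
    """Username=<account>@<domain> as display connection reports it."""
    return f"{mac_username(mac, with_hyphen, lowercase)}@{domain}"

def local_user_commands(macs, with_hyphen=True, lowercase=True):
    """System-view commands mirroring the manual's local example for each MAC:
    the account name and password are both the MAC, and the account is limited
    to lan-access. The same MAC given in different notations yields one account."""
    fmt = (f"{'with-hyphen' if with_hyphen else 'without-hyphen'} "
           f"{'lowercase' if lowercase else 'uppercase'}")
    lines = [f"mac-authentication user-name-format mac-address {fmt}"]
    for mac in sorted({parse_mac(m) for m in macs}):
        name = mac_username(mac, with_hyphen, lowercase)
        lines += [f"local-user {name}",
                  f" password simple {name}",
                  " service-type lan-access",
                  " quit"]
    return lines

if __name__ == "__main__":
    # Constructed input: the host from Figure 37 plus a second, made-up MAC.
    for line in local_user_commands(["00e0-fc12-3456", "00:E0:FC:12:34:56", "0011.2233.4455"]):
        print(line)
```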
    RADIUS-based MAC authentication configuration example 
    Network requirements 
As shown in Figure 38, a host connects to the device through port GigabitEthernet 1/0/1. The device uses RADIUS servers for authentication, authorization, and accounting.
Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Ensure that:
• The device detects whether a user has gone offline every 180 seconds. If a user fails authentication, the device does not authenticate the user within 180 seconds.
• All MAC authentication users belong to ISP domain 2000 and share the user account aaa with password 123456.
Figure 38 Network diagram for RADIUS-based MAC authentication
[Figure 38: the host connects to port GE1/0/1 of the device, which connects to the IP network and to the RADIUS servers (authentication 10.1.1.1, accounting 10.1.1.2).]
    Configuration procedure 
     
NOTE:
    Ensure that the RADIUS server and the access device can reach each other. Create a shared account 
    for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 
    for the account.  
    1. Configure RADIUS-based MAC authentication on the device. 
    # Configure a RADIUS scheme. 
<Device> system-view
[Device] radius scheme 2000
    [Device-radius-2000] primary authentication 10.1.1.1 1812 
    [Device-radius-2000] primary accounting 10.1.1.2 1813 
    [Device-radius-2000] key authentication abc 
    [Device-radius-2000] key accounting abc 
    [Device-radius-2000] user-name-format without-domain 
    [Device-radius-2000] quit 
    # Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting. 
    [Device] domain 2000 
    [Device-isp-2000] authentication default radius-scheme 2000 
    [Device-isp-2000] authorization default radius-scheme 2000 
    [Device-isp-2000] accounting default radius-scheme 2000 
    [Device-isp-2000] quit 
    # Enable MAC authentication globally. 
    [Device] mac-authentication 
    # Enable MAC authentication on port GigabitEthernet 1/0/1. 
    [Device] mac-authentication interface gigabitethernet 1/0/1 
    # Specify the ISP domain for MAC authentication. 
    [Device] mac-authentication domain 2000 
    # Set the MAC authentication timers. 
    [Device] mac-authentication timer offline-detect 180 
    [Device] mac-authentication timer quiet 180 
    # Specify username aaa and password 123456 for the account shared by MAC authentication users.  
    [Device] mac-authentication user-name-format fixed account aaa password simple 123456 
    2. Verify the configuration. 
    # Display MAC authentication settings and statistics. 
<Device> display mac-authentication
    MAC address authentication is enabled. 
    User name format is fixed account 
     Fixed username:aaa 
     Fixed password:123456 
              Offline detect period is 180s 
              Quiet period is 180s. 
              Server response timeout value is 100s 
              The max allowed user number is 1024 per slot 
              Current user number amounts to 1 
              Current domain is 2000 
    Silent Mac User info: 
             MAC ADDR               From Port           Port Index 
    Gigabitethernet1/0/1 is link-up 
      MAC address authentication is enabled 
      Authenticate success: 1, failed: 0 
     Max number of on-line users is 256 
      Current online user number is 1 
        MAC ADDR         Authenticate state           Auth Index 
    00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29
# After the user passes authentication, use the display connection command to display the online user information.
<Device> display connection
     
    Index=29  ,Username=aaa@2000 
    MAC=00e0-fc12-3456 
    IP=N/A 
    IPv6=N/A 
     Total 1 connection(s) matched. 
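Both configuration examples end with display mac-authentication, and its text is the natural input for checking that a switch matches the intended policy. The following Python script is added here and is not from the HP manual: it parses a sample modelled on the RADIUS-based example's output (constructed, not captured from a device), compares the result with the expected domain and timers, and reports per-port failures. It also flags fixed-account mode, where every host presents the same aaa credential, so the Username column of display connection no longer distinguishes hosts.

```python
import re

# Constructed sample modelled on the display mac-authentication output above (fixed-account mode).
SAMPLE_OUTPUT = """\
MAC address authentication is enabled.
User name format is fixed account
 Fixed username:aaa
 Fixed password:123456
          Offline detect period is 180s
          Quiet period is 180s.
          Current domain is 2000
Gigabitethernet1/0/1 is link-up
  MAC address authentication is enabled
  Authenticate success: 1, failed: 0
    MAC ADDR         Authenticate state           Auth Index
    00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29
"""

def parse_mac_auth(output):
    """Extract the global settings and the per-port counters and online users."""
    info = {"ports": {}}
    port = None  # None while still in the global section
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.match(r"^(\S+) is link-(up|down)$", line):
            port = m.group(1)
            info["ports"][port] = {"link": m.group(2), "users": []}
        elif m := re.match(r"^MAC address authentication is (enabled|disabled)", line):
            (info["ports"][port] if port else info)["mac_auth"] = m.group(1) == "enabled"
        elif m := re.match(r"^User name format is (.+)$", line):
            info["name_format"] = "fixed" if m.group(1).startswith("fixed") else "mac-address"
        elif m := re.match(r"^Fixed (username|password):(.*)$", line):
            info["fixed_" + m.group(1)] = m.group(2).strip()
        elif m := re.match(r"^(Offline detect|Quiet) period is (\d+)s", line):
            info["quiet" if m.group(1) == "Quiet" else "offline_detect"] = int(m.group(2))
        elif m := re.match(r"^Current domain is (\S+)$", line):
            info["domain"] = m.group(1)
        elif m := re.match(r"^Authenticate success: (\d+), failed: (\d+)$", line):
            info["ports"][port].update(success=int(m.group(1)), failed=int(m.group(2)))
        elif m := re.match(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+\d+$", line):
            info["ports"][port]["users"].append((m.group(1), m.group(2)))
    return info

def audit(info, expected_domain, offline_detect=180, quiet=180):
    """Compare the parsed state with the intended policy and return findings."""
    findings = []
    if not info.get("mac_auth"):
        findings.append("MAC authentication is not enabled globally")
    if info.get("domain") != expected_domain:
        findings.append(f"domain is {info.get('domain')}, expected {expected_domain}")
    for key, want in (("offline_detect", offline_detect), ("quiet", quiet)):
        if info.get(key) != want:
            findings.append(f"{key} timer is {info.get(key)}s, expected {want}s")
    if info.get("name_format") == "fixed":
        findings.append(f"fixed account {info.get('fixed_username')!r} is shared by all MAC "
                        "users, so display connection cannot tell hosts apart by username")
        if info.get("fixed_password") not in ("", "not configured"):
            findings.append("fixed-account password is readable in display output "
                            "(it was set with 'password simple')")
    for name, p in info["ports"].items():
        if p.get("failed"):
            findings.append(f"{name}: {p['failed']} failed authentication(s)")
    return findings
```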
    ACL assignment configuration example 
    Network requirements 
As shown in Figure 39, a host connects to the device's port GigabitEthernet 1/0/1, and the device uses RADIUS servers for authentication, authorization, and accounting.
Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Ensure that an authenticated user can access the Internet but not the FTP server at 10.0.0.1.
Use MAC-based user accounts for MAC authentication users. The MAC addresses are hyphen separated and in lower case.
Figure 39 Network diagram for ACL assignment
[Figure 39: the host (192.168.1.10) connects to port GE1/0/1 of the switch, which connects to the Internet, the FTP server (10.0.0.1), and the RADIUS servers (authentication 10.1.1.1, accounting 10.1.1.2).]
    Configuration procedure 
     
NOTE:
    Check that the RADIUS server and the access device can reach each other.  
    1. Configure the ACL assignment. 
    # Configure ACL 3000 to deny packets destined for 10.0.0.1. 
<Sysname> system-view
    [Sysname] acl number 3000 
    [Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 
    [Sysname-acl-adv-3000] quit 
    2. Configure RADIUS-based MAC authentication on the device. 
    # Configure the RADIUS scheme. 
[Sysname] radius scheme 2000
    [Sysname-radius-2000] primary authentication 10.1.1.1 1812 
    [Sysname-radius-2000] primary accounting 10.1.1.2 1813 
    [Sysname-radius-2000] key authentication abc 
    [Sysname-radius-2000] key accounting abc 
    [Sysname-radius-2000] user-name-format without-domain 
    [Sysname-radius-2000] quit 
    # Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting. 
    [Sysname] domain 2000 
    [Sysname-isp-2000] authentication default radius-scheme 2000 
    [Sysname-isp-2000] authorization default radius-scheme 2000 
    [Sysname-isp-2000] accounting default radius-scheme 2000 
    [Sysname-isp-2000] quit 
    # Enable MAC authentication globally.  
    [Sysname] mac-authentication 
    # Specify the ISP domain for MAC authentication users. 
    [Sysname] mac-authentication domain 2000 
# Configure the device to use MAC-based user accounts, with the MAC addresses hyphen separated and in lowercase.
    [Sysname] mac-authentication user-name-format mac-address with-hyphen lowercase 
    # Enable MAC authentication for port GigabitEthernet 1/0/1. 
    [Sysname] interface gigabitethernet 1/0/1 
    [Sysname-GigabitEthernet1/0/1] mac-authentication 
    3. Configure the RADIUS servers. 
    # Add a user account with 00-e0-fc-12-34-56 as both the username and password on the RADIUS server, 
    and specify ACL 3000 as the server-assigned ACL for the user account. (Details not shown) 
    4. Verify the configuration. 
After the host passes authentication, perform the display connection command on the device to view the online user information.
    [Sysname-GigabitEthernet1/0/1] display connection 
     
    Index=9   , Username=00-e0-fc-12-34-56@2000 
     IP=N/A 
     IPv6=N/A 
     MAC=00e0-fc12-3456 
     
    Total 1 connection(s) matched. 
Ping the FTP server from the host to verify that ACL 3000 has been assigned to port GigabitEthernet 1/0/1 to deny access to the FTP server.
    C:\>ping 10.0.0.1 
     
    Pinging 10.0.0.1 with 32 bytes of data: 
     
    Request timed out. 
    Request timed out. 
Request timed out.
Request timed out.
     
    Ping statistics for 10.0.0.1: 
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    Portal configuration 
    Portal overview 
    Introduction to portal 
Portal authentication helps control access to the Internet. Portal authentication is also called "web authentication". A website implementing portal authentication is called a portal website.
With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website; but to access the Internet, a user must pass portal authentication.
A user can access a known portal website and enter a username and password for authentication. This authentication mode is called active authentication. There is another authentication mode, forced authentication, in which the access device forces a user who is trying to access the Internet through Hypertext Transfer Protocol (HTTP) to log on to a portal website for authentication.
The portal feature provides the flexibility for Internet service providers (ISPs) to manage services. A portal website can, for example, present advertisements and deliver community and personalized services. In this way, broadband network providers, equipment vendors, and content service providers form an industrial ecological system.
    Extended portal functions 
By forcing users to implement patching and anti-virus policies, extended portal functions help users to defend against viruses. The main extended functions are described as follows:
• Security check: Works after identity authentication succeeds to check whether the required anti-virus software, virus definition file, and operating system (OS) patches are installed, and whether there is any unauthorized software installed on the user host.
• Resource access restriction: A user passing identity authentication can access only network resources in the quarantined area, such as the anti-virus server and patch server. Only users passing both identity authentication and security check can access restricted network resources.
    Portal system components 
As shown in Figure 40, a typical portal system consists of five basic components: authentication client, access device, portal server, authentication/accounting server, and security policy server.
Figure 40 Portal system components
[Figure 40: authentication clients connect through the access device, which communicates with the portal server, the authentication/accounting server, and the security policy server.]
    Authentication client 
An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. The client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.
Access device
An access device controls user access. It can be a switch or router that provides the following three functions:
• Redirecting all HTTP requests from unauthenticated users in authentication subnets to the portal server.
• Interacting with the portal server, security policy server and authentication/accounting server for identity authentication, security check, and accounting.
• Allowing users who have passed identity authentication and security check to access granted Internet resources.
Portal server
A portal server listens to authentication requests from authentication clients and exchanges client authentication information with the access device. It provides free portal services and pushes web authentication pages to users.
Authentication/accounting server
An authentication/accounting server implements user authentication and accounting through interaction with the access device.
Security policy server
A security policy server interacts with authentication clients and access devices for security check and resource authorization.
    The five components interact in the following procedure: 
    1. When an unauthenticated user enters a website address in the browser’s address bar to access the 
Internet, an HTTP request is created and sent to the access device, which redirects the HTTP request
    to the portal server’s web authentication homepage. For extended portal functions, authentication 
    clients must run the portal client software. 
    2. On the authentication homepage/authentication dialog box, the user enters and submits the 
    authentication information, which the portal server then transfers to the access device.  
    3. Upon receipt of the authentication information, the access device communicates with the 
    authentication/accounting server for authentication and accounting.  
    4. After successful authentication, the access device checks whether there is a security policy for the 
    user. If not, it allows the user to access the Internet. Otherwise, the client communicates with the 
    access device and security policy server for security check. If the client passes security check, the 
    security policy server authorizes the user to access the Internet resources.  
NOTE:
• An authentication client uses its IP address as its ID. To avoid authentication failures due to address translations, make sure that there is no Network Address Translation (NAT) device between the authentication client, access device, portal server, and authentication/accounting server when deploying portal authentication.
• Only a RADIUS server can serve as the remote authentication/accounting server in a portal system.
• To implement security check, the client must be the iNode client.
    Portal system using the local portal server 
    System components 
In addition to using a separate device as the portal server, a portal system can also use the local portal server function of the access device to authenticate web users directly. In this case, the portal system consists of only three components: authentication client, access device, and authentication/accounting server, as shown in Figure 41.
Figure 41 Portal system using the local portal server
[Figure 41: authentication client, access device with embedded portal server, and authentication/accounting server.]
NOTE:
• A portal system using the local portal server does not support extended portal functions. You do not need to configure any security policy server for it.
• The local portal server function of the access device implements only some simple portal server functions. It only allows users to log on and log off through the web interface. It cannot completely take the place of an independent portal server.
    Protocols used for interaction between the client and local portal server 
HTTP and HTTPS can be used for interaction between an authentication client and an access device providing the local portal server function. If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text; if HTTPS is used, secure data transmission is ensured because HTTPS packets are transferred in cipher text based on SSL.