HP A 5120 Manual

    # Configure bbb as the default ISP domain. Then, if a user enters a username without any ISP domain at 
    login, the authentication and accounting methods of the default domain will be used for the user. 
    [SwitchA] domain default enable bbb 
    2. Configure the RADIUS server 
    # Create RADIUS user aaa and enter its view. 
    <SwitchB> system-view 
    [SwitchB] radius-server user aaa 
    # Configure simple-text password aabbcc for user aaa.  
    [SwitchB-rdsuser-aaa] password simple aabbcc 
    [SwitchB-rdsuser-aaa] quit 
    # Specify the IP address of the RADIUS client as 10.1.1.1 and the shared key as abc.  
    [SwitchB] radius-server client-ip 10.1.1.1 key abc 
    Verification 
    After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Switch A. Use 
    the display connection command to view the connection information on Switch A.  
    <SwitchA> display connection 
    Index=1   ,Username=aaa@bbb 
    IP=192.168.1.2 
    IPv6=N/A 
     Total 1 connection(s) matched. 
    Troubleshooting AAA 
    Troubleshooting RADIUS 
    Symptom 1 
    User authentication/authorization always fails. 
    Analysis 
    1. A communication failure exists between the NAS and the RADIUS server. 
    2. The username is not in the format of userid@isp-name or no default ISP domain is specified for the 
    NAS. 
    3. The user is not configured on the RADIUS server. 
    4. The password entered by the user is incorrect. 
    5. The RADIUS server and the NAS are configured with different shared key. 
    Solution 
    Check that: 
    1. The NAS and the RADIUS server can ping each other. 
    2. The username is in the userid@isp-name format, or a default ISP domain is specified on the NAS.  
    3. The user is configured on the RADIUS server. 
    4. The correct password is entered. 
    5. The same shared key is configured on both the RADIUS server and the NAS. A mismatched key typically 
    shows up as a timeout rather than a reject, because the NAS silently discards responses whose Response 
    Authenticator (computed with the shared key) does not verify.  
    Symptom 2 
    RADIUS packets cannot reach the RADIUS server. 
    Analysis 
    1. The communication link between the NAS and the RADIUS server is down (at the physical layer 
    and data link layer). 
    2. The NAS is not configured with the IP address of the RADIUS server. 
    3. The UDP ports for authentication/authorization and accounting are not correct. 
    4. The port numbers of the RADIUS server for authentication, authorization and accounting are being 
    used by other applications. 
    Solution 
    Check that: 
    1. The communication links between the NAS and the RADIUS server work well at both physical and 
    link layers. 
    2. The IP address of the RADIUS server is correctly configured on the NAS. 
    3. UDP ports for authentication/authorization/accounting configured on the NAS are the same as 
    those configured on the RADIUS server. The standard ports are UDP 1812 for authentication and 
    1813 for accounting; some older servers still use 1645 and 1646. 
    4. The port numbers of the RADIUS server for authentication, authorization and accounting are 
    available.  
    Symptom 3 
    A user is authenticated and authorized, but accounting for the user does not work correctly. 
    Analysis 
    1. The accounting port number is not correct.  
    2. Configuration of the authentication/authorization server and the accounting server are not correct 
    on the NAS. For example, one server is configured on the NAS to provide all the services of 
    authentication/authorization and accounting, but in fact the services are provided by different 
    servers. 
    Solution 
    Check that: 
    1. The accounting port number is correctly set.  
    2. The authentication/authorization server and the accounting server are correctly configured on the 
    NAS. 
    Troubleshooting HWTACACS 
    Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS." 
    
    802.1X fundamentals 
    802.1X is a port-based network access control protocol defined by the IEEE 802.1 working group. It was 
    adopted for securing wireless LANs (WLANs) and is also widely used on Ethernet networks for access 
    control.  
    802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 
    802.1X architecture 
    802.1X operates in the client/server model. It comprises three entities: client (the supplicant), network 
    access device (the authenticator), and the authentication server. 
    Figure 23 802.1X architecture 
     
    • The client is a user terminal seeking access to the LAN. It must have 802.1X software to authenticate 
    to the network access device.  
    • The network access device authenticates the client to control access to the LAN. In a typical 802.1X 
    environment, the network access device uses an authentication server to perform authentication. 
    • The authentication server is the entity that provides authentication services for the network access 
    device. It authenticates 802.1X clients by using the data sent from the network access device, and 
    returns the authentication results for the network access device to make access decisions. The 
    authentication server is typically a Remote Authentication Dial-In User Service (RADIUS) server. In a 
    small LAN, you can also use the network access device as the authentication server. 
    Controlled/uncontrolled port and port authorization status 
    802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any 
    packet arriving at the network access port is visible to both logical ports. 
    • The controlled port allows incoming and outgoing traffic to pass through when it is in the authorized 
    state, and denies incoming and outgoing traffic when it is in the unauthorized state, as shown in 
    Figure 24. The controlled port is set in the authorized state if the client has passed authentication, 
    and in the unauthorized state if the client has failed authentication. 
    • The uncontrolled port is always open to receive and transmit EAPOL frames. 
    Figure 24 Authorization state of a controlled port 
     
     
    In the unauthorized state, a controlled port controls traffic in one of the following ways: 
    • Performs bidirectional traffic control to deny traffic to and from the client. 
    • Performs unidirectional traffic control to deny traffic from the client.  
    NOTE: 
    The HP switches support only unidirectional traffic control. With unidirectional control only frames 
    from the client are dropped; frames destined to the client (for example broadcast frames on the port's 
    VLAN) can still leave the port before authentication succeeds, so an unauthenticated host can observe 
    that traffic even though it cannot inject any.  
    802.1X-related protocols 
    802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information among the 
    client, the network access device, and the authentication server. EAP is an authentication framework that 
    uses the client/server model. It supports a variety of authentication methods, including MD5-Challenge, 
    EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).  
    802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the network 
    access device over a wired or wireless LAN. Between the network access device and the authentication 
    server, 802.1X delivers authentication information in one of the following methods:  
    • Encapsulates EAP packets in RADIUS by using EAP over RADIUS (EAPOR), as described in "EAP 
    relay." 
    • Extracts authentication information from the EAP packets and encapsulates the information in 
    standard RADIUS packets, as described in "EAP termination." 
    Packet format 
    EAP packet format 
    Figure 25 shows the EAP packet format.  
    Figure 25 EAP packet format 
     
    • Code: Type of the EAP packet. Options include Request (1), Response (2), Success (3), and Failure (4). 
    • Identifier: Used for matching Responses with Requests. 
    • Length: Length (in bytes) of the EAP packet, which is the sum of the Code, Identifier, Length, and 
    Data fields. 
    • Data: Content of the EAP packet. This field appears only in a Request or Response EAP packet. The 
    field comprises the request type (or the response type) and the type data. Type 1 (Identity) and type 
    4 (MD5-Challenge) are two examples for the type field.  
    EAPOL packet format 
    Figure 26 shows the EAPOL packet format. 
    Figure 26 EAPOL packet format 
     
    • PAE Ethernet type: Protocol type. It takes the value 0x888E for EAPOL. 
    • Protocol version: The EAPOL protocol version used by the EAPOL packet sender. 
    • Type: Type of the EAPOL packet. Table 5 lists the types of EAPOL packets that the HP implementation 
    of 802.1X supports. 
    Table 5 Types of EAPOL packets 
    Value Type Description 
    0x00 EAP-Packet The client and the network access device use EAP-Packets to transport 
    authentication information.  
    0x01 EAPOL-Start The client sends an EAPOL-Start message to initiate 802.1X authentication 
    to the network access device.  
    0x02 EAPOL-Logoff The client sends an EAPOL-Logoff message to tell the network access device 
    that it is logging off.  
     
    • Length: Data length in bytes, or length of the Packet body. If the packet type is EAPOL-Start or 
    EAPOL-Logoff, this field is set to 0, and no Packet body field follows. 
    • Packet body: Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body 
    field contains an EAP packet.  
    EAP over RADIUS 
    RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP 
    authentication. For the RADIUS packet format, see the chapter "AAA configuration." 
    EAP-Message 
    RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 27. The Type field 
    takes 79, and the Value field can be up to 253 bytes. If an EAP packet is longer than 253 bytes, RADIUS 
    encapsulates it in multiple EAP-Message attributes, which the receiver concatenates in order. 
    Figure 27 EAP-Message attribute format 
     
     
    Message-Authenticator 
    RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to 
    check their integrity. The attribute value is an HMAC-MD5 computed over the whole RADIUS packet and 
    keyed with the shared key configured on the NAS and the server. The packet receiver recomputes the 
    HMAC and drops the packet if the result differs from the Message-Authenticator attribute value. The 
    Message-Authenticator prevents EAP authentication packets from being tampered with or spoofed during 
    EAP authentication; it is also why a mismatched shared key causes EAP packets to be silently discarded.  
    Figure 28 Message-Authenticator attribute format 
     
     
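    The two attributes above in working form, as an added Python example that is not HP code: an EAP packet longer than 253 bytes is split across several EAP-Message attributes, packed into a RADIUS Access-Request, and protected by a Message-Authenticator; the receiver reassembles the EAP packet and verifies the HMAC. The attribute number 79 is from the text; Message-Authenticator being attribute 80 and its HMAC-MD5 construction (keyed with the shared secret, computed with the attribute's own value set to zeros) are taken from RFC 2869 and RFC 3579, not from this page. The EAP payload, Request Authenticator and shared key are constructed for the example (the key abc is the one from the configuration example above).

```python
"""EAP-Message fragmentation and Message-Authenticator on a RADIUS Access-Request.

Added example, not HP code. Constructed inputs only; no network traffic is sent.
"""
import hashlib
import hmac
import struct

ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80      # RFC 2869 section 5.14
MAX_ATTR_VALUE = 253                 # 255-byte attribute minus the Type and Length octets
CODE_ACCESS_REQUEST = 1


def eap_message_attrs(eap_packet: bytes) -> bytes:
    """Split an EAP packet into EAP-Message attributes of at most 253 value bytes each."""
    out = b""
    for i in range(0, len(eap_packet), MAX_ATTR_VALUE):
        chunk = eap_packet[i:i + MAX_ATTR_VALUE]
        out += struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    return out


def reassemble_eap(attrs: bytes) -> bytes:
    """Concatenate the values of all EAP-Message attributes, in order of appearance."""
    eap, pos = b"", 0
    while pos < len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            raise ValueError("malformed attribute")
        if t == ATTR_EAP_MESSAGE:
            eap += attrs[pos + 2:pos + l]
        pos += l
    return eap


def build_access_request(ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Append a Message-Authenticator and fill it with HMAC-MD5 over the whole packet
    (Code, Identifier, Length, Request Authenticator, Attributes) with its value zeroed."""
    attrs = attrs + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac           # the zeroed value is the last 16 bytes; replace it


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute value zeroed and compare in constant time."""
    pos, found = 20, None
    while pos + 1 < len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2:
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            found = pos
        pos += l
    if found is None:
        return False                 # RFC 3579: EAP-Message without Message-Authenticator is discarded
    zeroed = pkt[:found + 2] + bytes(16) + pkt[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[found + 2:found + 18])


# Constructed input: a 300-byte EAP-Response (Code 2, Identifier 7, Type 4) that needs two fragments.
SECRET = b"abc"                      # shared key from the configuration example; far too short for real use
EAP_RESPONSE = struct.pack("!BBHB", 2, 7, 300, 4) + bytes(295)
REQ_AUTH = bytes(range(16))          # stand-in for the 16 random Request Authenticator bytes
PACKET = build_access_request(42, REQ_AUTH, eap_message_attrs(EAP_RESPONSE), SECRET)

if __name__ == "__main__":
    print("attribute bytes:", len(eap_message_attrs(EAP_RESPONSE)))
    print("verifies with correct key:", verify_message_authenticator(PACKET, SECRET))
    print("verifies with wrong key:", verify_message_authenticator(PACKET, b"wrong"))
```

    Because the HMAC is keyed with the shared secret, the same function also explains Symptom 1 in the RADIUS troubleshooting section: with a mismatched key every EAP-carrying packet fails this check and is discarded, which the user experiences as a timeout. The short key used here is only the manual's example value; the secret should be long and random, since this HMAC and RADIUS's password hiding both rest on it.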
    Initiating 802.1X authentication 
    Both the 802.1X client and the access device can initiate 802.1X authentication. 
    802.1X client as the initiator 
    The client sends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The 
    destination MAC address of the packet can be the IEEE 802.1X specified multicast address 01-80-C2-00-
    00-03 or the broadcast MAC address. If any intermediate device between the client and the access device 
    does not forward frames sent to this multicast address, you must use an 802.1X client, the iNode 802.1X 
    client for example, that can send broadcast EAPOL-Start packets. 
    Access device as the initiator 
    The access device initiates authentication if a client (the 802.1X client available with Windows XP, for 
    example) does not send EAPOL-Start packets. 
    The access device supports the following modes:  
    • Multicast trigger mode—The access device multicasts EAP-Request/Identity packets periodically 
    (every 30 seconds by default) to initiate 802.1X authentication.  
    • Unicast trigger mode—Upon receiving a frame with a source MAC address that is not in the MAC 
    address table, the access device sends an EAP-Request/Identity packet out of the receiving port to 
    the unknown MAC address. It retransmits the packet if no response has been received within a 
    configured time interval. 
    802.1X authentication procedures 
    802.1X authentication has two approaches: EAP relay and EAP termination. You choose either mode 
    depending on whether the RADIUS server supports EAP packets and the EAP authentication method in use.  
    EAP relay is defined in IEEE 802.1X. In this mode, the network access device uses EAPOR packets to send 
    authentication information to the RADIUS server, as shown in Figure 29.  
    Figure 29 EAP relay 
     
     
    In EAP termination mode, the network access device terminates the EAP packets received from the client, 
    encapsulates the client authentication information in standard RADIUS packets, and uses the Password 
    Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP) to authenticate 
    to the RADIUS server, as shown in Figure 30. 
    Figure 30 EAP termination 
     
     
    A comparison of EAP relay and EAP termination 
    EAP relay 
    Benefits: 
    • Supports various EAP authentication methods. 
    • The configuration and processing is simple on the network access device. 
    Limitations: 
    • The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the 
    EAP authentication method used by the client. 
    EAP termination 
    Benefits: 
    • Works with any RADIUS server that supports PAP or CHAP authentication. 
    Limitations: 
    • Supports only MD5-Challenge EAP authentication and the username + password EAP authentication 
    initiated by an iNode 802.1X client. 
    • The processing is complex on the network access device. 
     
    EAP relay 
    Figure 31 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 
    is used. 
    Figure 31 802.1X authentication procedure in EAP relay mode 
     
     
    1. When a user launches the 802.1X client software and enters a registered username and password, 
    the 802.1X client software sends an EAPOL-Start packet to the network access device.  
    2. The network access device responds with an EAP-Request/Identity packet to ask for the client 
    username. 
    						
    							 
    3. In response to the EAP-Request/Identity packet, the client sends the username in an EAP-Response/ 
    Identity packet to the network access device.  
    4. The network access device relays the EAP-Response/Identity packet in a RADIUS Access-Request 
    packet to the authentication server. 
    5. The authentication server uses the identity information in the RADIUS Access-Request to search its 
    user database. If a matching entry is found, the server generates a random challenge, computes the 
    MD5 hash of the EAP Identifier, the stored password, and the challenge, and sends the challenge in an 
    EAP-Request/MD5-Challenge packet encapsulated in a RADIUS Access-Challenge packet to the network 
    access device.  
    6. The network access device relays the EAP-Request/MD5-Challenge packet to the client in an EAPOL 
    frame. 
    7. The client computes the MD5 hash of the EAP Identifier, its password, and the received challenge, 
    and sends the hash in an EAP-Response/MD5-Challenge packet to the network access device.  
    8. The network access device relays the EAP-Response/MD5-Challenge packet in a RADIUS Access- 
    Request packet to the authentication server. 
    9. The authentication server compares the received hash with the one it computed at step 5. If the two 
    are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept 
    packet to the network access device. 
    10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success 
    packet to the client, and sets the controlled port in the authorized state so the client can access the 
    network.  
    11. After the client comes online, the network access device periodically sends handshake requests 
    (EAP-Request/Identity) to check whether the client is still online. 
    12. Upon receiving a handshake request, the client returns a response. If the client fails to respond to a 
    configured number of consecutive handshake requests (two by default), the network access device logs 
    off the client. This handshake mechanism enables timely release of the network resources used by 
    802.1X users that have gone offline abnormally. 
    13. The client can also send an EAPOL-Logoff packet to ask the network access device for a logoff.  
    14. In response to the EAPOL-Logoff packet, the network access device changes the status of the 
    controlled port from authorized to unauthorized and sends an EAP-Failure packet to the client.  
    NOTE: 
    In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the 
    network access device, you only need to execute the dot1x authentication-method eap command to 
    enable EAP relay. EAP-MD5 authenticates only the client, not the server, and derives no keying 
    material; anyone who captures the challenge and the response can test password guesses offline. Prefer 
    EAP-TLS or PEAP where the client and the RADIUS server support them.  
    EAP termination 
    Figure 32 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that 
    CHAP authentication is used.  
    Figure 32 802.1X authentication procedure in EAP termination mode 
     
     
    In EAP termination mode, it is the network access device rather than the authentication server that 
    generates the MD5 challenge used to hash the password (see step 4). The network access device then sends 
    the challenge together with the username and the hashed password (the CHAP response) in a standard 
    RADIUS Access-Request packet to the RADIUS server.  
    [Figure 32 steps: (1) EAPOL-Start; (2) EAP-Request/Identity; (3) EAP-Response/Identity; (4) EAP-Request/ 
    MD5 challenge, generated by the device; (5) EAP-Response/MD5 challenge; (6) RADIUS Access-Request 
    (CHAP-Response/MD5 challenge); (7) RADIUS Access-Accept (CHAP-Success); (8) EAP-Success, port 
    authorized; (9) EAP-Request/Identity and (10) EAP-Response/Identity handshakes; (11) EAPOL-Logoff, 
    followed by EAP-Failure, port unauthorized.] 
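    The MD5-Challenge computation that both procedures rely on (steps 5, 7 and 9 of the relay procedure, and the device-generated challenge of the termination procedure above), as an added Python example that is not part of the HP manual. It assumes the RFC 3748 / RFC 1994 construction Response = MD5(Identifier || password || challenge); in termination mode the result is carried in the RFC 2865 CHAP-Password (3) and CHAP-Challenge (60) attributes, and the example uses the EAP Identifier as the CHAP Ident (an assumption). The user database, EAP Identifier and challenge are constructed for the example; the user and password are the ones from the configuration example at the top of the page.

```python
"""EAP-MD5 challenge/response in EAP relay and EAP termination mode (added example, not HP code)."""
import hashlib
import hmac
import os
import struct

USER_DB = {"aaa@bbb": b"aabbcc"}     # constructed: the user from the configuration example
MD5_CHALLENGE = 4                    # EAP Type for MD5-Challenge
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60


def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || password || challenge): the value both sides compute."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def eap_md5_request(ident: int, challenge: bytes) -> bytes:
    """EAP-Request/MD5-Challenge: Code 1, Type 4, Type-Data = Value-Size || Value."""
    data = bytes([MD5_CHALLENGE, len(challenge)]) + challenge
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data


def client_eap_md5_response(request: bytes, password: bytes) -> bytes:
    """Supplicant side (step 7): hash the password with the received challenge."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    if code != 1 or request[4] != MD5_CHALLENGE:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    size = request[5]
    challenge = request[6:6 + size]
    value = md5_response(ident, password, challenge)
    data = bytes([MD5_CHALLENGE, len(value)]) + value
    return struct.pack("!BBH", 2, ident, 4 + len(data)) + data


def server_verify_relay(identity: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Relay mode (step 9): the server issued the challenge, so it recomputes the expected value."""
    password = USER_DB.get(identity)
    if password is None or len(response) < 22:
        return False
    code, rid, _ = struct.unpack("!BBH", response[:4])
    if code != 2 or rid != ident or response[4] != MD5_CHALLENGE or response[5] != 16:
        return False
    return hmac.compare_digest(response[6:22], md5_response(ident, password, challenge))


def nas_terminate_to_chap(identity: str, ident: int, challenge: bytes, response: bytes) -> bytes:
    """Termination mode: the device generated the challenge itself (step 4) and repackages the
    client's EAP response as User-Name, CHAP-Password and CHAP-Challenge attributes."""
    name = identity.encode()
    value = response[6:22]
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    attrs += struct.pack("!BB", ATTR_CHAP_PASSWORD, 19) + bytes([ident]) + value  # CHAP Ident = EAP Identifier (assumption)
    attrs += struct.pack("!BB", ATTR_CHAP_CHALLENGE, 2 + len(challenge)) + challenge
    return attrs


def server_verify_chap(attrs: bytes) -> bool:
    """Termination mode (steps 6-7): a plain CHAP check; the server needs no EAP support."""
    fields, pos = {}, 0
    while pos + 1 < len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            return False
        fields[t] = attrs[pos + 2:pos + l]
        pos += l
    password = USER_DB.get(fields.get(ATTR_USER_NAME, b"").decode(errors="replace"))
    chap = fields.get(ATTR_CHAP_PASSWORD, b"")
    if password is None or len(chap) != 17 or ATTR_CHAP_CHALLENGE not in fields:
        return False
    return hmac.compare_digest(chap[1:], md5_response(chap[0], password, fields[ATTR_CHAP_CHALLENGE]))


def run_exchange(identity: str, password: bytes, challenge: bytes = None, ident: int = 5):
    """Drive both modes with the same supplicant code; returns (relay_ok, termination_ok)."""
    challenge = challenge or os.urandom(16)
    request = eap_md5_request(ident, challenge)            # issued by the server (relay) or the device (termination)
    response = client_eap_md5_response(request, password)
    relay_ok = server_verify_relay(identity, ident, challenge, response)
    term_ok = server_verify_chap(nas_terminate_to_chap(identity, ident, challenge, response))
    return relay_ok, term_ok

if __name__ == "__main__":
    print("correct password:", run_exchange("aaa@bbb", b"aabbcc"))
    print("wrong password:  ", run_exchange("aaa@bbb", b"guess"))
```

    The supplicant code is identical in both modes; what moves between relay and termination is only which side generates the challenge and which side runs the comparison. Note that md5_response is everything an eavesdropper needs: given a captured challenge and response, the same function tests candidate passwords offline at MD5 speed, which is why EAP-MD5 is unsuitable anywhere the EAPOL exchange can be sniffed.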
    						