
HP A 5120 Manual

802.1X configuration

This chapter describes how to configure 802.1X on an HP device. You can also configure the port security
feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies
to a network, for example, that requires different authentication methods for different users on a port. Port
security is beyond the scope of this chapter. It is described in the chapter "Port security configuration."
HP implementation of 802.1X

Access control methods

HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to
support MAC-based access control.

• With port-based access control, once an 802.1X user passes authentication on a port, any
  subsequent user can access the network through the port without authentication. When the
  authenticated user logs off, all other users are logged off.
• With MAC-based access control, each user is separately authenticated on a port. When a user logs
  off, no other online users are affected.

For more information about the fundamentals of 802.1X, see the chapter "802.1X fundamentals."
Using 802.1X authentication with other features

VLAN assignment

You can configure the authentication server to assign a VLAN for an 802.1X user that has passed
authentication. The way that the network access device handles VLANs on an 802.1X-enabled port differs
by 802.1X access control mode.

Port-based access control:
Assigns the VLAN to the port as the default VLAN. All subsequent 802.1X users can access the default
VLAN without authentication. When the user logs off, the previous default VLAN is restored, and all other
online users are logged off.

MAC-based access control:
• If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address of each user to
  the VLAN assigned by the authentication server. The default VLAN of the port does not change.
  When a user logs off, the MAC-to-VLAN mapping for the user is removed.
• Otherwise, assigns the VLAN of the first authenticated user to the port as the default VLAN. If a
  different VLAN is assigned for a subsequent user, that user cannot pass authentication.

IMPORTANT:
• With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After
  the assignment, do not re-configure the port as a tagged member in the VLAN.
• On a port with periodic online user re-authentication enabled, if a user was already online before you
  enabled the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for
  the user unless the user passes re-authentication and the VLAN for the user has changed.
• For more information about VLAN configuration and MAC-based VLAN, see the Layer 2—LAN Switching
  Configuration Guide.
     
Guest VLAN

You can configure a guest VLAN to accommodate users that have not performed 802.1X authentication
on a port, so they can access a limited set of network resources, such as a software server, to download
anti-virus software and system patches. After a user in the guest VLAN passes 802.1X authentication, it is
removed from the guest VLAN and can access authorized network resources. The way that the network
access device handles VLANs on the port differs by 802.1X access control mode.

1. On a port that performs port-based access control

Authentication status: No 802.1X user has performed authentication or passed authentication within
90 seconds after 802.1X is enabled
VLAN manipulation: Assigns the 802.1X guest VLAN to the port as the default VLAN. All 802.1X users on
this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access
device does not perform any VLAN operation.

Authentication status: A user in the 802.1X guest VLAN fails 802.1X authentication
VLAN manipulation: If an 802.1X Auth-Fail VLAN (see "Auth-Fail VLAN") is available, assigns the
Auth-Fail VLAN to the port as the default VLAN. All users on this port can access only resources in the
Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the default VLAN on the port is still the 802.1X guest
VLAN. All users on the port are in the guest VLAN.

Authentication status: A user in the 802.1X guest VLAN passes 802.1X authentication
VLAN manipulation:
• Assigns the VLAN specified for the user to the port as the default VLAN, and removes the port from
  the 802.1X guest VLAN. After the user logs off, the user-configured default VLAN is restored.
• If the authentication server assigns no VLAN, the user-configured default VLAN applies. The user and
  all subsequent 802.1X users are assigned to the user-configured default VLAN. After the user logs off,
  the default VLAN remains unchanged.
     
2. On a port that performs MAC-based access control

Authentication status: A user has not passed 802.1X authentication yet
VLAN manipulation: Creates a mapping between the MAC address of the user and the 802.1X guest VLAN.
The user can access resources in the guest VLAN.

Authentication status: A user in the 802.1X guest VLAN fails 802.1X authentication
VLAN manipulation: If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user to
the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. If no 802.1X Auth-Fail
VLAN is configured, the user is still in the 802.1X guest VLAN.

Authentication status: A user in the 802.1X guest VLAN passes 802.1X authentication
VLAN manipulation: Re-maps the MAC address of the user to the VLAN specified for the user. If the
authentication server assigns no VLAN, re-maps the MAC address of the user to the initial default VLAN
on the port.

NOTE:
• To use the 802.1X guest VLAN function on a port that performs MAC-based access control, ensure that the
  port is a hybrid port, and enable MAC-based VLAN on the port.
• The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
• For more information about VLAN configuration and MAC-based VLAN, see the Layer 2—LAN Switching
  Configuration Guide.
Auth-Fail VLAN

You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication
because they did not comply with the organization's security policy, for example by using a wrong
password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software
server, to download anti-virus software and system patches.

The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication because of
authentication timeouts or network connection problems. The way that the network access device handles
VLANs on the port differs by 802.1X access control mode.

1. On a port that performs port-based access control

Authentication status: A user fails 802.1X authentication
VLAN manipulation: Assigns the Auth-Fail VLAN to the port as the default VLAN. All 802.1X users on
this port can access only resources in the Auth-Fail VLAN.

Authentication status: A user in the Auth-Fail VLAN fails 802.1X re-authentication
VLAN manipulation: The Auth-Fail VLAN is still the default VLAN on the port, and all 802.1X users on
this port are in this VLAN.

Authentication status: A user passes 802.1X authentication
VLAN manipulation:
• Assigns the VLAN specified for the user to the port as the default VLAN, and removes the port from
  the Auth-Fail VLAN. After the user logs off, the user-configured default VLAN is restored.
• If the authentication server assigns no VLAN, the initial default VLAN applies. The user and all
  subsequent 802.1X users are assigned to the user-configured default VLAN. After the user logs off,
  the default VLAN remains unchanged.

2. On a port that performs MAC-based access control

Authentication status: A user fails 802.1X authentication
VLAN manipulation: Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access
only resources in the Auth-Fail VLAN.

Authentication status: A user in the Auth-Fail VLAN fails 802.1X re-authentication
VLAN manipulation: The user is still in the Auth-Fail VLAN.

Authentication status: A user in the Auth-Fail VLAN passes 802.1X authentication
VLAN manipulation: Re-maps the MAC address of the user to the server-assigned VLAN. If the
authentication server assigns no VLAN, re-maps the MAC address of the user to the initial default VLAN
on the port.

NOTE:
• To use the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you must
  ensure that the port is a hybrid port, and enable MAC-based VLAN on the port.
• The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.
• For more information about VLAN configuration and MAC-based VLAN, see the Layer 2—LAN Switching
  Configuration Guide.
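The following configuration example is added here and is not taken from the manual. It puts the two
notes above into practice on a MAC-based port: the port is made a hybrid port, MAC-based VLAN is
enabled, and a guest VLAN and an Auth-Fail VLAN are attached. The VLAN IDs and the interface are
illustrative. The dot1x guest-vlan and dot1x auth-fail vlan commands belong to later sections of this
chapter, and the vlan, port link-type, port hybrid vlan and mac-vlan enable commands to the Layer 2—LAN
Switching Configuration Guide; none of them are reproduced on this page, and the syntax follows the
Comware V5 releases used on the A5120, so check the command reference for your release.

```text
system-view
# Remediation VLANs and the VLAN the authentication server will assign (illustrative IDs)
vlan 20
 description guest-remediation
 quit
vlan 30
 description auth-fail-remediation
 quit
vlan 100
 description corp-users
 quit
dot1x
interface GigabitEthernet 1/0/7
 # Guest VLAN and Auth-Fail VLAN on a MAC-based port require a hybrid port
 # with MAC-based VLAN enabled (see the NOTE above). The device adds the port
 # to the guest/Auth-Fail/assigned VLAN as an untagged member; never tag it.
 port link-type hybrid
 port hybrid vlan 20 30 100 untagged
 mac-vlan enable
 dot1x port-method macbased
 dot1x
 # Unauthenticated MACs are mapped to VLAN 20; MACs that fail with bad
 # credentials are re-mapped to VLAN 30; MACs that pass go to the
 # server-assigned VLAN, or to the initial default VLAN if none is assigned.
 dot1x guest-vlan 20
 dot1x auth-fail vlan 30
 quit
# Verify which VLAN each online or guest MAC address landed in
display dot1x interface GigabitEthernet 1/0/7
display mac-vlan all
```

Two points to keep in mind when using this: every device that has not authenticated, or that supplied wrong
credentials, ends up with Layer 2 access to VLAN 20 or VLAN 30, so those VLANs must be restricted (by
ACLs or a firewall) to the remediation servers alone; and, as the section states, a user whose attempt ends
in a timeout or a connection problem is not moved to the Auth-Fail VLAN, so a supplicant that stays silent is
handled by the guest VLAN rule, not the Auth-Fail rule.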
ACL assignment

You can specify an ACL for an 802.1X user to control its access to network resources. After the user
passes 802.1X authentication, the authentication server, either the local access device or a RADIUS
server, assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the
ACL on the access device. You can change ACL rules while the user is online.
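As an added example (not from the manual), the following configuration shows ACL assignment with the
access device itself acting as the authentication server: the ACL is defined on the switch and referenced
from the local user account, so the user's traffic is filtered by that ACL as soon as the user is
authenticated. The ACL number, addresses, username, password and interface are illustrative; the acl,
local-user and domain commands are documented in the ACL and AAA chapters rather than on this page,
and the syntax follows the Comware V5 releases used on the A5120.

```text
system-view
# ACL applied to the user's traffic once alice is authenticated
# (illustrative policy: reach the 10.10.20.0/24 servers and DNS, drop the rest)
acl number 3000
 rule 0 permit ip destination 10.10.20.0 0.0.0.255
 rule 5 permit udp destination-port eq 53
 rule 10 deny ip
 quit
# Local 802.1X account: service type must be lan-access (see the prerequisites
# below); authorization-attribute binds ACL 3000 to the user
local-user alice
 password simple Alic3-Example-Pw
 service-type lan-access
 authorization-attribute acl 3000
 quit
# ISP domain that authenticates and authorizes lan-access users locally
domain lab
 authentication lan-access local
 authorization lan-access local
 accounting lan-access none
 quit
domain default enable lab
# Enable 802.1X globally and on the user-facing port
dot1x
interface GigabitEthernet 1/0/5
 dot1x
 quit
# After alice logs in, check the session and the AAA connection record
display dot1x sessions interface GigabitEthernet 1/0/5
display connection
```

When a RADIUS server assigns the ACL instead, the number it returns must match an ACL that already
exists on the switch; define the ACL before users start authenticating. Because rules can be edited while
the user is online, a change to ACL 3000 takes effect on every user it is currently applied to, which is
convenient for tightening a policy but also means a careless edit opens access for all of them at once.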
Configuring 802.1X

Configuration prerequisites

• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
• If RADIUS authentication is used, create user accounts on the RADIUS server.
• If local authentication is used, create local user accounts on the access device and set the service
  type to lan-access.

For more information about RADIUS client configuration, see the chapter "AAA configuration."
802.1X configuration task list

Complete the following tasks to configure 802.1X:

Task                                                              Remarks
Enabling 802.1X                                                   Required
Specifying EAP relay or EAP termination                           Optional
Setting the port authorization state                              Optional
Specifying an access control method                               Optional
Setting the maximum number of concurrent 802.1X users on a port   Optional
Setting the maximum number of authentication request attempts     Optional
Setting the 802.1X authentication timeout timers                  Optional
Configuring the online user handshake function                    Optional
Configuring the authentication trigger function                   Optional
Specifying a mandatory authentication domain on a port            Optional
Enabling the quiet timer                                          Optional
Enabling the periodic online user re-authentication function      Optional
Configuring an 802.1X guest VLAN                                  Optional
Configuring an Auth-Fail VLAN                                     Optional

Enabling 802.1X

NOTE:
• If the default VLAN of a port is a voice VLAN, the 802.1X function cannot take effect on the port. For more
  information about voice VLANs, see the Layer 2—LAN Switching Configuration Guide.
• 802.1X is mutually exclusive with link aggregation group configuration on a port.

802.1X takes effect on a port only when it is enabled both globally and on that port. Follow these steps
to enable 802.1X on a port:

1. Enter system view: system-view
2. Enable 802.1X globally: dot1x (required; disabled by default)
3. Enable 802.1X on a port, using either approach (required; disabled by default):
   - In system view: dot1x interface interface-list
   - In Layer 2 Ethernet interface view: interface interface-type interface-number, then dot1x

Specifying EAP relay or EAP termination

When configuring EAP relay or EAP termination, consider the following factors:

• The support of the RADIUS server for EAP packets
• The authentication methods supported by the 802.1X client and the RADIUS server

If the client is using only MD5-Challenge EAP authentication or the username + password EAP
authentication initiated by an iNode 802.1X client, you can use either EAP termination or EAP relay. To
use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay: in EAP termination
the access device terminates the EAP exchange itself and re-encapsulates the credentials in CHAP or PAP
toward the RADIUS server, which is only possible for MD5-Challenge (CHAP) and for the iNode
username + password method (PAP). When you make your decision, see "A comparison of EAP relay and
EAP termination" for help.

For more information about EAP relay and EAP termination, see "802.1X authentication procedures."

Follow these steps to configure EAP relay or EAP termination:

1. Enter system view: system-view
2. Configure EAP relay or EAP termination: dot1x authentication-method { chap | eap | pap }
   Optional. By default, the network access device performs EAP termination and uses CHAP to
   communicate with the RADIUS server. Specify the eap keyword to enable EAP relay. Specify the
   chap or pap keyword to enable CHAP-enabled or PAP-enabled EAP termination.

NOTE:
If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does
not take effect. The access device sends the authentication data from the client to the server without any
modification. For more information about the user-name-format command, see the Security Command
Reference.
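The following added example (not from the manual) shows the usual production choice: a RADIUS scheme
and ISP domain, and 802.1X switched from the default CHAP termination to EAP relay so that PEAP or
EAP-TLS supplicants are authenticated end-to-end by the RADIUS server. The radius scheme and domain
commands belong to the AAA chapter rather than this page; the server address, shared secret, scheme and
domain names are illustrative, and the syntax follows the Comware V5 releases used on the A5120.

```text
system-view
# RADIUS scheme pointing at an EAP-capable server (illustrative address and secret)
radius scheme corp-nps
 primary authentication 10.0.0.5 1812
 primary accounting 10.0.0.5 1813
 key authentication Sh4red-Secret-Example
 key accounting Sh4red-Secret-Example
 # Has no effect in EAP relay mode: the identity reaches the server exactly as
 # the supplicant sent it (see the NOTE above). Kept here only to show the trap.
 user-name-format without-domain
 quit
domain corp
 authentication lan-access radius-scheme corp-nps
 authorization lan-access radius-scheme corp-nps
 accounting lan-access radius-scheme corp-nps
 quit
# Default is EAP termination with CHAP, which handles MD5-Challenge only.
# Switch to EAP relay so PEAP / EAP-TLS are carried through to the server.
dot1x authentication-method eap
# To return to termination for MD5-Challenge-only clients:
#   dot1x authentication-method chap
dot1x
```

The security difference between the two modes is worth stating plainly. In EAP relay the switch only
forwards EAP packets inside RADIUS and never handles the user's credential; the TLS tunnel of PEAP or
EAP-TLS also lets the supplicant authenticate the server. In EAP termination the switch itself sees the
MD5 challenge and response (CHAP) or the password (PAP) and forwards them to the RADIUS server,
protected only by the RADIUS shared secret, and MD5-Challenge gives the client no way to verify it is
talking to the real network. Use termination only where the clients cannot do anything else.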
Setting the port authorization state

The port authorization state determines whether the client is granted access to the network. You can
control the authorization state of a port by using the dot1x port-control command and the following
keywords:

• authorized-force—Places the port in the authorized state, enabling users on the port to access the
  network without authentication.
• unauthorized-force—Places the port in the unauthorized state, denying any access requests from
  users on the port.
• auto—Places the port initially in the unauthorized state to allow only EAPOL packets to pass, and
  after a user passes authentication, sets the port in the authorized state to allow access to the
  network. You can use this option in most scenarios.

You can set the authorization state for one port in interface view, or for multiple ports in system view. If
different authorization states are set for a port in system view and interface view, the one set later takes
effect.

Follow these steps to set the authorization state of a port:

1. Enter system view: system-view
2. Set the port authorization state, using either approach (optional; by default, auto applies):
   - In system view: dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]
   - In Layer 2 Ethernet interface view: interface interface-type interface-number, then
     dot1x port-control { authorized-force | auto | unauthorized-force }

Specifying an access control method

You can specify an access control method for one port in interface view, or for multiple ports in system
view. If different access control methods are specified for a port in system view and interface view, the
one specified later takes effect.

Follow these steps to specify the access control method:

1. Enter system view: system-view
2. Specify an access control method, using either approach (optional; by default, MAC-based access
   control applies):
   - In system view: dot1x port-method { macbased | portbased } [ interface interface-list ]
   - In Layer 2 Ethernet interface view: interface interface-type interface-number, then
     dot1x port-method { macbased | portbased }

NOTE:
To use both 802.1X and portal authentication on a port, you must specify MAC-based access control.
For more information about portal authentication, see the chapter "Portal configuration."
Setting the maximum number of concurrent 802.1X users on a port

You can set the maximum number of concurrent 802.1X users for ports individually in interface view or in
bulk in system view. If different settings are configured for a port in both views, the setting configured later
takes effect.

Follow these steps to set the maximum number of concurrent 802.1X users on a port:

1. Enter system view: system-view
2. Set the maximum number of concurrent 802.1X users on a port, using either approach (optional; by
   default, the maximum number of concurrent 802.1X users is 256):
   - In system view: dot1x max-user user-number [ interface interface-list ]
   - In Layer 2 Ethernet interface view: interface interface-type interface-number, then
     dot1x max-user user-number
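The following added example (not from the manual) combines the three preceding tasks on one switch:
the authorization state, the access control method and the per-port user limit, chosen per port according
to what is plugged into it. Interface numbers and the limits are illustrative, and an ISP domain for 802.1X
users is assumed to exist as described under the prerequisites. The syntax follows the Comware V5
releases used on the A5120.

```text
system-view
dot1x
# Desk port: auto (the default) admits only EAPOL until a supplicant passes;
# MAC-based control authenticates each MAC separately, and max-user 2 leaves
# room for a PC behind an IP phone while refusing a third device.
interface GigabitEthernet 1/0/1
 dot1x
 dot1x port-control auto
 dot1x port-method macbased
 dot1x max-user 2
 quit
# The same settings applied in bulk from system view to a range of desk ports
dot1x interface GigabitEthernet 1/0/2 to GigabitEthernet 1/0/9
dot1x port-method macbased interface GigabitEthernet 1/0/2 to GigabitEthernet 1/0/9
dot1x max-user 2 interface GigabitEthernet 1/0/2 to GigabitEthernet 1/0/9
# Hub in a meeting room: port-based control. After the first user passes,
# every other device behind the hub reaches the network unauthenticated, and
# all of them are cut off when that user logs off.
interface GigabitEthernet 1/0/10
 dot1x
 dot1x port-method portbased
 quit
# Printer in a locked cabinet: authorized-force switches authentication off on
# this port, so whatever is plugged in gets access.
interface GigabitEthernet 1/0/20
 dot1x
 dot1x port-control authorized-force
 quit
# Spare port in a public area: unauthorized-force refuses every access request.
interface GigabitEthernet 1/0/24
 dot1x
 dot1x port-control unauthorized-force
 quit
display dot1x interface GigabitEthernet 1/0/1
```

The two non-default choices are the ones to audit: a port-based port is only as trustworthy as the first
device that authenticated on it, and an authorized-force port is an unauthenticated network drop that
relies entirely on physical security. Keep such ports documented and check them against display dot1x
output during reviews.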
     
Setting the maximum number of authentication request attempts

The network access device retransmits an authentication request if it receives no response to the request it
has sent to the client within a period of time (specified by using the dot1x timer tx-period tx-period-value
command or the dot1x timer supp-timeout supp-timeout-value command). The network access device
stops retransmitting the request if it has made the maximum number of request transmission attempts but
still received no response.

Follow these steps to set the maximum number of authentication request attempts:

1. Enter system view: system-view
2. Set the maximum number of attempts for sending an authentication request: dot1x retry max-retry-value
   (optional; 2 by default)

Setting the 802.1X authentication timeout timers

The network device uses the following 802.1X authentication timeout timers:

• Client timeout timer—Starts when the access device sends an EAP-Request/MD5-Challenge packet
  to a client. If no response is received when this timer expires, the access device retransmits the
  request to the client.
• Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the
  authentication server. If no response is received when this timer expires, the access device
  retransmits the request to the server.

You can set the client timeout timer to a high value in a low-performance network, and adjust the server
timeout timer to adapt to the performance of different authentication servers. In most cases, the default
settings are sufficient.

Follow these steps to set the 802.1X timers:

1. Enter system view: system-view
2. Set the client timeout timer: dot1x timer supp-timeout supp-timeout-value (optional; the default is
   30 seconds)
3. Set the server timeout timer: dot1x timer server-timeout server-timeout-value (optional; the default is
   100 seconds)

Configuring the online user handshake function

About the online user handshake function

The online user handshake function checks the connectivity status of online 802.1X users. The network
access device sends handshake messages to online users at the interval specified by the dot1x timer
handshake-period command. If no response is received from an online user after the maximum number of
handshake attempts (set by the dot1x retry command) has been made, the network access device sets the
user in the offline state.

If iNode clients are deployed, you can also enable the online handshake security function to check for
802.1X users that use unauthorized client software to bypass security inspection such as proxy detection
and dual network interface card (NIC) detection. This function checks the authentication information in
client handshake messages. If a user fails this check, the network access device logs the user off.

Configuration guidelines

Follow these guidelines when you configure the online user handshake function:

• To use the online handshake security function, make sure the online user handshake function is
  enabled. HP recommends that you use the iNode client software and iMC server to ensure the
  normal operation of the online user handshake security function.
• If the network has 802.1X clients that cannot exchange handshake packets with the network access
  device, disable the online user handshake function to prevent their connections from being
  inappropriately torn down.

Configuration procedure

Follow these steps to configure the online user handshake function:

1. Enter system view: system-view
2. Set the handshake timer: dot1x timer handshake-period handshake-period-value (optional; the default
   is 15 seconds)
3. Enter Layer 2 Ethernet interface view: interface interface-type interface-number
4. Enable the online handshake function: dot1x handshake (optional; enabled by default)
5. Enable the online handshake security function: dot1x handshake secure (optional; disabled by default)

NOTE:
• When 802.1X clients do not support exchanging handshake packets with the device, disable the online user
  handshake function on the device. If not, the device will tear down the connections with these online users for
  not receiving handshake responses.
• HP recommends that you use the iNode client software and iMC server to ensure the normal operation of the
  online user handshake security function.
Configuring the authentication trigger function

About the authentication trigger function

The authentication trigger function enables the network access device to initiate 802.1X authentication
when 802.1X clients cannot initiate authentication.

This function provides the following types of authentication trigger:

• Multicast trigger—Periodically multicasts EAP-Request/Identity packets out of a port to detect 802.1X
  clients and trigger authentication.
• Unicast trigger—Enables the network device to initiate 802.1X authentication when it receives a data
  frame from an unknown source MAC address. The device sends a unicast EAP-Request/Identity
  packet to the unknown source MAC address, and retransmits the packet if it has received no
  response within a period of time. This process continues until the maximum number of request
  attempts set with the dot1x retry command (see "Setting the maximum number of authentication
  request attempts") is reached.

The identity request timeout timer (dot1x timer tx-period) sets both the identity request interval for the
multicast trigger and the identity request timeout interval for the unicast trigger.

Configuration guidelines

Follow these guidelines when you configure the authentication trigger function:

• Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start
  packets to initiate 802.1X authentication.
• Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these
  clients cannot initiate authentication.
• To avoid duplicate authentication packets, do not enable both triggers on a port.

Configuration procedure

Follow these steps to configure the authentication trigger function on a port:

1. Enter system view: system-view
2. Set the identity request timeout timer: dot1x timer tx-period tx-period-value (optional; the default is
   30 seconds)
3. Enter Layer 2 Ethernet interface view: interface interface-type interface-number
4. Enable an authentication trigger function: dot1x { multicast-trigger | unicast-trigger }
   Required if you want to enable the unicast trigger. By default, the multicast trigger is enabled, and
   the unicast trigger is disabled.

Specifying a mandatory authentication domain on a port

You can place all 802.1X users in a mandatory authentication domain for authentication, authorization,
and accounting on a port. No user can use an account in any other domain to access the network
through the port, whatever domain name the supplicant carries in its username. The implementation of a
mandatory authentication domain enhances the flexibility of 802.1X access control deployment.

Follow these steps to specify a mandatory authentication domain for a port:

1. Enter system view: system-view
2. Enter Layer 2 Ethernet interface view: interface interface-type interface-number
3. Specify a mandatory 802.1X authentication domain on the port: dot1x mandatory-domain domain-name
   (required; not specified by default)
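The following added example (not from the manual) applies the retry, timer, handshake, trigger and
mandatory-domain tasks of this section to a port whose clients are third-party supplicants that neither
send EAPOL-Start nor answer the HP handshake packets. The ISP domain corp is assumed to already exist
(configured as described in the AAA chapter); the interface and the timer values are illustrative, and the
syntax follows the Comware V5 releases used on the A5120.

```text
system-view
dot1x
# Retransmission budget shared by authentication requests, the unicast
# trigger and the online handshake (default 2)
dot1x retry 3
# Identity request interval (multicast trigger) and timeout (unicast trigger)
dot1x timer tx-period 30
# Client (supplicant) and server timeouts; the defaults are 30 s and 100 s
dot1x timer supp-timeout 30
dot1x timer server-timeout 100
# Handshake interval for ports where the handshake stays enabled
dot1x timer handshake-period 15
interface GigabitEthernet 1/0/12
 dot1x
 # Every user on this port is authenticated in domain corp, whatever domain
 # name the supplicant puts after the @ in its identity.
 dot1x mandatory-domain corp
 # A few clients that cannot initiate: use the unicast trigger and switch the
 # default multicast trigger off so the two do not send duplicate requests.
 undo dot1x multicast-trigger
 dot1x unicast-trigger
 # These supplicants do not answer handshake packets; leaving the handshake
 # on would tear their sessions down after dot1x retry missed replies.
 undo dot1x handshake
 quit
display dot1x interface GigabitEthernet 1/0/12
display dot1x statistics
```

Note what the unicast trigger implies: the switch starts authentication on the strength of a data frame
from an unknown source MAC, so the trigger fires for any device that sends a frame, and the dot1x retry
value bounds how many EAP-Request/Identity packets each such MAC costs before the attempt is dropped.
The mandatory domain is the control that stops a user from steering authentication into a weaker domain
by choosing the suffix of the username.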
      
    						