Web-based and MAC authentication |
Configuring MAC authentication on the switch
Prerequisites for web-based or MAC authentication
Before you configure web-based/MAC authentication, follow these guidelines.
Configure a local user name and password on the switch for both the operator (login) and manager (enable) access levels. Hewlett Packard Enterprise recommends that you use a local user name and password pair to protect the switch configuration from unauthorized access.
Determine the switch ports that you want to configure as authenticators. Before you configure web-based or MAC authentication on a port operating in an LACP trunk, you must remove the port from the trunk.
To display the current configuration of 802.1X, web-based, and MAC authentication on all switch ports, enter the
show port-access configcommand, as shown in the following example.# show port-access config Port Access Status Summary Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Port 802.1X 802.1X Web Mac LMA Ctrl Mixed Speed Port Supp Auth Auth Auth Auth Dir Mode VSA MBV --- ------ ------ ---- ---- ---- ----- ----- ----- -------- C1 No Yes No No No In No Yes Yes C2 No Yes No No No Both Yes Yes Yes C3 No Yes No No No Both No No Yes C4 No Yes No No Yes Both No Yes YesDetermine whether any VLAN assignments are needed for authenticated clients.
If you configure the RADIUS server to assign a VLAN for an authenticated client, this assignment overrides any VLAN assignments configured on the switch while the authenticated client session remains active. The VLAN must be statically configured on the switch.
If there is no RADIUS-assigned VLAN, the port can join an “Authorized VLAN” for the duration of the client session. This must be a port-based, statically configured VLAN on the switch.
If there is neither a RADIUS-assigned VLAN or an “authorized VLAN” for an authenticated client session on a port, the port’s VLAN membership remains unchanged during authenticated client sessions. Configure the port for the VLAN in which you want it to operate during client sessions.
![[NOTE: ]](images/note.gif)
NOTE: When configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN.
For clients that the RADIUS server does not authenticate, determine whether to use the optional “unauthorized VLAN” mode. This VLAN must be statically configured on the switch. If you do not configure an “unauthorized VLAN”, the switch simply blocks access to unauthenticated clients trying to use the port.
Determine the authentication policy you want on the RADIUS server and configure the server. Based on your switches RADIUS application information, include the following in the policy for each client or client device:
The CHAP-RADIUS authentication method.
An encryption key.
One of the following:
Include the user name and password for each authorized client if you are configuring web-based authentication.
Enter the device MAC address in both the user name and password fields of the RADIUS policy configuration for that device if you are configuring MAC authentication. To allow a particular device to receive authentication only through a designated port and switch, include this in your policy.
Determine the IP address of the RADIUS servers you choose to support web-based or MAC authentication.
Preparation for configuring MAC authentication
Before you configure MAC authentication
Configure a local user name and password on the switch.
Ensure that the VLANs are configured on the switch and that the appropriate port assignments have been made if you plan to use multiple VLANs with MAC authentication.
Ping the switch console interface to ensure that the switch is able to communicate with the RADIUS server you are configuring to support MAC authentication.
Configure the switch with the correct IP address and encryption key to access the RADIUS server.
Configure the switch for MAC authentication with the ports you will be using.
Test both the authorized and unauthorized access to your system to ensure that MAC authentication works properly on the ports you have chosen to configure for port-access.
Configuring a global MAC authentication password
MAC authentication requires that only a single entry containing the user name and password is placed in the user database with the device's MAC address. This creates an opportunity for malicious device spoofing. The global password option configures a common MAC authentication password to use for all MAC authentications sent to the RADIUS server. This makes spoofing more difficult.
It is important that when implementing the global MAC authentication password option, that the user database on the RADIUS server has this password as the password for each device performing MAC authentication.
Commands to configure the global MAC authentication password
To configure the global MAC authentication password:
Syntax
[no] aaa port-access mac-based password<password-value>Specifies the global password to be used by all MAC authenticating devices.
The
[no]form of the command disables the feature.For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure mode, commands that take a password as a parameter have the echo of the password typing replaced with asterisks. The input for the password is prompted for interactively. See Secure Mode (3800, 3810, 5400zl, and 8200zl Switches).
| NOTE: The password value is listed in an exported config
file when |
Configuring a MAC address format
Syntax
aaa port-access mac-based addr-format < no-delimiter | single-dash | multi-dash | multi-colon | no-delimiter-uppercase | single-dash-uppercase | multi-dash-uppercase | multi-colon-uppercase >Specifies the MAC address format used in the RADIUS request message. This format must match the format used to store the MAC addresses in the RADIUS server.
Default:
no-delimiter
no-delimiter: specifies an aabbccddeeff format.
single-dash: specifies an aabbcc-ddeeff format.
multi-dash: specifies an aa-bb-cc-dd-ee-ff format.
multi-colon: specifies an aa:bb:cc:dd:ee:ff format.
no-delimiter-uppercase: specifies an AABBCCDDEEFF format.
single-dash-uppercase: specifies an AABBCC-DDEEFF format
multi-dash-uppercase: specifies an AA-BB-CC-DD-EE-FF format
multi-colon-uppercase: specifies an AA:BB:CC:DD:EE:FF format.
Specifying the maximum authenticated MACs allowed on a port
Syntax
aaa port-access mac-based [e]<port-list>[addr-limit<1-256>]Specifies the maximum number of authenticated MACs to allow on the port.
Default:
1
NOTE: On switches where MAC authenticated and 802.1X operate concurrently, this limit includes the total number of clients authenticated through both methods.
The limit of 256 clients only applies when there are fewer than 16,384 authentication clients on the entire switch. After the limit of 16, 384 clients is reached, no additional authentication clients are allowed on any port for any method.
Allowing addresses to move without re-authentication
Syntax
[no] aaa port-access mac-based [e]<port-list>[addr-moves]Allows client moves between the specified ports under MAC authenticated control. When enabled, the switch allows addresses to move without requiring a re-authentication.
When disabled, the switch does not allow moves and when one occurs, the user is forced to re-authenticate. At least two ports (from ports and to ports) must be specified.
Use the
noform of the command to disable MAC address moves between ports under MAC authenticated control.Default: Disabled — no moves allowed
Specifying the VLAN for an authorized client
Syntax
aaa port-access mac-based [e]<port-list>[ auth-vid<vid>]no aaa port-access mac-based [e]<port-list>[ auth-vid ]Specifies the VLAN to use for an authorized client. The RADIUS server can override the value (accept response includes avid).
If
auth-vidis0, no VLAN changes occur unless the RADIUS server supplies one.Use the
noform of the command to set theauth-vidto0.Default:
0
Specifying the time period enforced for implicit logoff
Syntax
[no] aaa port-access mac-based [e]<port-list>[ logoff-period<60-9999999>]Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre-authentication state.
Default:
300 seconds
Specifying how long the switch waits before processing a request from a MAC address that failed authentication
Syntax
Specifying time period enforced on a client to re-authenticate
Syntax
[no] aaa port-access mac-based [e]<port-list>[ reauth-period<0-9999999>]Specifies the time period (in seconds) that the switch enforces on a client to re-authenticate. The client remains authenticated while the re-authentication occurs.
When set to
0, re-authentication is disabled.Default: 300 seconds
Specifying the period to wait for a server response to an authentication request
Syntax
[no] aaa port-access mac-based [e]<port-list>[ server-timeout<1-300>]Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depending on the current
max-requestsvalue, the switch sends a new attempt or ends the authentication session.Default: 30 seconds
Specifying the VLAN to use when authentication fails
Syntax
[no] aaa port-access mac-based [e]<port-list>[ unauth-vid<vid>][no] aaa port-access mac-based [e]<port-list>[ unauth-vid ]Specifies the VLAN to use for a client that fails authentication. If
unauth-vidis0, no VLAN changes occur. Use thenoform of the command to set theunauth-vidto0.Default: 0
Configuring custom messages for failed logins
This feature allows administrators to configure custom messages that are displayed when authentication with the RADIUS server fails. The messages are appended to existing internal web pages that display during the authentication process. Messages can be configured using the CLI, or centrally using the RADIUS server, and can provide a description of the reason for a failure as well as possible steps to take to resolve the authentication issue. There is no change to the current web-based authentication functionality.
Syntax
[no] aaa port-access web-based access-denied-message <<access-denied-str> | radius-response >
Specifies the text message (ASCII string) shown on the web page after an unsuccessful login attempt. The message must be enclosed in quotes.
The
[no]form of the command means that no message is displayed upon failure to authenticate.Default: The internal web page is used. No message appears upon authentication failure.
access-denied-str
The text message that is appended to the end of the web page when there is an unsuccessful authentication request. The string can be up to 250 ASCII characters.
radius-response
Use the text message provided in the RADIUS server response to the authentication request.
Unauthenticated clients can be assigned to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients, the port is blocked and no network access is available.
web page display of access denied message
The following figure shows an example of the
denied access message that appears when unauth-vod is
configured.
The show running-config command
displays the client’s information, including the configured access
denied message.
Redirecting HTTP when MAC address not found
When a client’s MAC address is checked by the RADIUS server against the known list of MAC addresses, and the MAC address is not found, the client needs a way to quickly become registered through a web registration process. The HTTP Redirect feature provides a way for a client who has failed MAC authentication to become registered through a web/registration server. Only a web browser is required for this authentication process.
| NOTE: The HTTP redirect feature cannot be enabled if web-based authentication is enabled on any port, and conversely, if HTTP redirect is enabled, web-based authentication cannot be enabled on any port. The web/registration server software is not included with this feature. |
How HTTP redirect works
The unauth-redirect option
must be configured with the registration server’s URL as a parameter
before HTTP redirect operations can begin. The full URL must be used.
Syntax
[no] aaa port-access mac-based unauth-redirect
Configure the HTTP redirect registration server feature.
<redirect-URL-str>
Enables the HTTP redirect registration server feature by configuring the URL of the registration page. An entry can have either an IP address or a DNS name. Only one server can be configured.
NOTE: The entire URL must be used, including the “http://” or “https://” portion.
[restrictive-filter]
Enables the redirect server to only return a Warning or Information page.
[timeout <seconds>]
The time (in seconds) before a client in an unauthorized redirection state is removed from the state tables.
Range: <30-10800>seconds
Default: 1800 seconds
![[CAUTION: ]](images/caution.gif) | CAUTION: Rogue clients can attempt to access any web pages on the web/registration server via interface ports configured for MAC authentication. |
Operating Notes for HTTP Redirect
If the configured URL contains a domain name (as opposed to an IP address) the switch’s DNS resolver must be configured:
switch(config)# ip dns server-address priority 1 <ipv4=address>
The NAT does an IP route lookup before it sends the packet to the destination registration server. A VLAN must have been configured that allows the switch to access the registration server.
The initial page, redirect server, and filter path configuration is per-switch.
Registering HTTP redirect
Following are the steps involved in HTTP registration.
When the redirect feature is enabled, a client that fails MAC authentication is moved into the unauthorized MAC authentication redirection state.
A client in the redirect state (having failed MAC authentication) with a web browser open sends a DHCP request. The switch responds with a DHCP lease for an address in the switch configurable DHCP address range. Additionally, the switch IP address becomes the client’s default gateway. All ARP/DNS requests are handled by the switch and all requests are directed to the switch. The switch replies to these requests with its own address.
The client requests a web page. The switch takes this request and responds to the client browser with an HTTP redirect to the configured URL. The client MAC address and interface port are appended as HTTP parameters.
Before returning the initial registration page to the client, the switch enables NAT so that all subsequent requests go to the web server directly. The initial HTML page is returned to the switch and then by proxy to the client.
After the registration process completes, the registration server updates the RADIUS server with the client’s user name, password, and profile.
The client remains in the redirect state until the client’s time exceeds the configured timeout or the switch receives an SNMP deauthentication request from the registration server.
The registration server sends an SNMP request to the switch with the MAC identification and interface port to reauthenticate or deauthenticate the client.
The switch moves the client out of the special web-based/MAC authentication redirect state and the client becomes unknown to the switch again. This sets the stage for a new MAC authentication cycle.
Using the restrictive-filter option
The restrictive-filter option allows the switch to reply to all HTTP requests to the switch IP address with an HTTP-redirect containing the URL of the registration server. It is used when there is no registration process and only a warning or informational page is displayed to the client.
If SSL is not configured, the switch verifies that the MAC address and interface port parameters are present. If SSL is enabled, the switch ensures that the HTTP request is to the registration server’s destination IP address.
The show command displays
the HTTP redirect configuration.
Reauthenticating a MAC Authenticated client
Using SNMP
The MIB variable hpicfUsrAuthMacAuthClientReauthenticateEntry in the hpicfUsrAuthMIB provides the capability to reauthenticate a specific MAC client on a port. The MAC address and port are required for SNMP reauthentication.
Using the CLI
To reauthenticate a client using the CLI, use this command:
switch(config)# aaa port-access mac-based <single-port> reauthenticate mac-addr<MAC address>
The keyword mac-addr specifies
single client reauthentication. If the reauthenticate parameter
is entered without the mac-addr keyword and MAC
address, the command is executed as port reauthentication — all clients
on a port are reauthenticated.