- If you have not already done so, configure a local username and password pair on the switch.
- Identify or create a redirect URL for use by authenticated clients. HP recommends that you provide a redirect URL when using web authentication. If a redirect URL is not specified, web browser behavior following authentication may not be acceptable.
- If you plan to use multiple VLANs with web authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made. Confirm that the VLAN used by authorized clients can access the redirect URL.
- Ping the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support web-based authentication on the switch.
- Configure the switch with the correct IP address and encryption key to access the RADIUS server.
- (Optional) To use SSL encryption for web-based authentication login, configure and enable SSL on the switch.
- Enable web-based authentication on the switch ports you want to use.
- Configure the optional settings that you want to use for web-based authentication; for example:
  - To avoid address conflicts in a secure network, configure the base IP address and mask to be used by the switch for temporary DHCP addresses. You can also set the lease length for these temporary IP addresses.
  - To use SSL encryption for web-based authentication login, configure the SSL option.
  - To redirect authorized clients to a specified URL, configure the Redirect URL option.
- Configure how web-based authenticator ports transmit traffic before they successfully authenticate a client and enter the authenticated state:
  - You can block incoming and outgoing traffic on a port before authentication occurs.
  - You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web-based authentication. For example, Wake-on-LAN traffic is transmitted on a web-based authenticated egress port that has not yet transitioned to the authenticated state.
- Test both authorized and unauthorized access to your system to ensure that web authentication works properly on the ports you have configured for port-access using web authentication.
NOTE: Client web browsers cannot use a proxy server to access the network.
Syntax:
aaa port-access <port-list> [controlled-direction <both|in> | mixed-mode | port-speed-vsa | mbv <enable|disable>]

After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-direction command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
both: (Default) Incoming and outgoing traffic is blocked on a port configured for web-based authentication before authentication occurs.
in: Incoming traffic is blocked on a port configured for web-based authentication before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web-based authentication.
mixed-mode: Set if unauthenticated and authenticated users are allowed on the same port.
port-speed-vsa: Determines whether the port speed HP VSA is allowed and used on a port.
mbv <enable|disable>: Allows configuration of MBV (MAC-based VLANs) on a port. MBV allows multiple clients on different untagged VLANs to authenticate on the same port.
Prerequisites:
- As implemented in 802.1X authentication, the disabling of incoming traffic and transmission of outgoing traffic on a web-based authenticated egress port in an unauthenticated state (using the aaa port-access controlled-direction in command) is supported only if the 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.
- The port is configured as an edge port in the network using the spanning-tree edge-port command.
Notes:
- For information on how to configure the prerequisites for using the aaa port-access controlled-direction in command, see "Multiple instance spanning-tree operation" in the Advanced Traffic Management Guide for your switch.
- To display the currently configured controlled direction value for web-based authenticated ports, enter the show port-access web-based config command.
- The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on a web-based authenticated egress port that has not yet transitioned to the authenticated state; the controlled-direction both setting prevents Wake-on-LAN traffic from being transmitted on a web-based authenticated egress port until authentication occurs. The Wake-on-LAN feature is used by network administrators to remotely power on a sleeping workstation (for example, during early morning hours to perform routine maintenance operations, such as patch management and software updates).
- Using the aaa port-access controlled-direction in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features:
  - 802.1X authentication
  - MAC authentication
  - Web-based authentication
  Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-direction command is applied to all authentication methods configured on the switch. For information about how to configure and use 802.1X authentication, see Configuring Port and User-Based Access Control (802.1X).
- When a web-based authenticated port is configured with the controlled-direction in setting, eavesdrop prevention is not supported on the port.
Syntax:
Specifies the maximum number of authenticated clients to allow on the port. (Default: 1)
NOTE: On switches where Web-based authentication and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods. The limit of 256 clients only applies when there are fewer than 16,384 authentication clients on the entire switch. After the limit of 16,384 clients is reached, no additional authentication clients are allowed on any port for any method.
Syntax:
Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre-authentication state. (Default: 300 seconds)
Syntax:
Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL can be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. HP recommends that you provide a redirect URL when using web authentication.
NOTE: The redirect-url command accepts only the first 103 characters of the allowed 127 characters.
Use the [no] form of the command to remove a specified redirect URL. (Default: There is no default URL. Browser behavior for authenticated clients may not be acceptable.)
Syntax:
Displays the status of all ports or specified ports that are enabled for web-based authentication. The information displayed for each port includes:
- Number of authorized and unauthorized clients.
- VLAN ID number of the untagged VLAN used. If the switch supports MAC (untagged) VLANs, MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions.
- If tagged VLANs (statically configured or RADIUS-assigned) are used (Yes or No).
- If client-specific per-port CoS (Class of Service) values are configured (Yes or No) or the numerical value of the CoS (802.1p priority) applied to all inbound traffic. For client-specific per-port CoS values, enter the show port-access web-based clients detailed command.
- If per-port rate-limiting for inbound traffic is applied (Yes or No) or the percentage value of the port's available bandwidth applied as a rate-limit value.
- If RADIUS-assigned ACLs are applied.
Information on ports not enabled for web authentication is not displayed.
Output for the show port-access web-based command
Switch (config)# show port-access web-based

 Port Access Web-Based Status

        Auth     Unauth   Untagged Tagged Port     % In   RADIUS
 Port   Clients  Clients  VLAN     VLANs  COS      Limit  ACL
 ----- -------- -------- -------- ------ -------- ------ ------
 1     1        1        4006     Yes    70000000 100    Yes
 2     2        0        MACbased No     Yes      Yes    Yes
 3     4        0        1        Yes    No       No     No
Syntax:
Displays the session status, name, and address for each web-authenticated client on the switch. The IP address displayed is taken from the DHCP binding table (learned through the DHCP Snooping feature).
If DHCP snooping is not enabled on the switch, n/a (not available) is displayed for a client’s IP address.
If a web-authenticated client uses an IPv6 address, n/a - IPv6 is displayed.
If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed.
Output for the show port-access web-based authentication clients command
HP Switch (config)# show port-access web-based clients

 Port Access Web-Based Client Status

 Port  Client Name  MAC Address   IP Address      Session Status
 ----- ------------ ------------- --------------- --------------
 1     webuser1     0010b5-891a9e 192.192.192.192 Authenticated
 1     webuser2     001560-b3ea48 n/a - no info   Authenticating
 1     webuser3     000000-111111 n/a - IPv6      Authenticating
 3     webuser4     000000-111112 n/a             Authenticating
Syntax:
Displays detailed information on the status of web-based authenticated client sessions on specified switch ports.
For HP Switch 2620, 2910al, and 2920-series:
This syntax shows session status, name, and address for each web-based authenticated client on the switch. The IP address displayed is taken from the DHCP binding table, learned through DHCP snooping. The following can appear if the client's IP address is not available:
- n/a: DHCP snooping is not enabled on the switch; n/a is displayed for a client's IP address.
- n/a-IPv6: a web-based authenticated client uses an IPv6 address.
- n/a-no info: DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table.
Output for the show port-access web-based clients detailed command
HP Switch (config)# show port-access web-based clients 1 detailed

 Port Access Web-Based Client Status Detailed

 Client Base Details :
  Port              : 1
  Session Status    : authenticated
  Session Time(sec) : 6
  Username          : webuser1
  MAC Address       : 0010b5-891a9e
  IP                : n/a

 Access Policy Details :
  COS Map           : 11111111
  In Limit %        : 98
  Untagged VLAN     : 4006
  Out Limit %       : 100
  Tagged VLANs      : 1, 3, 5, 6, 334, 2566
  RADIUS-ACL List   :
   deny in udp from any to 10.2.8.233 CNT
    Hit Count: 0
   permit in udp from any to 10.2.8.233 CNT
    Hit Count: 0
   deny in tcp from any to 10.2.8.233 CNT
    Hit Count: 0
   permit in tcp from any to 10.2.8.233 CNT
    Hit Count: 0
   permit in tcp from any to 0.0.0.0/0 CNT
    Hit Count: 0
Syntax:
Displays the currently configured web-based authentication settings for all switch ports or specified ports, including:
- Temporary DHCP base address and mask.
- Support for RADIUS-assigned dynamic VLANs (Yes or No).
- Controlled direction setting for transmitting Wake-on-LAN traffic on egress ports.
- Authorized and unauthorized VLAN IDs. If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS-assigned value.
Output for the show port-access web-based config command
HP Switch (config)# show port-access web-based config

 Port Access Web-Based Configuration

  DHCP Base Address : 192.168.0.0
  DHCP Subnet Mask  : 255.255.255.0
  DHCP Lease Length : 10
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Access Denied Message : System Default

                Client Client Logoff  Re-Auth Unauth   Auth     Cntrl
  Port Enabled  Limit  Moves  Period  Period  VLAN ID  VLAN ID  Dir
  ----- -------- ------ ------ ------- ------- -------- -------- -----
  1     Yes      1      No     300     0       0        0        both
  2     Yes      1      No     300     0       0        0        in
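As an added example (not part of the HP documentation), the following Python script parses the per-port table of the show port-access web-based config output shown above and flags enabled ports whose controlled direction is in, since the notes above state that such ports flood unknown-destination egress traffic before authentication and do not support eavesdrop prevention. The sample output embedded in the script is constructed in the same layout as the page's example; the column names and the audit message are the script's own.

```python
"""Parse `show port-access web-based config` output and flag pre-auth egress flooding."""

# Column names, in order, for the per-port table (names chosen here, not switch output).
COLUMNS = ("port", "enabled", "client_limit", "client_moves", "logoff_period",
           "reauth_period", "unauth_vlan", "auth_vlan", "cntrl_dir")

# Constructed sample in the layout of the page's `show port-access web-based config` output.
SAMPLE = """\
HP Switch (config)# show port-access web-based config

 Port Access Web-Based Configuration

  DHCP Base Address : 192.168.0.0
  DHCP Subnet Mask  : 255.255.255.0
  DHCP Lease Length : 10
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Access Denied Message : System Default

               Client Client Logoff Re-Auth Unauth  Auth    Cntrl
  Port Enabled Limit  Moves  Period Period  VLAN ID VLAN ID Dir
  ----- -------- ------ ------ ------- ------- -------- -------- -----
  1     Yes      1      No     300     0       0        0        both
  2     Yes      1      No     300     0       0        0        in
  3     No       1      No     300     0       0        0        in
"""

def global_settings(text):
    """Return the 'Key : Value' lines above the table as a dict."""
    pairs = (line.split(":", 1) for line in text.splitlines() if " : " in line)
    return {key.strip(): value.strip() for key, value in pairs}

def parse_web_based_config(text):
    """Return {port: {column: value}} for the rows that follow the dashed rule line."""
    rows, in_table = {}, False
    for line in text.splitlines():
        fields = line.split()
        if fields and set(fields[0]) == {"-"}:  # the '----- ------' rule starts the table
            in_table = True
            continue
        if in_table and len(fields) == len(COLUMNS):
            rows[fields[0]] = dict(zip(COLUMNS, fields))
    return rows

def audit(rows):
    """Flag enabled ports set to 'in': unknown-destination egress (e.g. Wake-on-LAN)
    is flooded before authentication and eavesdrop prevention is unsupported there."""
    return [(port, "pre-auth egress flooding; eavesdrop prevention unsupported")
            for port, r in sorted(rows.items())
            if r["enabled"] == "Yes" and r["cntrl_dir"] == "in"]

if __name__ == "__main__":
    for port, why in audit(parse_web_based_config(SAMPLE)):
        print(f"port {port}: {why}")
```

Port 3 in the sample is also set to in but is not flagged because web-based authentication is not enabled on it.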
Syntax:
Displays more detailed information on the currently configured web-based authentication settings for specified ports.
Output for the show port-access web-based config detail command
Switch (config)# show port-access web-based config 1 detailed

 Port Access Web-Based Detailed Configuration

  Port              : 1
  Web-based enabled : Yes
  Client Limit      : 1
  Client Moves      : No
  Logoff Period     : 300
  Re-Auth Period    : 0
  Unauth VLAN ID    : 0
  Auth VLAN ID      : 0
  Max Requests      : 3
  Quiet Period      : 60
  Server Timeout    : 30
  Max Retries       : 3
  SSL Enabled       : No
  Redirect URL      :
Syntax:
Displays the currently configured web authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as:
- Timeout waiting period.
- Number of timeouts supported before authentication login fails.
- Length of time (quiet period) supported between authentication login attempts.
Output for the show port-access web-based config auth-server command
Switch (config)# show port-access web-based config auth-server

 Port Access Web-Based Configuration

                Client Client Logoff  Re-Auth  Max  Quiet   Server
  Port Enabled  Limit  Moves  Period  Period   Req  Period  Timeout
  ----- -------- ------ ------ ------- -------- ---- ------- --------
  1     Yes      1      No     300     0        3    60      30
  2     No       1      No     300     0        3    60      30
  ...