Do these steps before you configure 802.1X operation:

- Configure a local username and password on the switch for both the operator (login) and manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, HP recommends that you use a local username and password pair at least until your other security measures are in place.)

- Enable include-credentials. The port-access option is available only if include-credentials is enabled. See Security settings that can be saved.

  For switches covered in this guide, the local operator password configured with the password command is not accepted as an 802.1X authenticator credential. The port-access command is used to configure the operator username and password that are used as 802.1X credentials for network access to the switch. 802.1X network access is not allowed unless a password has been configured using the password port-access command.

  Syntax:
  Configures the operator username and password used to access the network through 802.1X authentication.

  You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command. For more information, see Saving security credentials in a config file.

- Determine the switch ports that you want to configure as authenticators and/or supplicants, and disable LACP on these ports. (For more information on disabling LACP, see “Note”.)

  To display the current configuration of 802.1X, Web-based, and MAC authentication on all switch ports, enter the show port-access config command.

  Output for the show port-access config command:

    HP Switch (config)# show port-access config

     Port-access authenticator activated [No] : No
     Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

          Supplicant Authenticator Web-Auth Mac-Auth LMA-Auth Ctrl Mixed     Speed
     Port Enabled    Enabled       Enabled  Enabled  Enabled  Dir  Mode  VSA MBV
     ---- ---------- ------------- -------- -------- -------- ---- ----- --- -----
     C1   No         Yes           No       No       No       In   No    Yes Yes
     C2   No         Yes           No       No       No       Both Yes   Yes Yes
     C3   No         Yes           No       No       No       Both No    No  Yes
     C4   No         Yes           No       No       Yes      Both No    Yes Yes
     ...

- Determine whether to use user-based access control (see 802.1X user-based access control) or port-based access control (see 802.1X port-based access control).

- Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for clients that are not running 802.1X supplicant software. (This will require you to provide downloadable software that the client can use to enable an authentication session.) See 802.1X Open VLAN mode.

- For any port you want to operate as a supplicant, determine the user credentials. You can either use the same credentials for each port or use unique credentials for individual ports or subgroups of ports. (This can also be the same local username/password pair that you assign to the switch.)

- Unless you are using only the switch’s local username and password for 802.1X authentication, configure at least one RADIUS server to authenticate access requests coming through the ports on the switch from external supplicants (including switch ports operating as 802.1X supplicants). You can use up to three RADIUS servers for authentication: one primary and two backups. See the documentation provided with your RADIUS application.
This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, see the following:

1. Enable 802.1X user-based or port-based authentication on the individual ports you want to serve as authenticators. On the ports you will use as authenticators, either accept the default 802.1X settings or change them, as necessary. Note that, by default, the port-control parameter is set to auto for all ports on the switch. This requires a client to support 802.1X authentication and to provide valid credentials to get network access. See Enable 802.1X authentication on selected ports.

2. If you want to provide a path for clients without 802.1X supplicant software to download the software so that they can initiate an authentication session, enable the 802.1X Open VLAN mode on the ports you want to support this feature. See 802.1X Open VLAN mode.

3. Configure the 802.1X authentication type. Options include:
   - Local operator username and password (using the password port-access command).
   - EAP RADIUS: This option requires your RADIUS server application to support EAP authentication for 802.1X.
   - CHAP (MD5) RADIUS: This option requires your RADIUS server application to support CHAP (MD5) authentication.
   See Configure the 802.1X authentication method.

4. If you select either eap-radius or chap-radius for step 3, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. See Enter the RADIUS host IP address(es).

5. Enable 802.1X authentication on the switch. See Enable 802.1X authentication on selected ports.

6. Test both the authorized and unauthorized access to your system to ensure that the 802.1X authentication works properly on the ports you have configured for port-access.

   NOTE: If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected.

7. If you are using Port Security on the switch, configure the switch to allow only 802.1X access on ports configured for 802.1X operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1X port. See Port-Security.

8. If you want a port on the switch to operate as a supplicant on a port operating as an 802.1X authenticator on another device, then configure the supplicant operation. (See Configuring switch ports to operate as supplicants for 802.1X connections to other switches.)
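As an added check after the procedure (example code written for this page, not HP's own tooling): a small Python parser for the show port-access config output shown above, which reports ports that are configured as authenticators while 802.1X has not yet been activated on the switch (step 5), and ports with no port-access authentication method at all. The sample output is constructed, with a port C5 added; the field names in COLUMNS are this example's own.

```python
import re

# Constructed sample modelled on the "show port-access config" output above;
# port C5 is added here as a port with no authentication method enabled.
SAMPLE_OUTPUT = """\
HP Switch (config)# show port-access config
 Port-access authenticator activated [No] : No
 Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
      Supplicant Authenticator Web-Auth Mac-Auth LMA-Auth Ctrl Mixed     Speed
 Port Enabled    Enabled       Enabled  Enabled  Enabled  Dir  Mode  VSA MBV
 ---- ---------- ------------- -------- -------- -------- ---- ----- --- -----
 C1   No         Yes           No       No       No       In   No    Yes Yes
 C2   No         Yes           No       No       No       Both Yes   Yes Yes
 C3   No         Yes           No       No       No       Both No    No  Yes
 C4   No         Yes           No       No       Yes      Both No    Yes Yes
 C5   No         No            No       No       No       Both No    No  Yes
"""

COLUMNS = ("port", "supplicant", "authenticator", "web_auth", "mac_auth",
           "lma_auth", "ctrl_dir", "mixed_mode", "vsa", "speed_mbv")  # one per output column


def parse_port_access_config(text):
    """Return (authenticator_activated, rows); each row is a dict keyed by COLUMNS."""
    activated, rows, in_table = None, [], False
    for line in text.splitlines():
        m = re.search(r"authenticator activated\s*(?:\[\w+\])?\s*:\s*(\w+)", line)
        if m:
            activated = m.group(1).lower() == "yes"
            continue
        if line.strip().startswith("----"):
            in_table = True  # the dashed rule separates the headers from the port rows
            continue
        fields = line.split()
        if in_table and len(fields) == len(COLUMNS):  # skips blanks and a trailing "..."
            rows.append(dict(zip(COLUMNS, fields)))
    return activated, rows


def audit(text):
    """Findings a defender wants before trusting 802.1X enforcement on this switch."""
    activated, rows = parse_port_access_config(text)
    findings = []
    auth_ports = [r["port"] for r in rows if r["authenticator"] == "Yes"]
    # Per-port authenticator settings enforce nothing until 802.1X is activated switch-wide (step 5).
    if activated is False and auth_ports:
        findings.append("authenticator not activated on the switch; configured ports: " + ", ".join(auth_ports))
    for r in rows:  # a port with no method enabled at all passes traffic unauthenticated
        if all(r[k] == "No" for k in ("authenticator", "web_auth", "mac_auth", "lma_auth")):
            findings.append(f"{r['port']}: no port-access authentication method enabled")
    return findings
```

Paste the real command output in place of SAMPLE_OUTPUT; the supplicant column is deliberately ignored, since a supplicant port authenticates to another device rather than gating access to this one.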