This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps:
- Enable the selected ports as authenticators.
- Specify either user-based or port-based 802.1X authentication.
(Actual 802.1X operation does not commence until you activate 802.1X authentication on the switch.)
NOTE: If you enable 802.1X authentication on a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication.
Syntax:
Enables specified ports to operate as 802.1X authenticators and enables port-based authentication. (To enable user-based authentication, execute this command first, and then execute the client-limit <port-list> version of this command described in the next section.) The no form of the command removes 802.1X authentication from <port-list>. To activate configured 802.1X operation, you must enable 802.1X authentication. See Enable 802.1X authentication on the switch.
User-based 802.1X authentication:
Syntax:
Used after executing aaa port-access authenticator <port-list> to convert authentication from port-based to user-based. Specifies user-based 802.1X authentication and the maximum number of 802.1X-authenticated client sessions allowed on each of the ports in <port-list>. If a port currently has no authenticated client sessions, the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session. If another client session begins later on the same port while an earlier session is active, the later session will be on the same untagged VLAN membership as the earlier session.
NOTE: The client limit is 256 clients per port for MAC-auth and Web-auth; the client limit for 802.1X is 32 clients per port. The MAC-auth and Web-auth limit of 256 clients only applies when there are fewer than 16,384 authentication clients on the entire switch. After the limit of 16,384 clients is reached, no additional authentication clients are allowed on any port for any method.
Port-based 802.1X authentication:
Syntax:
Used to convert a port from user-based authentication to port-based authentication, which is the default setting for ports on which authentication is enabled. (Executing aaa port-access authenticator <port-list> enables 802.1X authentication on <port-list> and enables port-based authentication.) If a port currently has no authenticated client sessions, the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session. If another authenticated client session begins later on the same port while an earlier session is active, the later session replaces the currently active session and will be on the untagged VLAN membership specified by the RADIUS server for the later session.
Configuring user-based 802.1X authentication enables ports 10-12 to operate as authenticators, and then configures the ports for user-based authentication.
Configuring user-based 802.1X authentication
HP Switch(config)# aaa port-access authenticator 10-12
HP Switch(config)# aaa port-access authenticator 10-12 client-limit 4
Configuring port-based 802.1X authentication enables ports 13-15 to operate as authenticators, and then configures the ports for port-based authentication.
The commands in this section are initially set by default and can be reconfigured as needed.
Syntax:
Controls authentication mode on the specified port:
Also termed “Force Authorized”. Gives access to a device connected to the port. In this case, the device does not have to provide 802.1X credentials or support 802.1X authentication. (You can still configure console, Telnet, or SSH security on the port.)
The device connected to the port must support 802.1X authentication and provide valid credentials to get network access. (Optional: You can use the Open VLAN mode to provide a path for clients without 802.1X supplicant software to download this software and begin the authentication process. See 802.1X Open VLAN mode.)
Also termed “Force Unauthorized”. Do not grant access to the network, regardless of whether the device provides the correct credentials and has 802.1X support. In this state, the port blocks access to any connected device.
Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails. (Default: 60 seconds)
Sets the period the port waits to retransmit the next EAPOL PDU during an authentication session. (Default: 30 seconds)
Sets the period of time the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out. (Default: 30 seconds)
Sets the period of time the switch waits for a server response to an authentication request. If there is no response within the configured time frame, the switch assumes that the authentication attempt has timed out. Depending on the current max-requests setting, the switch will either send a new request to the server or end the authentication session. (Default: 30 seconds)
Sets the number of authentication attempts that must time out before authentication fails and the authentication session ends. If you are using the Local authentication option, or are using RADIUS authentication with only one host server, the switch will not start another session until a client tries a new access attempt. If you are using RADIUS authentication with two or three host servers, the switch will open a session with each server, in turn, until authentication occurs or there are no more servers to try. During the quiet-period, if any, you cannot reconfigure this parameter. (Default: 2)
Sets the period of time after which connected clients must be re-authenticated. When the timeout is set to 0, reauthentication is disabled. (Default: 0 seconds)
Configures an existing static VLAN to be the Unauthorized-Client VLAN. This enables you to provide a path for clients without supplicant software to download the software and begin an authentication session. See 802.1X Open VLAN mode.
Configures the period of time the switch waits for client activity before removing an inactive client from the port. (Default: 300 seconds)
Configures an existing, static VLAN to be the Authorized-Client VLAN. See 802.1X Open VLAN mode.
Specifies a delay in seconds for placing a port on the Unauthorized-Client VLAN. This delay allows more time for a client with 802.1X supplicant capability to initiate an authentication session. If a connected client does not initiate a session before the timer expires, the port is assigned to the Unauthenticated-Client VLAN. (Default: 0 seconds)
This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator.
You can configure local, chap-radius or eap-radius as the primary password authentication method for the port-access method. You also need to select none or authorized as a secondary, or backup, method.
Syntax:
Configures local, chap-radius or eap-radius as the primary password authentication method for port-access. The default primary authentication is local. (See the documentation for your RADIUS server application.)
For switches covered in this guide, you must use the password port-access command to configure the operator username and password for 802.1X access.
To enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers:
If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, see RADIUS Authentication, Authorization, and Accounting.
Syntax:
Adds a server to the RADIUS configuration.
The oobm option specifies that the RADIUS traffic will go through the out-of-band management (OOBM) port.
Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the key used on the RADIUS server. Use this option only if the specified server requires a different key than configured for the global encryption key. The tilde (~) character is allowed in the string. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
Syntax:
Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server-specific key. This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. The tilde (~) character is allowed in the string, for example, radius-server key hp~switch. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
The no form of the command removes the global encryption key.
After configuring 802.1X authentication as described in the preceding four sections, activate it with this command:
Syntax:
While 802.1X authentication is operating, you can use the following aaa port-access authenticator commands to reset 802.1X authentication and statistics on specified ports.
Syntax:
After you enable 802.1X authentication on specified ports, you can use the aaa port-access controlled-direction command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
As documented in the IEEE 802.1X standard, an 802.1X-aware port that is unauthenticated can control traffic in either of the following ways:
Prerequisite:
As documented in the IEEE 802.1X standard, the disabling of incoming traffic and transmission of outgoing traffic on an 802.1X-aware egress port in an unauthenticated state (using the aaa port-access controlled-direction in command) is supported only if:
- The port is configured as an edge port in the network using the spanning-tree edge-port command.
- The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.
For information on how to configure the prerequisites for using the aaa port-access controlled-direction in command, see “Multiple Instance Spanning-Tree Operation” in the Advanced Traffic Management Guide.
Syntax:
The Wake-on-LAN feature is used by network administrators to remotely power on a sleeping workstation (for example, during early morning hours to perform routine maintenance operations, such as patch management and software updates).
The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on an 802.1X-aware egress port that has not yet transitioned to the 802.1X authenticated state; the controlled-direction both setting prevents Wake-on-LAN traffic from being transmitted on an 802.1X-aware egress port until authentication occurs.
NOTE: Although the
- Using the aaa port-access controlled-direction in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features:
Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-direction command is applied to all authentication methods configured on the switch. See Web and MAC Authentication.
Configuring 802.1X controlled directions shows how to enable the transmission of Wake-on-LAN traffic in the egress direction on an 802.1X-aware port before it transitions to the 802.1X authenticated state and successfully authenticates a client device.
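The constraints stated in the authenticator section earlier (the 32-client 802.1X limit per port and no authenticator on a port still in an LACP trunk) and in the controlled-direction section above (controlled-direction in only on a spanning-tree edge port with RSTP/MSTP enabled) can be checked offline against a saved running-config before a change window. The audit below is an added example, not HP code: the config excerpt is constructed, and the trunk, edge-port and per-port controlled-direction command forms in it are assumptions for illustration.

```python
import re
DOT1X_CLIENT_LIMIT = 32  # per-port 802.1X client limit stated on the page

# Constructed running-config excerpt. Authenticator/client-limit lines follow the
# page's command forms; edge-port, trunk and controlled-direction forms are assumed.
SAMPLE_CONFIG = """\
spanning-tree
spanning-tree 13 edge-port
trunk 5-6 trk1 lacp
aaa port-access authenticator 5,10-14
aaa port-access authenticator 10-12 client-limit 4
aaa port-access authenticator 13 client-limit 40
aaa port-access 13-14 controlled-direction in
aaa port-access authenticator active
"""

def expand_ports(spec):
    """Expand a port list such as '5,10-12' into [5, 10, 11, 12]."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_dot1x(config):
    """Return (port, finding) tuples: authenticator on an LACP trunk member,
    client-limit above 32, or controlled-direction in without edge-port + RSTP/MSTP."""
    stp, edge, trunk, auth, limits, cdir = False, set(), set(), set(), {}, {}
    for line in map(str.strip, config.splitlines()):
        if line == "spanning-tree":  # RSTP/MSTP enabled globally
            stp = True
        elif m := re.match(r"spanning-tree (\S+) edge-port$", line):
            edge.update(expand_ports(m.group(1)))
        elif m := re.match(r"trunk (\S+) \S+ lacp$", line):
            trunk.update(expand_ports(m.group(1)))
        elif m := re.match(r"aaa port-access authenticator (\S+) client-limit (\d+)$", line):
            limits.update({p: int(m.group(2)) for p in expand_ports(m.group(1))})
        elif m := re.match(r"aaa port-access authenticator ([\d,-]+)$", line):
            auth.update(expand_ports(m.group(1)))
        elif m := re.match(r"aaa port-access (\S+) controlled-direction (both|in)$", line):
            cdir.update({p: m.group(2) for p in expand_ports(m.group(1))})
    findings = []
    for p in sorted(auth):
        if p in trunk:
            findings.append((p, "authenticator on an LACP trunk member; remove it from the trunk first"))
        if limits.get(p, 0) > DOT1X_CLIENT_LIMIT:
            findings.append((p, f"client-limit {limits[p]} exceeds the 802.1X maximum of {DOT1X_CLIENT_LIMIT}"))
        if cdir.get(p) == "in" and not (stp and p in edge):
            findings.append((p, "controlled-direction in requires spanning-tree edge-port and RSTP/MSTP"))
    return findings
```

On the constructed excerpt this reports port 5 (trunk member), port 13 (client-limit 40) and port 14 (controlled-direction in without an edge-port setting); port 13 passes the controlled-direction check because it is an edge port and spanning tree is enabled.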
When a PC is connected through an IP phone to a switch port that has been authorized using 802.1X or Web/MAC authentication, the IP phone is authenticated using client-based 802.1X or Web/MAC authentication and has access to secure, tagged VLANs on the port. If the PC is unauthenticated, it needs to have access to the insecure guest VLAN (unauthenticated VLAN) that has been configured for 802.1X or Web/MAC authentication. 802.1X and Web/MAC authentication normally do not allow authenticated clients (the phone) and unauthenticated clients (the PC) on the same port.
Mixed port access mode allows 802.1X and Web/MAC authenticated and unauthenticated clients on the same port when the guest VLAN is the same as the port’s current untagged authenticated VLAN for authenticated clients, or when none of the authenticated clients are authorized on the untagged authenticated VLAN. Instead of having just one client per port, multiple clients can use the guest VLAN.
Authenticated clients always have precedence over guests (unauthenticated clients) if access to a client’s untagged VLAN requires removal of a guest VLAN from the port. If an authenticated client becomes authorized on its untagged VLAN as the result of initial authentication or because of an untagged packet from the client, then all 802.1X or Web/MAC authenticated guests are removed from the port and the port becomes an untagged member of the client’s untagged VLAN.
- The port sends broadcast traffic from the VLANs even when there are only guests authorized on the port.
- Guests can use the same bandwidth, rate limits and QoS settings that may be assigned for authenticated clients on the port (via RADIUS attributes).
- When no authenticated clients are authorized on the untagged authenticated VLAN, the port becomes an untagged member of the guest VLAN for as long as no untagged packets are received from any authenticated clients on the port.
- New guest authorizations are not allowed on the port if at least one authenticated client is authorized on its untagged VLAN and the guest VLAN is not the same as the authenticated client’s untagged VLAN.
NOTE: If you disable mixed port access mode, this does not automatically remove guests that have already been authorized on a port where an authenticated client exists. New guests are not allowed after the change, but the existing authorized guests will still be authorized on the port until they are removed by a new authentication, an untagged authorization, a port state change, and so on.
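The guest and authenticated-client precedence rules above, modelled as an added example (not HP code) so the port's untagged membership can be reasoned about before enabling mixed port access mode; it assumes that all authenticated clients on a port share one untagged VLAN, as the user-based authentication description earlier states for later sessions.

```python
class MixedAccessPort:
    """Model of one switch port under mixed port access mode. Assumption: all
    authenticated clients on the port share a single untagged VLAN."""

    def __init__(self, guest_vlan, mixed_mode=True):
        self.guest_vlan = guest_vlan
        self.mixed_mode = mixed_mode
        self.auth_clients = {}  # client -> untagged VLAN it is authorized on
        self.guests = set()     # unauthenticated clients admitted to the guest VLAN

    @property
    def untagged_vlan(self):
        """Port's untagged membership: the authenticated clients' VLAN when one is
        authorized on it, otherwise the guest VLAN (guests only, or no clients)."""
        for vlan in self.auth_clients.values():
            return vlan
        return self.guest_vlan

    def authorize_client(self, client, vlan):
        """An authenticated client (e.g. the IP phone) becomes authorized on its
        untagged VLAN. Authenticated clients take precedence: if reaching that VLAN
        requires dropping the guest VLAN, every guest is removed from the port."""
        self.auth_clients[client] = vlan
        if vlan != self.guest_vlan:
            self.guests.clear()

    def authorize_guest(self, guest):
        """Admit an unauthenticated client (e.g. the PC behind the phone) to the
        guest VLAN; returns False when the rules above refuse the authorization."""
        if not self.mixed_mode:
            return False
        if self.auth_clients and self.untagged_vlan != self.guest_vlan:
            return False  # an authenticated client holds a different untagged VLAN
        self.guests.add(guest)
        return True

    def disable_mixed_mode(self):
        """Already-authorized guests stay until removed by another event; only
        new guest authorizations are refused from now on."""
        self.mixed_mode = False
```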