HP ProCurve 9304M Security Manual page 102

Security Guide for ProCurve 9300/9400 Series Routing Switches
To disable aging of the denied dot1x-mac-sessions, enter the following command:
ProCurveRS(config-dot1x)# mac-session-aging no-aging denied-mac-only
Syntax: [no] mac-session-aging no-aging denied-mac-only
Specifying the Aging Time for Blocked Clients
When the HP device is configured to drop traffic from non-authenticated Clients, traffic from the blocked Clients is
dropped in hardware, without being sent to the CPU. A Layer 2 CAM entry is created that drops traffic from the
blocked Client's MAC address in hardware. If no traffic is received from the blocked Client's MAC address for a
certain amount of time, this Layer 2 CAM entry is aged out. If traffic is subsequently received from the Client's
MAC address, then an attempt can be made to authenticate the Client again.
Aging of the Layer 2 CAM entry for a blocked Client's MAC address occurs in two phases, known as hardware
aging and software aging. The hardware aging period is fixed at 70 seconds and is non-configurable. The
software aging time is configurable through the CLI.
Once the HP device stops receiving traffic from a blocked Client's MAC address, the hardware aging begins and
lasts for a fixed period of time. After the hardware aging period ends, the software aging period begins. The
software aging period lasts for a configurable amount of time (by default 120 seconds). After the software aging
period ends, the blocked Client's MAC address ages out, and can be authenticated again if the HP device receives
traffic from the Client's MAC address.
To change the length of the software aging period for a blocked Client's MAC address, enter a command such as
the following:
ProCurveRS(config)# mac-session-aging max-age 180
Syntax: [no] mac-session-aging max-age <seconds>
You can specify from 1 – 65535 seconds. The default is 120 seconds.
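The two-phase aging described above (a fixed 70 second hardware phase followed by a configurable software phase, default 120 seconds, range 1 to 65535) is easy to get wrong when planning how long a denied client stays blocked. The following Python model is an added example, not HP code; it assumes that a frame from the blocked MAC address arriving before age-out is dropped and restarts the no-traffic clock, and that a frame arriving after age-out triggers a new authentication attempt. Class and method names are hypothetical.

```python
"""Model of two-phase aging for a blocked (denied) 802.1X client's Layer 2 CAM entry.

Hypothetical example code, not HP firmware.  Values taken from the manual text:
hardware aging is fixed at 70 s, software aging is mac-session-aging max-age
(default 120 s, valid 1-65535).  Assumption: any frame from the blocked MAC seen
before age-out is dropped and restarts the timers, because aging only begins
once the device stops receiving traffic from that MAC address.
"""
from typing import Dict, Optional

HARDWARE_AGING_SECONDS = 70        # fixed and non-configurable (from the manual)
DEFAULT_MAX_AGE_SECONDS = 120      # software aging default (from the manual)
MAX_AGE_RANGE = (1, 65535)         # valid range for mac-session-aging max-age


class BlockedClientTable:
    """Tracks blocked client MACs and decides drop vs. re-authentication attempt."""

    def __init__(self, max_age: int = DEFAULT_MAX_AGE_SECONDS) -> None:
        lo, hi = MAX_AGE_RANGE
        if not lo <= max_age <= hi:
            raise ValueError(f"max-age must be {lo}-{hi} seconds, got {max_age}")
        self.max_age = max_age
        self._last_seen: Dict[str, float] = {}   # blocked MAC -> time of last frame

    def block(self, mac: str, now: float) -> None:
        """Authentication was denied: install the hardware drop entry for this MAC."""
        self._last_seen[mac.lower()] = now

    def age_out_time(self, mac: str) -> Optional[float]:
        """Absolute time at which the entry ages out, or None if the MAC is not blocked."""
        last = self._last_seen.get(mac.lower())
        if last is None:
            return None
        return last + HARDWARE_AGING_SECONDS + self.max_age

    def phase(self, mac: str, now: float) -> str:
        """Which aging phase the entry is in at time `now`."""
        last = self._last_seen.get(mac.lower())
        if last is None:
            return "not-blocked"
        elapsed = now - last
        if elapsed < HARDWARE_AGING_SECONDS:
            return "hardware"
        if elapsed < HARDWARE_AGING_SECONDS + self.max_age:
            return "software"
        return "aged-out"

    def frame_received(self, mac: str, now: float) -> str:
        """'drop' while the entry is active (and refresh it), else 'reauthenticate'."""
        mac = mac.lower()
        expires = self.age_out_time(mac)
        if expires is not None and now < expires:
            self._last_seen[mac] = now    # traffic restarts the no-traffic clock (assumption)
            return "drop"
        self._last_seen.pop(mac, None)    # entry gone: the client may be authenticated again
        return "reauthenticate"


if __name__ == "__main__":
    # Constructed walk-through: client denied at t=0 with the default max-age.
    table = BlockedClientTable()
    client = "00e0.1234.abd4"            # sample MAC taken from the manual's clear example
    table.block(client, now=0)
    for t in (10, 100, 189, 379):
        print(f"t={t:>3}s phase={table.phase(client, t):<9} "
              f"frame -> {table.frame_received(client, t)}")
```

Changing `max_age` to 180, as in the `mac-session-aging max-age 180` command above, moves the age-out point from 190 to 250 seconds after the last frame; the hardware phase is unaffected.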
Clearing a dot1x-mac-session for a MAC Address
You can clear the dot1x-mac-session for a specified MAC address, so that the Client with that MAC address can
be re-authenticated by the RADIUS server. For example:
ProCurveRS# clear dot1x mac-session 00e0.1234.abd4
Syntax: clear dot1x mac-session <mac-address>
Defining MAC Filters for EAP Frames
You can create MAC address filters to permit or deny EAP frames. To do this, you specify the HP device's 802.1X
group MAC address as the destination address in a MAC filter, then apply the filter to an interface.
For example, the following command creates a MAC filter that denies frames with the destination MAC address of
0180.c200.0003, which is the HP device's 802.1X group MAC address:
ProCurveRS(config)# mac filter 1 deny any 0180.c200.0003 ffff.ffff.ffff
The following commands apply this filter to interface e 3/1:
ProCurveRS(config)# interface e 3/1
ProCurveRS(config-if-3/1)# mac filter-group 1
See "Defining MAC Address Filters" in the Installation and Basic Configuration Guide for ProCurve 9300 Series
Routing Switches for more information.
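To see what the `mac filter 1 deny any 0180.c200.0003 ffff.ffff.ffff` entry actually matches, the following Python model of a MAC filter group is an added example, not device code. It assumes the entry shape shown on this page (action, source or `any`, destination, destination mask), that a frame matches when `(dst & mask) == (addr & mask)` so that `ffff.ffff.ffff` means an exact match, that entries are checked in order with the first match deciding, and that a frame matching no entry is permitted. Function and class names are hypothetical.

```python
"""Software model of a MAC filter group applied to EAP (EAPOL) frames.

Hypothetical example, not HP/ProCurve code.  Assumptions: an entry is
(id, action, source-or-any, destination, destination-mask); a frame matches
when (dst & mask) == (addr & mask), so ffff.ffff.ffff is an exact match;
the first matching entry in the group decides; no match means permit.
"""
from typing import List, NamedTuple, Optional

# 802.1X PAE group address, the destination of EAPOL frames (from the manual)
DOT1X_GROUP_MAC = "0180.c200.0003"


def mac_to_int(mac: str) -> int:
    """Parse the dotted-hex form used on the CLI, e.g. '0180.c200.0003'."""
    digits = mac.replace(".", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


class MacFilter(NamedTuple):
    filter_id: int
    action: str            # 'permit' or 'deny'
    src: Optional[str]     # None stands for the CLI keyword 'any'
    dst: str
    dst_mask: str

    def matches(self, src_mac: str, dst_mac: str) -> bool:
        if self.src is not None and mac_to_int(self.src) != mac_to_int(src_mac):
            return False
        mask = mac_to_int(self.dst_mask)
        return (mac_to_int(dst_mac) & mask) == (mac_to_int(self.dst) & mask)


def parse_filter(line: str) -> MacFilter:
    """Parse a line shaped like 'mac filter 1 deny any 0180.c200.0003 ffff.ffff.ffff'."""
    parts = line.split()
    if (len(parts) != 7 or parts[:2] != ["mac", "filter"]
            or parts[3] not in ("permit", "deny")):
        raise ValueError(f"unrecognised filter line: {line!r}")
    src = None if parts[4] == "any" else parts[4]
    return MacFilter(int(parts[2]), parts[3], src, parts[5], parts[6])


def evaluate(group: List[MacFilter], src_mac: str, dst_mac: str) -> str:
    """Return the action of the first matching entry, or 'permit' (assumption) if none."""
    for entry in group:
        if entry.matches(src_mac, dst_mac):
            return entry.action
    return "permit"


# The filter group from the manual's example, applied to one interface.
FILTER_GROUP: List[MacFilter] = [
    parse_filter("mac filter 1 deny any 0180.c200.0003 ffff.ffff.ffff"),
]


if __name__ == "__main__":
    # Constructed sample frames: an EAPOL frame and an ordinary broadcast frame.
    for src, dst in (("00e0.1234.abd4", DOT1X_GROUP_MAC),
                     ("00e0.1234.abd4", "ffff.ffff.ffff")):
        print(f"{src} -> {dst}: {evaluate(FILTER_GROUP, src, dst)}")
```

Because the mask covers all 48 bits, only frames addressed exactly to the 802.1X group address are denied; a frame to any other destination, including the all-ones broadcast address, passes through the group untouched.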
Configuring Dynamic VLAN Assignment for 802.1X Ports
Starting in release 07.6.04, HP's 802.1X implementation supports assigning a port to a VLAN dynamically, based
on information received from an Authentication Server.
When a client/supplicant successfully completes the EAP authentication process, the Authentication Server (the
RADIUS server) sends the Authenticator (the HP device) a RADIUS Access-Accept message that grants the client
access to the network. The RADIUS Access-Accept message contains attributes set for the user in the user's
access profile on the RADIUS server.
4 - 16
June 2005