Including User Ip Addresses In Mac Authentication Requests - HPE FlexNetwork 10500 Series Security Configuration Manual


| Step | Command | Remarks |
|---|---|---|
| 5. (Optional.) Set the periodic reauthentication timer on the port. | mac-authentication timer reauth-period reauth-period-value | By default, no periodic reauthentication timer is set on a port. The port uses the global periodic MAC reauthentication timer. |
| 6. (Optional.) Enable the keep-online feature for authenticated MAC authentication users on the port. | mac-authentication re-authenticate server-unreachable keep-online | By default, the keep-online feature is disabled. |

Including user IP addresses in MAC authentication requests

This feature enables the device to add user IP addresses to the MAC authentication requests that are sent to an IMC server.

Upon receiving an authentication request, the IMC server compares the user IP and MAC addresses in the request with its local IP-MAC mapping of the user. If a match is found, the IMC server verifies that the user is valid. If no match is found, the user fails the MAC authentication.

The IMC server selects the IP-MAC combination for a MAC authentication user to match in the following order:

1. The IP and MAC addresses in the IMC platform user account associated with the MAC authentication user.
2. The IP and MAC addresses that are included in the authentication request. If the server does not have an authenticated IP-MAC record for the user, it determines that the IP-MAC combination of the user is valid. The server will record the IP-MAC combination of the user. If the user IP address is changed at the next authentication, the user cannot pass authentication.

When you configure this feature, follow these guidelines and restrictions:

- This feature takes effect only on MAC authentication users that use static IP addresses. Users that obtain IP addresses through DHCP are not affected.
- Do not configure this feature together with the MAC authentication guest VLAN or VSI on a port. Otherwise, users in the MAC authentication guest VLAN or VSI cannot perform a new round of authentication.
- Do not configure this feature together with free VLANs for port security. For information about free VLANs, see "Configuring port security."
- Do not configure this feature on Layer 2 aggregate interfaces.

To include user IP addresses in MAC authentication requests:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Include user IP addresses in MAC authentication requests. | mac-authentication carry user-ip | By default, a MAC authentication request does not include the user IP address. |
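The matching order described above can be modeled as follows. This is an added example, not IMC or HPE code: the class, function, and result names are hypothetical, user accounts are assumed to be looked up by MAC address, and the sample addresses are constructed.

```python
import ipaddress

ACCEPT_ACCOUNT = "accept:account"        # matched the user-account binding
ACCEPT_LEARNED = "accept:learned"        # matched a previously recorded binding
ACCEPT_FIRST_SEEN = "accept:first-seen"  # no record yet: accepted and recorded
REJECT = "reject"


def norm_mac(mac):
    """Reduce aa-bb-cc-dd-ee-ff, aa:bb:..., or aabb-ccdd-eeff to 12 hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class IpMacChecker:
    """Hypothetical model of the server-side check; not IMC code."""

    def __init__(self, account_bindings=None):
        # Source 1: IP-MAC pairs configured in platform user accounts.
        self.account = {norm_mac(m): ipaddress.ip_address(i)
                        for m, i in (account_bindings or {}).items()}
        # Source 2: pairs recorded from earlier accepted requests.
        self.learned = {}

    def authenticate(self, mac, ip):
        key, addr = norm_mac(mac), ipaddress.ip_address(ip)
        if key in self.account:                 # order 1: account binding
            return ACCEPT_ACCOUNT if self.account[key] == addr else REJECT
        if key in self.learned:                 # order 2: recorded binding
            return ACCEPT_LEARNED if self.learned[key] == addr else REJECT
        self.learned[key] = addr                # first request is trusted
        return ACCEPT_FIRST_SEEN


if __name__ == "__main__":
    # Constructed sample requests (documentation address range 192.0.2.0/24).
    server = IpMacChecker({"00-11-22-33-44-55": "192.0.2.10"})
    for mac, ip in [("0011-2233-4455", "192.0.2.10"),
                    ("0011-2233-4455", "192.0.2.99"),
                    ("66-77-88-99-aa-bb", "192.0.2.20"),
                    ("66-77-88-99-aa-bb", "192.0.2.21")]:
        print(mac, ip, server.authenticate(mac, ip))
```

The first-seen branch shows that, without an account binding, the recorded pair is whatever the first request carried, and a later static IP change is rejected until the record is updated on the server.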
