Including User IP Addresses in MAC Authentication Requests; Enabling Parallel Processing of MAC Authentication and 802.1X Authentication - HP FlexNetwork 10500 Series Security Configuration Manual

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
| 3. Enable the keep-online feature for authenticated MAC authentication users on the port. | mac-authentication re-authenticate server-unreachable keep-online | By default, the keep-online feature is disabled. This command takes effect only when the authentication server assigns reauthentication attributes to the device. |

Including user IP addresses in MAC authentication requests

This feature enables the device to add user IP addresses to the MAC authentication requests that are sent to an IMC server. The IMC server compares the user IP and MAC addresses in a request with its local IP-MAC mapping of the user. If a match is found, the IMC server considers the user valid. If no match is found, the user fails the MAC authentication. For information about IMC user IP-MAC bindings, see HPE IMC User Access Manager Administrator Guide.

When you configure this feature, follow these guidelines and restrictions:

• This feature takes effect only on MAC authentication users who use static IP addresses. It prevents those users from modifying their IP addresses to access the network. Users who obtain IP addresses through DHCP are not affected.
• Do not configure this feature together with the MAC authentication guest VLAN on a port. If both features are configured, users in the MAC authentication guest VLAN cannot perform a new round of authentication.

To include user IP addresses in MAC authentication requests:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
| 3. Include user IP addresses in MAC authentication requests. | mac-authentication carry user-ip | By default, a MAC authentication request does not include the user IP address. |

Enabling parallel processing of MAC authentication and 802.1X authentication

This feature enables a port that processes MAC authentication after 802.1X authentication is finished to process MAC authentication in parallel with 802.1X authentication.

When the port receives a packet from an unknown MAC address, it sends a unicast EAP-Request/Identity packet to the MAC address. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result.

After MAC authentication succeeds, the port is assigned to the MAC authentication authorization VLAN.
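The section "Including user IP addresses in MAC authentication requests" says not to combine that feature with the MAC authentication guest VLAN on the same port. The following is an added example, not part of the HP manual, that audits a saved configuration for ports where both are set. The sample configuration is constructed, and the guest VLAN command name `mac-authentication guest-vlan` is an assumption, since this page does not show it.

```python
import re

# Constructed sample of a Comware-style saved configuration (not from the manual).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 mac-authentication
 mac-authentication carry user-ip
#
interface GigabitEthernet1/0/2
 mac-authentication
 mac-authentication carry user-ip
 mac-authentication guest-vlan 100
#
interface GigabitEthernet1/0/3
 mac-authentication guest-vlan 100
 mac-authentication re-authenticate server-unreachable keep-online
#
"""

CARRY_IP = "mac-authentication carry user-ip"  # command shown in the manual
GUEST_VLAN = "mac-authentication guest-vlan"   # assumed guest VLAN command name


def parse_interfaces(config_text):
    """Map each interface name to the list of commands in its view."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith((" ", "\t")) and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # "#" or any top-level line ends the interface view
    return interfaces


def find_conflicts(config_text):
    """Return ports that combine carry user-ip with a MAC authentication guest VLAN."""
    return [
        name
        for name, cmds in parse_interfaces(config_text).items()
        if CARRY_IP in cmds and any(c.startswith(GUEST_VLAN + " ") for c in cmds)
    ]


print(find_conflicts(SAMPLE_CONFIG))
```

Any port the function returns should have one of the two features removed, because users placed in the guest VLAN on that port cannot perform a new round of authentication.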
