Redirect Url Assignment; Smarton - HP FlexNetwork 10500 Series Security Configuration Manual

The EAD assistant feature enables the access device to redirect a user who is seeking to access the
network to download and install an EAD client. This feature eliminates the administrative task of
deploying EAD clients.
EAD assistant is implemented by the following functionality:
- Free IP.
  A free IP is a freely accessible network segment that contains a limited set of network resources,
  such as software and DHCP servers. To ensure security strategy compliance, an
  unauthenticated user can access only this segment to perform operations. For example, the
  user can download the EAD client from a software server or obtain a dynamic IP address from a
  DHCP server.
- Redirect URL.
  If an unauthenticated 802.1X user is using a Web browser to access the network, the EAD
  assistant feature redirects the user to a specific URL. For example, you can use this feature to
  redirect the user to the EAD client software download page.
The EAD assistant feature automatically creates an ACL-based EAD rule to open access to the
redirect URL for each redirected user.
EAD rules are implemented by using ACL resources. When the EAD rule timer expires or the user
passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass
authentication before the timer expires, they must reconnect to the network to access the free IP.
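
The following is an added example, not code from the manual or from the device: a simplified Python model of the per-user decisions described above, useful for reasoning about what an unauthenticated user can reach and when the EAD rule goes away. The class and method names, the port-80 test for browser traffic, the timer value and all addresses are assumptions made for illustration.

```python
import ipaddress

class EadAssistant:
    """Simplified model of the EAD assistant behaviour (not device code)."""

    def __init__(self, free_ips, redirect_url, rule_timeout):
        self.free_ips = [ipaddress.ip_network(n) for n in free_ips]
        self.redirect_url = redirect_url
        self.rule_timeout = rule_timeout   # EAD rule timer in seconds (constructed value)
        self.rules = {}                    # user MAC -> time at which its EAD rule expires
        self.expired = set()               # users whose rule timed out; they must reconnect

    def _in_free_ip(self, dst):
        addr = ipaddress.ip_address(dst)
        return any(addr in net for net in self.free_ips)

    def handle(self, mac, dst, dport, now):
        """Return (action, url) for a packet from an unauthenticated user."""
        expiry = self.rules.get(mac)
        if expiry is not None and now >= expiry:
            del self.rules[mac]            # timer expired: the rule is removed
            self.expired.add(mac)
        if mac in self.expired:
            return ("drop", None)          # no free IP access until the user reconnects
        if self._in_free_ip(dst):
            return ("permit", None)        # the free IP segment is always reachable
        if dport == 80:                    # assumption: browser traffic means HTTP
            self.rules.setdefault(mac, now + self.rule_timeout)
            return ("redirect", self.redirect_url)
        return ("drop", None)              # everything else stays closed

    def authenticated(self, mac):
        self.rules.pop(mac, None)          # passing authentication removes the rule

    def reconnect(self, mac):
        self.rules.pop(mac, None)
        self.expired.discard(mac)

if __name__ == "__main__":
    # Constructed sample traffic; addresses are from documentation ranges.
    ead = EadAssistant(["192.0.2.0/24"], "http://192.0.2.10/ead", 1800)
    mac = "00-00-5e-00-53-01"
    for dst, dport, now in [("192.0.2.10", 67, 0), ("198.51.100.5", 80, 10),
                            ("198.51.100.5", 22, 20), ("192.0.2.10", 80, 1810)]:
        print(now, dst, dport, ead.handle(mac, dst, dport, now))
```

When reviewing a deployment, the first argument is the part to scrutinise: every host inside a free IP segment is reachable before authentication.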

Redirect URL assignment

The device supports the URL attribute assigned by a RADIUS server when the 802.1X-enabled port
performs MAC-based access control and the port authorization state is auto. During authentication,
an 802.1X user is redirected to the Web interface specified by the server-assigned URL attribute.
After the user passes the Web authentication, the RADIUS server records the MAC address of the
Web user and uses a DM (Disconnect Message) to log off the Web user. When the user initiates
802.1X authentication again, the user passes authentication and comes online successfully.
This feature and the EAD assistant feature are mutually exclusive.

SmartOn

The SmartOn feature was developed to support the NEC 802.1X client.
As shown in Figure 35, the access device performs SmartOn authentication before 802.1X
authentication. The following shows the authentication process:
1. When a SmartOn-enabled port receives an EAPOL-Start packet from an 802.1X client, it sends
   a unicast EAP-Request/Notification packet to the client for SmartOn authentication.
2. Upon receiving an EAP-Response/Notification from the client, the device compares the switch
   ID and password in the packet with the switch ID and password configured on the device.
   - If they are the same, 802.1X authentication can continue.
   - If they do not match, SmartOn authentication fails. The access device stops 802.1X
     authentication for the client.