User Profile Assignment; Ead Assistant; Configuration Prerequisites - HPE Moonshot 45Gc Security Configuration Manual

User profile assignment

You can specify a user profile for an 802.1X user to control the user's access to network resources.
After the user passes 802.1X authentication, the authentication server assigns the user profile to the
user for filtering traffic. The authentication server can be the local access device or a RADIUS server.
In either case, you must configure the user profile on the access device.
To change the user's access permissions, you can use one of the following methods:
• Modify the user profile configuration on the access device.
• Specify another user profile for the user on the authentication server.
For more information about user profiles, see "Configuring user profiles."

EAD assistant

Endpoint Admission Defense (EAD) is an integrated endpoint access control solution of Hewlett
Packard Enterprise. The solution improves the threat defensive capability of a network. The solution
enables the security client, security policy server, access device, and third-party server to operate
together. If a terminal device seeks to access an EAD network, it must have an EAD client, which
performs 802.1X authentication.
EAD assistant enables the access device to redirect a user who is seeking to access the network to
download and install an EAD client. This feature eliminates the administrative task of deploying EAD
clients.
The EAD assistant feature is implemented by the following functionalities:
• Free IP.
  A free IP is a freely accessible network segment, which has a limited set of network resources
  such as software and DHCP servers. To ensure security strategy compliance, an
  unauthenticated user can access only this segment to perform operations. For example, the
  user can download the EAD client from a software server or obtain a dynamic IP address from a
  DHCP server.
• Redirect URL.
  If an unauthenticated 802.1X user is using a Web browser to access the network, the EAD
  assistant feature redirects the user to a specific URL. For example, you can use this feature to
  redirect the user to the EAD client software download page.
The EAD assistant feature automatically creates an ACL-based EAD rule to open access to the
redirect URL for each redirected user.
EAD rules are implemented by using ACL resources. When the EAD rule timer expires or the user
passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass
authentication before the timer expires, they must reconnect to the network to access the free IP.
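The following Python model is an added example, not code from the manual or from the switch software. It walks through the free IP, redirect URL, and EAD rule timer behavior described above. The class and method names, the 192.168.100.0/24 free IP segment, the URL, the 1800-second timer, and the treatment of "Web browser" traffic as TCP port 80 are all assumptions made for illustration.

```python
import ipaddress

class EadAssistantModel:
    """Simplified model of the EAD assistant behavior; not switch code."""

    def __init__(self, free_ip, redirect_url, rule_timeout):
        self.free_ip = ipaddress.ip_network(free_ip)  # freely accessible segment
        self.redirect_url = redirect_url              # EAD client download page
        self.rule_timeout = rule_timeout              # EAD rule timer, in seconds
        self.rule_expiry = {}      # user MAC -> time at which the EAD rule expires
        self.timed_out = set()     # users whose rule expired before authentication
        self.authenticated = set()

    def _age_rules(self, now):
        # Remove every EAD rule whose timer has expired.
        for mac, expiry in list(self.rule_expiry.items()):
            if now >= expiry:
                del self.rule_expiry[mac]
                self.timed_out.add(mac)

    def authenticate(self, mac):
        # Passing 802.1X authentication also removes the user's EAD rule.
        self.rule_expiry.pop(mac, None)
        self.timed_out.discard(mac)
        self.authenticated.add(mac)

    def reconnect(self, mac):
        # A reconnecting user starts again as a fresh unauthenticated user.
        self.rule_expiry.pop(mac, None)
        self.timed_out.discard(mac)
        self.authenticated.discard(mac)

    def handle(self, mac, dst_ip, dst_port, now):
        """Return 'permit', 'deny', or 'redirect:<url>' for one packet."""
        self._age_rules(now)
        if mac in self.authenticated:
            return "permit"        # further filtering is the user profile's job
        if mac in self.timed_out:
            return "deny"          # must reconnect to reach the free IP again
        if ipaddress.ip_address(dst_ip) in self.free_ip:
            return "permit"        # unauthenticated users may reach the free IP
        if dst_port == 80:         # assumption: browser traffic is TCP port 80
            self.rule_expiry.setdefault(mac, now + self.rule_timeout)
            return "redirect:" + self.redirect_url
        return "deny"

if __name__ == "__main__":
    m = EadAssistantModel("192.168.100.0/24", "http://192.168.100.10/ead", 1800)
    for t, ip, port in [(0, "203.0.113.5", 80), (5, "192.168.100.10", 80),
                        (1800, "192.168.100.10", 80)]:  # constructed packets
        print(t, ip, port, m.handle("00-11-22-33-44-55", ip, port, t))
```

In this model a user who is redirected at time 0 can still reach the free IP at time 5, but is denied at time 1800 and must reconnect.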

Configuration prerequisites

Before you configure 802.1X, complete the following tasks:
• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
• If RADIUS authentication is used, create user accounts on the RADIUS server.
• If local authentication is used, create local user accounts on the access device and set the
  service type to lan-access.
For more information about RADIUS client configuration, see "Configuring AAA."