HP ProCurve 9304M Security Manual page 100

Security Guide for ProCurve 9300/9400 Series Routing Switches
Syntax: servertimeout <seconds>
Specifying a Timeout for Retransmission of EAP-Request Frames to the Client
Acting as an intermediary between the RADIUS Authentication Server and the Client, the HP device receives
RADIUS messages from the RADIUS server, encapsulates them as EAPOL frames, and sends them to the Client.
When the HP device relays an EAP-Request frame from the RADIUS server to the Client, it expects to receive a
response from the Client within 30 seconds. If the Client does not respond within the allotted time, the device
retransmits the EAP-Request frame to the Client. The timeout for retransmission of EAP-Request frames
to the Client can be set to a value from 0 to 4294967295 seconds.
For example, to configure the device to retransmit an EAP-Request frame if the Client does not respond within 45
seconds, enter the following command:
ProCurveRS(config-dot1x)# supptimeout 45
Syntax: supptimeout <seconds>
Initializing 802.1X on a Port
To initialize 802.1X port security on a port, enter a command such as the following:
ProCurveRS# dot1x initialize e 3/1
Syntax: dot1x initialize <portnum>
Allowing Access to Multiple Hosts
HP devices support 802.1X authentication for ports with more than one host connected to them. Multiple-host
authentication works differently according to the software release running on the HP device:
• In releases prior to 07.8.00, services are provided on a port based on the authentication of a single Client.
  When one Client is successfully authenticated, all hosts connected to the port are allowed access to the
  network. See "Configuring 802.1X Multiple-Host Authentication (Releases Prior to 07.8.00)".
• Starting in release 07.8.00, if there are multiple hosts connected to a single 802.1X-enabled port, the HP
  device authenticates each of them individually. See "Configuring 802.1X Multiple-Host Authentication
  (Release 07.8.00 and Later)".
Configuring 802.1X Multiple-Host Authentication (Releases Prior to 07.8.00)
To enable 802.1X port security in a multiple-host configuration, an HP device running a release prior to 07.8.00
must be configured to allow multiple Clients on the same port. When one Client is successfully authenticated, all
Clients connected to the port are allowed access to the network. Each time the authenticated Client logs off the
network, the port becomes unauthorized again.
To allow multiple 802.1X Clients on the same port, enter the following command:
ProCurveRS(config-if-3/1)# dot1x multiple-hosts
Syntax: [no] dot1x multiple-hosts
By default, multiple-host access is disabled. See Figure 4.7 on page 4-29 for a sample 802.1X configuration with
multiple hosts connected to one port.
NOTE: When the port-control parameter on an 802.1X-enabled interface is set to force-authorized, the HP
device allows connections from multiple Clients, regardless of whether the multiple-hosts parameter is used in
the interface's configuration.
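The two settings this section says admit multiple Clients on one port, dot1x multiple-hosts and a port-control value of force-authorized, can be looked for in a saved configuration from a device running a release prior to 07.8.00. The audit below is an added example, not part of the HP manual; the configuration layout, the "dot1x port-control <mode>" spelling and the function name audit_shared_ports are assumptions.

```python
import re

# Constructed sample. The stanza layout and "dot1x port-control <mode>" are
# assumptions; the page shows only "dot1x multiple-hosts" and names force-authorized.
SAMPLE_CONFIG = """\
interface ethernet 3/1
 dot1x port-control auto
 dot1x multiple-hosts
!
interface ethernet 3/2
 dot1x port-control auto
 no dot1x multiple-hosts
!
interface ethernet 3/3
 dot1x port-control force-authorized
!
"""

IFACE_RE = re.compile(r"^interface\s+e(?:thernet)?\s+(\S+)")


def audit_shared_ports(config_text):
    """Map each port that admits more than one Client to the reason the page gives."""
    state, port = {}, None   # port -> [multiple_hosts, port_control_mode]
    for raw in config_text.splitlines():
        line = " ".join(raw.lower().split())
        if not line:
            continue
        m = IFACE_RE.match(line)
        if m:
            port = m.group(1)
            state[port] = [False, None]
        elif not raw[0].isspace():
            port = None          # "!" or another top-level line ends the stanza
        elif port and line in ("dot1x multiple-hosts", "no dot1x multiple-hosts"):
            state[port][0] = not line.startswith("no ")
        elif port and line.startswith("dot1x port-control "):
            state[port][1] = line.split()[-1]
    findings = {}
    for port, (multi, mode) in state.items():
        if mode == "force-authorized":
            findings[port] = "force-authorized: multiple Clients allowed regardless of multiple-hosts"
        elif multi:
            findings[port] = "multiple-hosts: one authenticated Client opens the port to all hosts"
    return findings


if __name__ == "__main__":
    print(audit_shared_ports(SAMPLE_CONFIG))
```

Ports that appear in the result are candidates for moving each host to its own 802.1X-enabled port or for setting port-control back from force-authorized.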
Configuring 802.1X Multiple-Host Authentication (Release 07.8.00 and Later)
When multiple hosts are connected to the same 802.1X-enabled port, the functionality described in "How 802.1X
Multiple-Host Authentication Works (Release 07.8.00 and Later)" on page 4-7 is enabled by default. You can
optionally do the following:
4 - 14
June 2005
