HP ProCurve 9304M Security Manual page 124

Security Guide for ProCurve 9300/9400 Series Routing Switches
The RADIUS server is configured with the usernames and passwords of authenticated users. For multi-device
port authentication, the username and the password are both the MAC address itself; that is, the device uses
the MAC address for both the username and the password in the request it sends to the RADIUS server. For
example, given a MAC address of 0007e90feaa1, the users file on the RADIUS server would contain an entry
with the username and the password both set to 0007e90feaa1. When traffic from this MAC address is
encountered on a MAC-authentication-enabled interface, the device sends the RADIUS server an Access-Request
message with 0007e90feaa1 as both the username and the password. The format of the MAC address sent to the
RADIUS server is configurable through the CLI.
The authentication request succeeds only if the username and password carried in the request match an entry
in the users database on the RADIUS server. When they do, the RADIUS server returns an Access-Accept message
to the HP device. When the RADIUS server returns an Access-Accept message for a MAC address, that MAC address
is considered authenticated, and traffic from the MAC address is forwarded normally by the HP device.
Authentication-Failure Actions
If the MAC address does not match the username and password of any entry in the users database on the RADIUS
server, the RADIUS server returns an Access-Reject message. This is treated as an authentication failure for
the MAC address. When an authentication failure occurs, the HP device either drops traffic from the MAC
address in hardware (the default) or moves the port on which the traffic was received to a restricted VLAN.
Dynamic VLAN Assignment
The multi-device port authentication feature supports dynamic VLAN assignment, where a port can be placed in
a VLAN based on the MAC address learned on that interface. When a MAC address is successfully
authenticated, the RADIUS server sends the HP device a RADIUS Access-Accept message that allows the HP
device to forward traffic from that MAC address. The RADIUS Access-Accept message can also contain attributes
set for the MAC address in its access profile on the RADIUS server.
If one of the attributes in the Access-Accept message specifies a VLAN identifier, and this VLAN is available on
the HP device, the port is moved from its default VLAN to the specified VLAN.
To enable dynamic VLAN assignment for authenticated MAC addresses, you must add the following attributes to
the profile for the MAC address on the RADIUS server, then enable dynamic VLAN assignment on multi-device
port authentication-enabled interfaces.
Attribute Name            Type   Value
Tunnel-Type               064    13 (decimal) – VLAN
Tunnel-Medium-Type        065    6 (decimal) – 802
Tunnel-Private-Group-ID   081    <vlan-name> (string) – either the name or the number of a VLAN
                                 configured on the HP device.
Support for Authenticating Multiple MAC Addresses on an Interface
The multi-device port authentication feature allows multiple MAC addresses to be authenticated or denied
authentication on each interface. The maximum number of MAC addresses that can be authenticated on each
interface is limited only by the amount of system resources available on the HP device.
Configuring Multi-Device Port Authentication
Configuring multi-device port authentication on the HP device consists of the following tasks:
Enabling multi-device port authentication globally and on individual interfaces
Specifying the format of the MAC addresses sent to the RADIUS server (optional)
6 - 2
June 2005
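The exchange this chapter describes, as an added example that is not part of the HP manual: a self-contained Python model of both sides of the RADIUS conversation for multi-device port authentication. The switch side sends an Access-Request with the MAC address as both User-Name and User-Password, the server side answers Access-Accept (carrying the three tunnel attributes from the table when a VLAN is to be assigned) or Access-Reject, and the switch side then applies the authentication-failure action or the dynamic VLAN assignment. The packet layout follows RFC 2865 and the tagged tunnel attributes follow RFC 2868; the shared secret, the users table, the MAC addresses, the VLAN IDs and every function name are constructed for this example and do not correspond to HP CLI commands or to any particular RADIUS server's configuration syntax.

```python
"""Added example (not HP code): the RADIUS exchange for multi-device (MAC) port authentication, both sides.
Wire format per RFC 2865, tagged tunnel attributes per RFC 2868; SECRET, USERS, MACs and VLANs are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # attribute types 064/065/081
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6                            # values from the table above
SECRET = b"example-shared-secret"                     # constructed; known to the switch and the server only
USERS = {"0007e90feaa1": "20", "0007e90feaa2": None}  # constructed users file: MAC -> VLAN to assign, or none

def encode_attr(atype, value):                        # RFC 2865 attribute: type, length (incl. header), value
    return struct.pack("BB", atype, len(value) + 2) + value

def decode_attrs(payload):                            # {type: value}; reject lengths that overrun the packet
    attrs, i = {}, 0
    while i < len(payload):
        alen = payload[i + 1] if i + 1 < len(payload) else 0
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs[payload[i]] = payload[i + 2:i + alen]
        i += alen
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), authenticator) + body

def xor_password(data, secret, authenticator, hiding):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def hide_password(password, secret, authenticator):   # pad to a multiple of 16 octets, then hide
    return xor_password(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)

def unhide_password(hidden, secret, authenticator):   # reverse the hiding and drop the padding
    return xor_password(hidden, secret, authenticator, False).rstrip(b"\x00")

def response_authenticator(code, ident, body, request_auth, secret):   # RFC 2865 s3
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def mac_auth_request(mac, ident, secret=SECRET):      # switch side: MAC is both User-Name and User-Password
    request_auth = os.urandom(16)                     # Request Authenticator must be unpredictable
    mac_b = mac.encode()
    attrs = [encode_attr(USER_NAME, mac_b),
             encode_attr(USER_PASSWORD, hide_password(mac_b, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def radius_respond(request, users=USERS, secret=SECRET):
    """Server side: Access-Accept only if User-Name is a listed MAC and User-Password equals it."""
    _, ident, length, request_auth = struct.unpack("!BBH16s", request[:20])
    attrs = decode_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    code, reply = ACCESS_REJECT, []
    if user in users and hmac.compare_digest(password, user.encode()):
        code = ACCESS_ACCEPT
        if users[user] is not None:                   # dynamic VLAN: the three tagged tunnel attributes
            reply = [encode_attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
                     encode_attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
                     encode_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + users[user].encode())]
    body = b"".join(reply)
    return build_packet(code, ident, response_authenticator(code, ident, body, request_auth, secret), reply)

def tagged_int(value):                                # RFC 2868: one tag octet then a 3-octet integer
    return int.from_bytes(value[1:4], "big") if len(value) == 4 else -1

def vlan_from_attrs(attrs):
    """Dynamic VLAN: honour Tunnel-Private-Group-ID only if Tunnel-Type is VLAN and Tunnel-Medium-Type is 802."""
    if (tagged_int(attrs.get(TUNNEL_TYPE, b"")) != TUNNEL_TYPE_VLAN
            or tagged_int(attrs.get(TUNNEL_MEDIUM_TYPE, b"")) != TUNNEL_MEDIUM_802):
        return None                                   # port stays in its default VLAN
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:                    # leading octet is an RFC 2868 tag, not part of the name
        group = group[1:]
    return group.decode(errors="replace") or None

def switch_decision(response, request_auth, secret=SECRET, restricted_vlan=None):
    """Switch side: check the reply came from the server, then forward, drop (default) or restrict."""
    code, ident, length, resp_auth = struct.unpack("!BBH16s", response[:20])
    body = response[20:length]
    if not hmac.compare_digest(resp_auth, response_authenticator(code, ident, body, request_auth, secret)):
        raise ValueError("Response Authenticator mismatch: reply was not made with the shared secret")
    if code != ACCESS_ACCEPT:                         # authentication-failure action
        return ("restricted", restricted_vlan) if restricted_vlan else ("drop", None)
    return ("forward", vlan_from_attrs(decode_attrs(body)))

def authenticate(mac, users=USERS, secret=SECRET, restricted_vlan=None, ident=1):
    request, request_auth = mac_auth_request(mac, ident, secret)
    return switch_decision(radius_respond(request, users, secret), request_auth, secret, restricted_vlan)
```

Calling authenticate("0007e90feaa1") walks the whole exchange and returns ("forward", "20"); an unknown MAC returns ("drop", None), or ("restricted", "99") when restricted_vlan="99" is passed. Two details are worth noting. The switch accepts a reply only after recomputing the Response Authenticator with the shared secret, which is the only thing binding an Access-Accept to the real server; in the example a reply produced with a different secret raises instead of being honoured. And the credential the server checks is the same MAC address the client itself places in every frame, so a users-file entry identifies a device rather than proving possession of a secret; the shared secret between switch and RADIUS server and the choice of failure action are the parts under the administrator's control.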