HP ProCurve 9304M Security Manual page 128

Security Guide for ProCurve 9300/9400 Series Routing Switches
The MAC session is manually deleted with the mac-authentication clear-mac-session command
The MAC address that caused the port to be dynamically assigned to a VLAN ages out
For example, say port 1/1 is currently in VLAN 100, to which it was assigned when MAC address 0007.eaa1.e90f
was authenticated by a RADIUS server. The port was originally configured to be in VLAN 111. If the MAC
session for address 0007.eaa1.e90f is deleted, then port 1/1 is moved from VLAN 100 back into VLAN 111.
You can optionally specify an alternate VLAN to which to move the port when the MAC session for the address is
deleted. For example, to place the port in the restricted VLAN, enter commands such as the following:
ProCurveRS(config)# interface e 3/1
ProCurveRS(config-if-e100-3/1)# mac-auth move-back-to-old-vlan port-restrict-vlan
Syntax: [no] mac-authentication move-back-to-old-vlan disable | port-configured-vlan | port-restrict-vlan | system-default-vlan
The disable keyword disables moving the port back to its original VLAN. The port would stay in its RADIUS-assigned VLAN.
The port-configured-vlan keyword removes the port from its RADIUS-assigned VLAN and places it back in the
VLAN where it was originally assigned. This is the default.
The port-restrict-vlan keyword removes the port from its RADIUS-assigned VLAN and places it in the restricted
VLAN.
The system-default-vlan keyword removes the port from its RADIUS-assigned VLAN and places it in the
DEFAULT-VLAN.
Saving Dynamic VLAN Assignments to the Startup-Config File
You can configure the HP device to save the RADIUS-specified VLAN assignments to the device's startup-config
file. To do this, enter the following command:
ProCurveRS(config)# mac-authentication save-dynamicvlan-to-config
Syntax: [no] mac-authentication save-dynamicvlan-to-config
By default, the dynamic VLAN assignments are not saved to the startup-config file. Entering the show running-config
command does not display dynamic VLAN assignments, although they can be displayed with the show vlan and
show authenticated-mac-address detail commands.
Enabling Denial of Service Attack Protection
The HP device does not start forwarding traffic from a MAC address in hardware until the RADIUS server has
authenticated that MAC address; traffic from not-yet-authenticated MAC addresses is sent to the CPU. A denial of
service (DoS) attack could be launched against the device by sending it a high volume of new source MAC
addresses, causing the CPU to be overwhelmed with performing RADIUS authentication for these MAC addresses.
In addition, the high CPU usage in such an attack could prevent the RADIUS response from reaching the CPU in
time, causing the device to make additional authentication attempts.
To limit the susceptibility of the HP device to such attacks, you can configure the device to use multiple RADIUS
servers, which can share the load when a large number of MAC addresses need to be authenticated. The HP device
can run a maximum of 10 RADIUS clients per server and will attempt to authenticate with a new RADIUS server if
the current one times out.
In addition, you can configure the HP device to limit the rate of authentication attempts sent to the RADIUS server.
When the multi-device port authentication feature is enabled, it keeps track of the number of RADIUS
authentication attempts made per second. When you also enable the DoS protection feature, if the number of
RADIUS authentication attempts for MAC addresses learned on an interface per second exceeds a configurable
rate (by default 512 authentication attempts per second), the device considers this a possible DoS attack and
disables the port. You must then manually re-enable the port.
The DoS protection feature is disabled by default. To enable it on an interface, enter commands such as the
following:
ProCurveRS(config)# interface e 3/1
6 - 6
June 2005