HP ProCurve 9304M Security Manual page 92

Security Guide for ProCurve 9300/9400 Series Routing Switches
on both the clients and the authentication servers, the rollout, maintenance, and scalability of this
authentication method are much more complex than for other methods. EAP-TLS is best for installations with
existing PKI certificate infrastructures.
EAP-TTLS (Internet-Draft) – EAP Tunneled Transport Level Security (TTLS) is an extension of EAP-TLS.
Like EAP-TLS, EAP-TTLS provides strong authentication; however, it requires only the authentication server to be
validated by the client, through a certificate exchange between the server and the client. Clients are
authenticated by the authentication server using user names and passwords.
A TLS tunnel can be used to protect EAP messages and existing user credential services such as Active
Directory, RADIUS, and LDAP. Backward compatibility with other authentication protocols such as PAP, CHAP,
MS-CHAP, and MS-CHAP-V2 is also provided by EAP-TTLS. EAP-TTLS is not considered foolproof: a client
can be fooled into sending identity credentials if TLS tunnels are not used. EAP-TTLS is suited for
installations that require strong authentication without the use of mutual PKI digital certificates.
PEAP (Internet-Draft) – Protected EAP Protocol (PEAP) is an Internet-Draft that is similar to EAP-TTLS.
The PEAP client authenticates directly with the backend authentication server. The authenticator acts as a
pass-through device, which does not need to understand the specific EAP authentication protocols.
Unlike EAP-TTLS, PEAP does not natively support user names and passwords for authenticating clients against
an existing user database such as LDAP. PEAP secures the transmission between the client and the
authentication server with a TLS-encrypted tunnel. PEAP also allows other EAP authentication protocols to
be used. It relies on the mature TLS keying method for its key creation and exchange. PEAP is best suited for
installations that require strong authentication without the use of mutual certificates.
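The pass-through role described above, as an added example that is not from the HP manual: a minimal EAP packet decoder that parses only what an authenticator needs, the 4-byte header and the fragment-flag byte shared by EAP-TLS, EAP-TTLS and PEAP, and decides what to do with the packet from the Code alone. Code and Type values come from RFC 3748 and the EAP method-type registry; the packet bytes are constructed, not captured traffic.

```python
import struct

# Values from RFC 3748 (EAP) and the EAP method-type registry; no vendor specifics.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED_TYPES = {13, 21, 25}          # all three share the TLS fragment-flag byte
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start

def parse_eap(pkt: bytes) -> dict:
    """Decode the EAP header and, for TLS-based methods, only the fragment flags.
    The TLS payload itself stays opaque, as a pass-through authenticator leaves it."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP Length {length} inconsistent with {len(pkt)} bytes on the wire")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                   # Success / Failure carry no Type field
        return info
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type = pkt[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    data = pkt[5:length]
    if eap_type == 1:
        info["identity"] = data.decode("utf-8", "replace")
    elif eap_type in TLS_BASED_TYPES and data:
        flags = data[0]
        info["flags"] = {"L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M), "S": bool(flags & FLAG_S)}
        if eap_type != 13:
            info["version"] = flags & 0x07   # EAP-TTLS and PEAP carry a version in the low bits
        off = 1
        if flags & FLAG_L:                   # L flag: 4-byte total TLS message length follows
            info["tls_total_len"] = struct.unpack("!I", data[1:5])[0]
            off = 5
        info["tls_fragment"] = data[off:]
    return info

def authenticator_action(info: dict) -> str:
    """What the switch does with the packet: relay by Code, never by EAP method."""
    return {"Request": "relay to client", "Response": "relay to authentication server",
            "Success": "authorize port", "Failure": "keep port unauthorized"}[info["code"]]

# Constructed sample packets (not captured traffic):
PEAP_START = bytes([1, 1, 0, 6, 25, 0x21])                      # Request, PEAP v1, S flag set
PEAP_FRAG = (bytes([2, 1, 0, 18, 25, 0xC1]) + struct.pack("!I", 2048)
             + b"\x16\x03\x01\x00\x00\x00\x00\x00")              # Response, L+M flags, first fragment
EAP_SUCCESS = bytes([3, 2, 0, 4])

if __name__ == "__main__":
    for pkt in (PEAP_START, PEAP_FRAG, EAP_SUCCESS):
        i = parse_eap(pkt)
        print(i["code"], i.get("type"), i.get("flags"), "->", authenticator_action(i))
```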
NOTE: If the 802.1X Client will be sending a packet that is larger than 1500 bytes, then the following must be
configured on the HP device:
On devices with EP modules, default-mtu 1700 must be configured.
On devices with Standard modules, jumbo 1920 must be configured.
Configuration for these challenge types is the same as for the EAP-MD5 challenge type.
Authenticating Multiple Hosts Connected to the Same Port
HP devices support 802.1X authentication for ports with more than one host connected to them. Figure 4.5
illustrates a sample configuration where multiple hosts are connected to a single 802.1X port.
4 - 6
June 2005