HP ProCurve 9304M Security Manual

Security Guide for ProCurve 9300/9400 Series Routing Switches
3. The HP device performs 802.1X authentication for the Client. Messages are exchanged between the HP
device and the Client, and between the device and the Authentication Server (RADIUS server). The result of
this process is that the Client is either successfully authenticated or not authenticated, based on the
username and password supplied by the client.
4. If the Client is successfully authenticated, the Client's dot1x-mac-session is set to "access-is-allowed". This
means that traffic from the Client can be forwarded normally.
5. If authentication for the Client is unsuccessful, an authentication-failure action is taken. The
authentication-failure action can be either to drop traffic from the Client in hardware (the default), or to place
the port in a "restricted" VLAN.
If the authentication-failure action is to drop traffic from the Client, then the device waits for a specified
amount of time (defined with the timeout quiet-period command, by default 60 seconds), then attempts
to authenticate the Client again. After three unsuccessful authentication attempts, the Client's dot1x-
mac-session is set to "access-denied", causing traffic from the Client to be dropped in hardware.
You can optionally configure the number of authentication attempts the device makes before dropping
traffic from the Client. See "Specifying the Number of Authentication Attempts the Device Makes Before
Dropping Packets" on page 4-15 for information on how to do this.
If the authentication-failure action is to place the port in a "restricted" VLAN, the Client's dot1x-mac-
session is set to "access-restricted", the port is moved to the specified restricted VLAN, and traffic
from the Client is forwarded normally (within that VLAN).
6. When the Client disconnects from the network, the HP device deletes the Client's dot1x-mac-session. This
does not affect the dot1x-mac-session or authentication status (if any) of the other hosts connected on the
port.
Notes
The Client's dot1x-mac-session establishes a relationship between the username and MAC address used for
authentication. If a user attempts to gain access from different Clients (with different MAC addresses), he or
she would need to be authenticated from each Client.
If a Client has been denied access to the network (that is, the Client's dot1x-mac-session is set to
"access-denied"), then you can cause the Client to be re-authenticated by manually disconnecting the Client
from the network, or by using the clear dot1x mac-session command. See "Clearing a dot1x-mac-session for a
MAC Address" on page 4-16 for information on this command.
When a Client has been denied access to the network, its dot1x-mac-session is aged out if no traffic is
received from the Client's MAC address over a fixed hardware aging period (70 seconds), plus a configurable
software aging period. You can optionally change the software aging period for dot1x-mac-sessions or
disable aging altogether. After the denied Client's dot1x-mac-session is aged out, traffic from that Client is no
longer blocked, and the Client can be re-authenticated.
In addition, you can disable aging for the dot1x-mac-session of Clients that have been granted full access
to the network or have been placed in a restricted VLAN. If aging is left enabled, such a Client must be
re-authenticated after its dot1x-mac-session ages out. See "Disabling Aging for dot1x-mac-sessions" on
page 4-15 for more information.
Dynamic IP ACL and MAC address filter assignment is not supported in an 802.1X multiple-host
configuration. If a RADIUS server returns an Access-Accept message that specifies an IP ACL or MAC
address filter for the Client, these attributes are ignored.
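The per-MAC session lifecycle in steps 3 through 6 and the notes above can be modelled as a small state machine. The following is an added example (not code from this manual or from the switch firmware): it keeps one session per client MAC on a port, applies the quiet period and the three-attempt limit before a session becomes "access-denied", moves a client to the restricted VLAN when that failure action is configured, and ages idle sessions out after the fixed 70-second hardware period plus a software period. All class and function names are this example's own; the 120-second software aging value and the "clear dot1x mac-session" behaviour (modelled as deleting the session) are assumptions, and the RADIUS exchange is replaced by a callable.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Session states, named as the manual names them, plus a local "pending"
# state for a client that has failed but still has attempts left.
ALLOWED = "access-is-allowed"
DENIED = "access-denied"
RESTRICTED = "access-restricted"
PENDING = "pending"


@dataclass
class MacSession:
    """One dot1x-mac-session: binds a username to the client MAC address."""
    username: str
    state: str = PENDING
    failures: int = 0
    next_attempt_at: float = 0.0   # end of the current quiet period
    last_traffic_at: float = 0.0   # last frame seen from this MAC; drives aging
    vlan: Optional[int] = None


@dataclass
class Dot1xPort:
    """An 802.1X port in multiple-host mode: one dot1x-mac-session per client MAC."""
    radius: Callable[[str, str], bool]     # stand-in for the RADIUS exchange
    default_vlan: int = 1
    restricted_vlan: Optional[int] = None  # None: auth-fail action is "drop in hardware"
    quiet_period: float = 60.0             # timeout quiet-period, seconds
    max_attempts: int = 3
    hw_aging: float = 70.0                 # fixed hardware aging period, seconds
    sw_aging: float = 120.0                # software aging period (assumed value)
    no_aging_denied: bool = False          # aging disabled for denied sessions
    no_aging_permitted: bool = False       # aging disabled for allowed/restricted sessions
    sessions: Dict[str, MacSession] = field(default_factory=dict)

    def authenticate(self, mac: str, username: str, password: str, now: float) -> str:
        """One authentication attempt from `mac`; returns the resulting session state."""
        s = self.sessions.setdefault(mac, MacSession(username))
        s.last_traffic_at = now
        if s.state == DENIED:
            return DENIED                  # blocked until cleared or aged out
        if now < s.next_attempt_at:
            return s.state                 # quiet period still running: no RADIUS exchange
        if self.radius(username, password):
            s.state, s.failures, s.vlan = ALLOWED, 0, self.default_vlan
        elif self.restricted_vlan is not None:
            s.state, s.vlan = RESTRICTED, self.restricted_vlan   # forwarded, in the restricted VLAN
        else:
            s.failures += 1
            if s.failures >= self.max_attempts:
                s.state = DENIED           # third failure: traffic dropped, no more retries
            else:
                s.state = PENDING          # dropped until the quiet period ends, then retried
                s.next_attempt_at = now + self.quiet_period
        return s.state

    def forwards(self, mac: str) -> bool:
        """True if frames from this MAC are currently forwarded."""
        s = self.sessions.get(mac)
        return s is not None and s.state in (ALLOWED, RESTRICTED)

    def traffic_seen(self, mac: str, now: float) -> None:
        """Any frame from a known MAC resets its aging clock."""
        if mac in self.sessions:
            self.sessions[mac].last_traffic_at = now

    def disconnect(self, mac: str) -> None:
        """Client left the network: only its own session is deleted."""
        self.sessions.pop(mac, None)

    def clear_mac_session(self, mac: str) -> None:
        """Operator ran 'clear dot1x mac-session' (modelled here as deleting the session)."""
        self.sessions.pop(mac, None)

    def age(self, now: float) -> List[str]:
        """Expire idle sessions; returns the MACs that aged out and must re-authenticate."""
        aged = []
        for mac, s in list(self.sessions.items()):
            disabled = self.no_aging_denied if s.state == DENIED else self.no_aging_permitted
            if disabled:
                continue
            if now - s.last_traffic_at >= self.hw_aging + self.sw_aging:
                aged.append(mac)
                del self.sessions[mac]
        return aged
```

Two points the model makes visible: a correct password offered during the quiet period is not checked at all (the device is not talking to RADIUS then), and because sessions are keyed by MAC, the same username on a second MAC gets its own session, so disconnecting or aging out one client never touches the others on the port.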
Dynamic VLAN Assignment in an 802.1X Multiple-Host Configuration (Release 07.8.00 and Later)
Dynamic VLAN assignment allows an 802.1X-enabled port to be assigned to a VLAN based on information
received from the RADIUS server. Attributes in the RADIUS Access-Accept message can specify a VLAN
identifier; if this VLAN is available on the HP device, the Client's port can be moved from its default VLAN to the
specified VLAN.
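The following added example (not code from this manual or from the switch) shows how a receiver of the Access-Accept would extract the VLAN identifier and decide whether the port can be moved. It assumes the VLAN is carried in the standard IETF tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN number, as in RFC 3580), which this page does not name; it further assumes that an ACL or MAC-filter name would arrive in Filter-Id, and that a VLAN not present on the device leaves the port in its default VLAN. All function names are this example's own, and the sample packets are constructed inline.

```python
import struct
from typing import List, Optional, Set, Tuple

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
FILTER_ID = 11                       # assumed carrier of the ACL / MAC-filter name
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13                # RFC 3580 values
TUNNEL_MEDIUM_802 = 6

Attr = Tuple[int, bytes]


def parse_radius(packet: bytes) -> Tuple[int, List[Attr]]:
    """Split a RADIUS packet into (code, [(type, value), ...]); rejects malformed packets."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("Length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def _untag(value: bytes) -> bytes:
    """Strip the optional RFC 2868 tag byte (0x00..0x1F) from a tunnel string attribute."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_access_accept(packet: bytes) -> Optional[int]:
    """VLAN ID carried by an Access-Accept, or None if the tunnel attributes are absent or unusable."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    first = {}
    for atype, value in attrs:
        first.setdefault(atype, value)          # first occurrence of each type wins
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(t not in first for t in needed):
        return None
    # Tunnel-Type / Tunnel-Medium-Type are a tag byte followed by a 3-byte integer.
    if int.from_bytes(first[TUNNEL_TYPE][-3:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(first[TUNNEL_MEDIUM_TYPE][-3:], "big") != TUNNEL_MEDIUM_802:
        return None
    group = _untag(first[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii", "replace")
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


def port_vlan_after_accept(packet: bytes, default_vlan: int, available_vlans: Set[int],
                           multiple_host: bool = True) -> Tuple[int, List[int]]:
    """Return (VLAN the port ends up in, attribute types that were ignored)."""
    _code, attrs = parse_radius(packet)
    # Multiple-host mode: ACL / MAC-filter attributes are ignored (assumed to arrive as Filter-Id).
    ignored = [t for t, _ in attrs if t == FILTER_ID] if multiple_host else []
    vlan = vlan_from_access_accept(packet)
    if vlan is not None and vlan in available_vlans:
        return vlan, ignored
    return default_vlan, ignored   # assumption: an unknown VLAN leaves the port in its default VLAN


def build_radius(code: int, attrs: List[Attr], ident: int = 1) -> bytes:
    """Constructed test packet; the 16-byte Authenticator is zeroed, so it is not a signed reply."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def vlan_attrs(vlan: int, tag: int = 0) -> List[Attr]:
    """The three RFC 3580 attributes a RADIUS server sends to assign a VLAN."""
    return [
        (TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii")),
    ]
```

The parser rejects a packet whose Length field disagrees with the bytes received and a group ID that is not a VLAN number, so a malformed or mis-typed reply cannot move a port. What it deliberately does not do is verify the Response Authenticator: a real authenticator must check the MD5 over the reply and the shared secret before trusting any attribute, otherwise a spoofed Access-Accept on the RADIUS path could place a port in a VLAN of the attacker's choosing.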
4 - 8
June 2005
