802.1X - Port-Based Access Control / Radius Authentication - HP ProCurve 5308XL-48G Supplementary Manual

ICMP rate-limiting operates on an interface (per-port or per-trunk) basis, and it should be
configured to allow the highest expected amount of legitimate inbound ICMP traffic. If an
interface experiences an inbound flow of ICMP traffic in excess of its configured limit, the switch
throttles that traffic and generates a log message and an SNMP trap (if an SNMP trap receiver
is configured). For example, if a 100 Mbps port negotiates a link to a switch at 100 Mbps and is
configured with an ICMP rate limit of 5%, then the inbound ICMP traffic flow through that port is
limited to 5 Mbps and any excess ICMP traffic is throttled.
802.1X – Port-based access control / RADIUS Authentication
The IEEE 802.1X standard governs a method for client system network log-in. Through 802.1X
a user is given access to the network only after the ProCurve 5300xl Switch Series (the network
access server) authenticates the user through a RADIUS server. As part of this authentication,
the user can be given specific network access rights, such as assignment to a specific VLAN, and
some high-level session accounting information can be maintained. (See the next section.)
With a centralized RADIUS server doing the actual authentication, a user can log in anywhere in
the network that supports 802.1X and get access to their resources. This is true whether the
log-in occurs on a shared client, or the user is using a mobile client and accessing the network at
different access points.
One point to note about 802.1X access control is that it controls access at the port of the switch.
Once access is granted to the switch port, anyone connected through this port will have access to
the services associated with the user that authenticated. If someone inadvertently or
clandestinely places a switch or hub between the network access server and the authenticated
client, any port on the introduced switch or hub has access to the configured network services of
the authenticated client. One way to close this shortfall is to use the Port Security MAC Address
Lockdown feature on the ProCurve 5300xl Switch Series, which is described in a following
section.
The ProCurve 5300xl Switch Series supports concurrent authentication methods per port. The
switch allows concurrent operation of 802.1X and either Web Authentication or MAC
Authentication. The combined client limit for a port configured for concurrent authentication is 32.
More details on 802.1X can be found in the white paper on the ProCurve website at
http://www.procurve.com (select the information library).
RADIUS Server Accounting
Most RADIUS servers can provide not only authentication for the user, but can also keep track
of some parameters associated with the authenticated user or the switch itself. These
parameters are actually kept on the ProCurve 5300xl Switch Series and updated on the RADIUS
server either at RADIUS session begin and end, or only at session end.
Three areas of parameters are tracked:
Network Accounting – Keeps track of items for an authenticated user on a switch port, such as
Account ID, Username, Input and Output Packets, Account Termination Reason, etc.
Exec Accounting – Keeps track of the same items used in Network Accounting, but for logon
sessions under telnet, SSH and console.
System Accounting – Keeps track of the same items used in Network Accounting, with the actual
recording of the items done on a system event, such as system reboot, system reset and
accounting enable or disable.
The primary purpose for RADIUS accounting is to have a security audit trail for user network
usage or when switch events occur that affect the integrity of the network.
RADIUS server accounting can also be used as a rudimentary form of tracking user network
usage, but only covers very high level parameters such as total connect time, or total packets
through the user's switch port.
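The accounting records described above, as an added example that is not from this manual or from HP/ProCurve: a minimal RFC 2866 Accounting-Request builder and verifier in Python carrying the items this section lists (session ID, username, input/output packets, termination reason). The attribute numbers are the standard RFC 2865/2866 values; the session values and the shared secret are constructed for the example, and the verifier shows how a collector confirms that a record really came from a switch holding the secret and was not altered in transit.

```python
import hashlib
import struct

# Standard RADIUS values (RFC 2865/2866); names follow this section's items.
ACCOUNTING_REQUEST = 4
ACCT_STATUS_STOP = 2
ATTR = {"User-Name": 1, "Acct-Status-Type": 40, "Acct-Session-Id": 44,
        "Acct-Input-Packets": 47, "Acct-Output-Packets": 48,
        "Acct-Terminate-Cause": 49}
STRING_ATTRS = ("User-Name", "Acct-Session-Id")

def _avp(attr_type, value):
    """Encode one attribute-value pair as Type, Length, Value."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data

def build_accounting_request(identifier, secret, attrs):
    """Build an Accounting-Request. Per RFC 2866 the Request Authenticator is
    MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    payload = b"".join(_avp(ATTR[name], val) for name, val in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(payload))
    authenticator = hashlib.md5(header + bytes(16) + payload + secret).digest()
    return header + authenticator + payload

def verify_accounting_request(packet, secret):
    """Recompute the authenticator; a mismatch means the record was not produced
    with this shared secret or was modified after the switch sent it."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]

def parse_attributes(packet):
    """Return the audit fields as a dict keyed by attribute name."""
    names = {v: k for k, v in ATTR.items()}
    out, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + length]
        name = names.get(attr_type, attr_type)
        out[name] = (value.decode() if name in STRING_ATTRS
                     else struct.unpack("!I", value)[0])
        pos += length
    return out

# Constructed sample: a stop record for one authenticated port session.
SECRET = b"constructed-shared-secret"
SAMPLE = build_accounting_request(7, SECRET, [
    ("User-Name", "alice"), ("Acct-Status-Type", ACCT_STATUS_STOP),
    ("Acct-Session-Id", "0001"), ("Acct-Input-Packets", 1200),
    ("Acct-Output-Packets", 980), ("Acct-Terminate-Cause", 1)])
```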
Standalone RADIUS Authentication
RADIUS authentication can be used without using 802.1X. In this case RADIUS is used to
provide user authentication when telnet, SSH or console port access authentication is required.
Up to three RADIUS servers can be specified to provide backup capability in case the primary
RADIUS server becomes unavailable.
