Prerequisites for web-based or MAC authentication

Before you configure web-based/MAC authentication, follow these guidelines.

  1. Configure a local user name and password on the switch for both the operator (login) and manager (enable) access levels. Hewlett Packard Enterprise recommends that you use a local user name and password pair to protect the switch configuration from unauthorized access.
  2. Determine the switch ports that you want to configure as authenticators. Before you configure web-based or MAC authentication on a port operating in an LACP trunk, you must remove the port from the trunk.
  3. To display the current configuration of 802.1X, web-based, and MAC authentication on all switch ports, enter the show port-access config command, as shown in the following example.
    # show port-access config
    Port Access Status Summary
    Port-access authenticator activated [No] : No
    Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
           802.1X 802.1X Web  Mac  LMA   Ctrl Mixed  Speed      
      Port Supp   Auth   Auth Auth Auth  Dir   Mode  VSA   MBV
    --- ------ ------ ---- ---- ----  ----- ----- ----- --------
      C1   No     Yes    No   No   No    In    No    Yes   Yes
      C2   No     Yes    No   No   No    Both  Yes   Yes   Yes
      C3   No     Yes    No   No   No    Both  No    No    Yes
      C4   No     Yes    No   No   Yes   Both  No    Yes   Yes
  4. Determine whether any VLAN assignments are needed for authenticated clients.
    1. If you configure the RADIUS server to assign a VLAN for an authenticated client, this assignment overrides any VLAN assignments configured on the switch while the authenticated client session remains active. The VLAN must be statically configured on the switch.
    2. If there is no RADIUS-assigned VLAN, the port can join an “Authorized VLAN” for the duration of the client session. This must be a port-based, statically configured VLAN on the switch.
    3. If there is neither a RADIUS-assigned VLAN or an “authorized VLAN” for an authenticated client session on a port, the port’s VLAN membership remains unchanged during authenticated client sessions. Configure the port for the VLAN in which you want it to operate during client sessions.

    When configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN.

  5. For clients that the RADIUS server does not authenticate, determine whether to use the optional “unauthorized VLAN” mode. This VLAN must be statically configured on the switch. If you do not configure an “unauthorized VLAN”, the switch simply blocks access to unauthenticated clients trying to use the port.
  6. Determine the authentication policy you want on the RADIUS server and configure the server. Based on your switches RADIUS application information, include the following in the policy for each client or client device:
    • The CHAP-RADIUS authentication method.

    • An encryption key.

    • One of the following:
      • Include the user name and password for each authorized client if you are configuring web-based authentication.

      • Enter the device MAC address in both the user name and password fields of the RADIUS policy configuration for that device if you are configuring MAC authentication. To allow a particular device to receive authentication only through a designated port and switch, include this in your policy.

  7. Determine the IP address of the RADIUS servers you choose to support web-based or MAC authentication.