Dynamic port access auth via RADIUS

Overview

This feature allows a common port policy to be configured on all access ports by creating new RADIUS HP VSAs that will dynamically override the authentication limits. The changes are always applied to the port on the authenticator switch associated with the supplicant being authenticated.


NOTE: All the changes requested by the VSAs must be valid for the switch configuration. For example, if either MAC-based or Web-based port access is configured while 802.1X port access is in client mode, a RADIUS client with a VSA to change the 802.1X port access to port-based mode is not allowed. 802.1X in port-based mode is not allowed with MAC-based or web-based port access types. However, if the authenticating client has VSAs to disable MAC-based and Web-based authentication in conjunction with changing 802.1X to port-based mode, then client authentication is allowed.


Configuring the RADIUS VSAs

Only RADIUS-authenticated port-access clients will be able to dynamically change the port access settings using the new proprietary RADIUS VSAs. The settings that can be overridden are:

  • Client limit (address limit with mac-based port access)

  • Disabling the port-access types

  • Setting the port mode in which 802.1X is operating

If the VSA client limit is lower than the switch-configured client limit, all clients except the client that is overriding the settings are deauthenticated. Only one client session at a time can override the port-access settings on a port. When that client session is deauthenticated, the port resets itself to the configured settings. This port reset causes the deauthentication of all clients for the port-access authentication types that had their settings changed dynamically.

The new VSAs are:

  • HP-Port-Client-Limit-Dot1x: This VSA temporarily alters the 802.1X authentication client limit to the value contained in the VSA. Values range from 0 to 32 clients. A zero client limit means this VSA is disabled. This is an HP proprietary VSA with a value of 10.

  • HP-Port-Client-Limit-MA: This VSA temporarily alters the MAC authentication client limit to the value contained in the VSA. Values range from 0 to 256 clients. A zero client limit means this VSA is disabled. This is an HP proprietary VSA with a value of 11.

  • HP-Port-Client-Limit-WA: This VSA temporarily alters the web-based authentication client limit to the value contained in the VSA. Values range from 0 to 256 clients. A zero client limit means this VSA is disabled. This is an HP proprietary VSA with a value of 12.

  • HP-Port-Auth-Mode-Dot1x: This VSA temporarily alters the 802.1X authentication mode to be either port-based or user-based depending on the value in the VSA. A port-based VSA is set with a value of 1; a user-based VSA is set with a value of 2. This is an HP proprietary VSA with a value of 13.

    If an 802.1X port is operating in port-based mode, it is invalid to set the 802.1X client limit using the HP-Port-Client-Limit-Dot1x VSA.



NOTE: The changing of the client limits for a port using VSAs is temporary. The running configuration file is not changed and still displays the client limit and address limit settings.


Each authentication type may have a unique value for the client limit. If the value of the VSA is zero, the authentication type corresponding to that VSA will be disabled.

Settings for these VSAs are in effect for the duration of the authenticated session of the downstream supplicant switch. If for any reason there is a loss of the session (link loss between authenticator switch and supplicant switch, or authentication failure during reauthentication), the originally configured 802.1X and MAC authentication limits are restored.
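As an added example that is not part of the HP documentation, the following Python encodes the four VSAs above into RADIUS Vendor-Specific (type 26) attributes and checks the validity rules the text states (value ranges, zero disabling an authentication type, and the port-based mode restrictions) before they are sent. It assumes HP's IANA enterprise number 11 and 4-byte integer values, as a RADIUS server dictionary would define them; neither is stated on this page.

```python
import struct

HP_VENDOR_ID = 11  # assumption: Hewlett-Packard IANA enterprise number (not on the page)
VSAS = {           # name -> (vendor-type, maximum value), as listed in the text
    "HP-Port-Client-Limit-Dot1x": (10, 32),
    "HP-Port-Client-Limit-MA":    (11, 256),
    "HP-Port-Client-Limit-WA":    (12, 256),
    "HP-Port-Auth-Mode-Dot1x":    (13, 2),
}
PORT_BASED, USER_BASED = 1, 2


def encode_vsa(name, value):
    """Return the attribute bytes: type 26 | length | vendor-id | vendor-type | vendor-length | int32."""
    vtype, maximum = VSAS[name]
    # Client limits allow 0 (disable); the mode VSA only allows 1 or 2.
    if not 0 <= value <= maximum or (vtype == 13 and value == 0):
        raise ValueError(f"{name}={value} outside the allowed range")
    vendor_data = struct.pack("!BBI", vtype, 6, value)          # vendor-length covers these 6 bytes
    header = struct.pack("!BBI", 26, 6 + len(vendor_data), HP_VENDOR_ID)  # RADIUS length covers all bytes
    return header + vendor_data


def check_overrides(port_cfg, overrides):
    """Apply the validity rules from the text; return a list of problems (empty means acceptable).

    port_cfg:  {"mac": bool, "web": bool, "dot1x_mode": 1 or 2} -- the port's configured state
    overrides: {vsa_name: value} -- the VSAs carried in the client's Access-Accept
    """
    problems = []
    mode = overrides.get("HP-Port-Auth-Mode-Dot1x", port_cfg["dot1x_mode"])
    # A zero client limit in a VSA disables that authentication type for the session.
    mac_on = port_cfg["mac"] and overrides.get("HP-Port-Client-Limit-MA", 1) != 0
    web_on = port_cfg["web"] and overrides.get("HP-Port-Client-Limit-WA", 1) != 0
    if mode == PORT_BASED and (mac_on or web_on):
        problems.append("802.1X port-based mode is not allowed while MAC-based or Web-based auth is enabled")
    if mode == PORT_BASED and overrides.get("HP-Port-Client-Limit-Dot1x", 0) > 0:
        problems.append("802.1X client limit cannot be set while 802.1X is in port-based mode")
    return problems


if __name__ == "__main__":
    # Constructed sample: a port with MAC auth on, 802.1X user-based; the client asks for port-based mode.
    cfg = {"mac": True, "web": False, "dot1x_mode": USER_BASED}
    print(check_overrides(cfg, {"HP-Port-Auth-Mode-Dot1x": PORT_BASED}))
    print(check_overrides(cfg, {"HP-Port-Auth-Mode-Dot1x": PORT_BASED, "HP-Port-Client-Limit-MA": 0}))
    print(encode_vsa("HP-Port-Client-Limit-MA", 32).hex())
```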

Viewing port-access information

The show port-access summary command displays the dynamically changed client limit settings.

Syntax:

show port-access summary [radius-overridden]

Displays summary configuration information for all ports, including the ports that have client limits set by RADIUS VSAs.

radius-overridden: Displays only the ports with client limits that are overridden by RADIUS attributes.



NOTE: If the command no aaa port-access authentication <port-list> client-limit is executed, the port access is in port-mode.

If the 802.1X client-limit is configured with a value from 1-32, the port access is in user-mode.


Summary configuration information showing RADIUS overridden client limits

HP Switch(config)# show port-access summary

 Port Access Status Summary

  Port-access authenticator activated [No] : No
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

  Note: * indicates values dynamically overridden by RADIUS

           Authenticator         Web Auth        MAC Auth
  Port   Enabled Mode Limit   Enabled Limit   Enabled Limit
  ---- + ------- ---- ----- + ------- ----- + ------- -----
  1    | Yes     user*  1*  |  Yes     1    |  Yes     1
  2    | Yes     user  32   |  Yes    32*   |  Yes    32
  3    | Yes     port   1   |  No      1    |  No      1
  4    | No      port   1   |  No      1    |  No*     1

To display the configuration information for just those ports that are dynamically overridden by RADIUS attributes, use the show port-access summary radius-overridden command.

Output for client-limit values that are RADIUS overridden

HP Switch(config)# show port-access summary radius-overridden

 Port Access Status Summary

  Port-access authenticator activated [No] : No
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

  Note: * indicates values dynamically overridden by RADIUS

           Authenticator         Web Auth        MAC Auth
  Port   Enabled Mode Limit   Enabled Limit   Enabled Limit
  ---- + ------- ---- ----- + ------- ----- + ------- -----
  1    | Yes     user*  1*  | Yes       1   | Yes     1
  2    | Yes     user  32   | Yes      32*  | Yes    32
  4    | No      port   1   | No        1   | No*     1

Operating notes

  • Only RADIUS authentication supports the new VSAs. Other authentication types, such as TACACS, are not supported.

  • The new VSAs are not supported in IDM and they cannot be specified in the configurations. The new VSAs must be configured manually.

  • If the RADIUS server delivers a new VSA to an authenticator switch that does not understand it, the Access-Accept message is rejected.