Precedence of security options

This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch.

Precedence of port-based security options

Where the switch is running multiple security options, it applies them in the order of their position in the OSI (Open Systems Interconnection) model, from the lowest layer to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.

  1. Disabled/Enabled physical port

  2. MAC lockout (applies to all ports on the switch)

  3. MAC lockdown

  4. Port security

  5. Authorized IP managers

  6. Application features at higher levels in the OSI model, such as SSH.

The above list does not address the mutually exclusive relationship that exists among some security features.

Precedence of client-based authentication: Dynamic Configuration Arbiter (DCA)

The Dynamic Configuration Arbiter (DCA) is implemented to determine the client-specific parameters that are assigned in an authentication session.

A client-specific authentication configuration is bound to the MAC address of a client device and may include the following parameters:

  • Untagged client VLAN ID

  • Tagged VLAN IDs

  • Per-port CoS (802.1p) priority

  • Per-port rate-limiting on inbound traffic

  • Client-based ACLs

DCA applies and removes client-specific parameters configured in any of the following ways according to a fixed hierarchy of precedence. When more than one value exists for an individual configuration parameter, the value applied to a client session is chosen in the following order, from highest to lowest priority; a value configured at a higher priority overrides a value configured at a lower priority:

  1. Attribute profiles applied through the Network Immunity network-management application using SNMP (see HP E-Network Immunity manager (NIM))

  2. 802.1X authentication parameters (RADIUS-assigned)

  3. Web- or MAC-authentication parameters (RADIUS-assigned)

  4. Local, statically-configured parameters

Although RADIUS-assigned settings are never applied to ports for non-authenticated clients, DCA allows client-specific port configurations to be configured and assigned to non-authenticated clients, provided that the client's MAC address is present in the switch forwarding database. DCA arbitrates the assignment of attributes on both authenticated and non-authenticated ports.

DCA does not support the arbitration and assignment of client-specific attributes on trunk ports.

HP E-Network Immunity manager (NIM)

HP E-Network Immunity manager (NIM) is a plug-in to HP PCM+ and a key component of the HP E-Network Immunity security solution, which provides comprehensive detection of, and per-port response to, malicious traffic at the HP network edge. NIM allows you to apply policy-based actions to minimize the negative impact of a client's behavior on the network. For example, using NIM you can apply a client-specific profile that adds or modifies per-port rate-limiting and VLAN ID assignments.


NOTE: NIM actions only support the configuration of per-port rate-limiting and VLAN ID assignment; NIM does not support CoS (802.1p) priority assignment and ACL configuration.


NIM-applied parameters temporarily override RADIUS-configured and locally configured parameters in an authentication session. When the NIM-applied action is removed, the previously applied client-specific parameter (locally configured or RADIUS-assigned) is re-applied unless there have been other configuration changes to the parameter. In this way, NIM allows you to minimize network problems without manual intervention.

NIM also allows you to configure and apply client-specific profiles on ports that are not configured to authenticate clients (unauthorized clients), provided that a client's MAC address is known in the switch forwarding database.

The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for NIM. A client profile consists of NIM-configured, RADIUS-assigned, and statically configured parameters. Using show commands for 802.1X, web or MAC authentication, you can verify which RADIUS-assigned and statically configured parameters are supported and if they are supported on a per-port or per-client basis.

A NIM policy accesses the hpicfUsrProfile MIB through SNMP to perform the following actions:

  • Bind (or unbind) a profile of configured attributes to the MAC address of a client device on an authenticated or unauthenticated port.

  • Configure or unconfigure an untagged VLAN for use in an authenticated or unauthenticated client session.


NOTE: The attribute profile assigned to a client is often a combination of NIM-configured, RADIUS-assigned, and statically configured settings. Precedence is always given to the temporarily applied NIM-configured parameters over RADIUS-assigned and locally configured parameters.


For information on NIM, go to the HP Networking Web site at www.hp.com/solutions.

Arbitrating client-specific attributes

In previous releases, client-specific authentication parameters for 802.1X, Web, and MAC authentication were assigned to a port using different criteria. A RADIUS-assigned parameter is always given highest priority and overrides statically configured local passwords. 802.1X authentication parameters override Web or MAC authentication parameters.

DCA stores three levels of client-specific authentication parameters and prioritizes them according to the following hierarchy of precedence:

  1. NIM access policy (applied through SNMP)

  2. RADIUS-assigned

    1. 802.1X authentication

    2. Web or MAC authentication

  3. Statically (local) configured

Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.

For example, NIM may configure only rate-limiting for a specified client session, while RADIUS-assigned values may include both an untagged VLAN ID and a rate-limiting value to be applied. In this case, DCA applies the NIM-configured rate-limiting value and the RADIUS-assigned VLAN (if there are no other conflicts).

Also, you can assign NIM-configured parameters (for example, VLAN ID assignment or rate-limiting) to be activated in a client session when a threat to network security is detected. When the NIM-configured parameters are later removed, the parameter values in the client session return to the RADIUS-configured or locally configured settings, depending on which are next in the hierarchy of precedence.

In addition, DCA supports conflict resolution for QoS (port-based CoS priority) and ingress rate-limiting by letting you choose either strict or non-strict resolution on a switch-wide basis. For example, if multiple clients authenticate on a port and the rate-limiting assignment of a newly authenticating client conflicts with the rate-limiting values assigned to previous clients, by using Network Immunity you can configure the switch to apply either of the following:

  • Apply only the latest rate-limiting value assigned to all clients.

  • Apply a client-specific rate-limiting configuration to the appropriate client session (overwrites any rate-limit previously configured for other client sessions on the port).
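The following Python model, added here as an illustration and not HP switch code, shows the per-parameter arbitration described above (the NIM rate-limit versus RADIUS VLAN-plus-rate-limit case, and the fallback to the next level when the NIM action is withdrawn) together with the "latest rate-limiting value applied to all clients" option for several client sessions on one port. The class and function names, the parameter names, and the sample MAC addresses are assumptions; the precedence order and the restriction that NIM sets only VLAN and rate-limit values come from the text.

```python
"""Model of how the Dynamic Configuration Arbiter (DCA) picks a value for each
client-specific parameter from several precedence levels.  Added illustration,
not HP switch code; the names used here are assumptions."""
from dataclasses import dataclass, field

# Precedence levels, highest priority first, as the text lists them:
# NIM (via SNMP) > RADIUS via 802.1X > RADIUS via Web/MAC auth > static/local.
LEVELS = ("nim", "dot1x", "webmac", "static")

# Client-specific parameters that DCA arbitrates (names are assumptions).
PARAMS = ("untagged_vlan", "tagged_vlans", "cos", "rate_limit_kbps", "acl")

# Per the NOTE in the text, NIM actions only set VLAN ID assignment and
# rate-limiting; CoS priority and ACLs cannot be assigned by NIM.
NIM_SETTABLE = {"untagged_vlan", "rate_limit_kbps"}


@dataclass
class ClientProfile:
    """Attribute profile bound to one client MAC (one hpicfUsrProfile entry)."""
    mac: str
    layers: dict = field(default_factory=lambda: {lvl: {} for lvl in LEVELS})

    def assign(self, level, **params):
        """Store parameter values contributed by one precedence level."""
        if level not in LEVELS:
            raise ValueError(f"unknown precedence level {level!r}")
        unknown = set(params) - set(PARAMS)
        if unknown:
            raise ValueError(f"unknown parameters {sorted(unknown)}")
        if level == "nim" and not set(params) <= NIM_SETTABLE:
            raise ValueError("NIM cannot assign CoS priority or ACLs")
        self.layers[level].update(params)

    def unassign(self, level, *params):
        """Remove values at one level (e.g. a NIM action being withdrawn)."""
        for name in params:
            self.layers[level].pop(name, None)

    def arbitrate(self):
        """Per parameter, take the value from the highest level that set one.
        Returns {param: (value, winning_level)}; parameters with no value at
        any level are omitted."""
        result = {}
        for name in PARAMS:
            for lvl in LEVELS:
                if name in self.layers[lvl]:
                    result[name] = (self.layers[lvl][name], lvl)
                    break
        return result


def port_rate_limits(sessions, latest_for_all):
    """Resolve the inbound rate limit across several client sessions on one
    port.  'sessions' is ordered oldest authentication first.  With
    latest_for_all=True the most recently assigned value is applied to every
    client on the port (the first option in the text); with False each
    session keeps its own arbitrated value."""
    per_client = {}
    for s in sessions:
        val = s.arbitrate().get("rate_limit_kbps")
        if val is not None:
            per_client[s.mac] = val[0]
    if latest_for_all and per_client:
        newest = list(per_client.values())[-1]
        return {s.mac: newest for s in sessions}
    return per_client


def worked_example():
    """The case from the text: NIM sets only a rate limit while RADIUS (802.1X)
    sets both an untagged VLAN and a rate limit.  Returns the arbitrated
    profile while the NIM action is active and after it is removed."""
    client = ClientProfile(mac="00:11:22:33:44:55")   # constructed sample MAC
    client.assign("static", untagged_vlan=1, cos=0)    # local port defaults
    client.assign("dot1x", untagged_vlan=20, rate_limit_kbps=10000)
    client.assign("nim", rate_limit_kbps=512)          # NIM throttles the client
    during = client.arbitrate()
    client.unassign("nim", "rate_limit_kbps")          # NIM action withdrawn
    after = client.arbitrate()
    return during, after


if __name__ == "__main__":
    during, after = worked_example()
    print("while NIM action active:", during)
    print("after NIM action removed:", after)
```

While the NIM action is active the client gets the NIM rate limit and the RADIUS VLAN; once it is withdrawn the rate limit falls back to the 802.1X value, which is the behaviour the text describes for parameters returning to the next level in the hierarchy.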

For information about how to configure RADIUS-assigned and locally configured authentication settings, see: