Configuring web-based authentication

Overview

  1. If you have not already done so, configure a local username and password pair on the switch.

  2. Identify or create a redirect URL for use by authenticated clients. HP recommends that you provide a redirect URL when using web authentication. If a redirect URL is not specified, web browser behavior following authentication may not be acceptable.

  3. If you plan to use multiple VLANs with web authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made. Confirm that the VLAN used by authorized clients can access the redirect URL.

  4. From the switch console, ping the RADIUS server to ensure that the switch can reach the server you have configured to support web-based authentication on the switch.

  5. Configure the switch with the correct IP address and encryption key to access the RADIUS server.

  6. (Optional) To use SSL encryption for web-based authentication login, configure and enable SSL on the switch.

  7. Enable web-based authentication on the switch ports you want to use.

  8. Configure the optional settings that you want to use for web-based authentication; for example:

    • To avoid address conflicts in a secure network, configure the base IP address and mask to be used by the switch for temporary DHCP addresses. You can also set the lease length for these temporary IP addresses.

    • To use SSL encryption for web-based authentication login, configure the SSL option.

    • To redirect authorized clients to a specified URL, configure the Redirect URL option.

  9. Configure how web-based authenticator ports transmit traffic before they successfully authenticate a client and enter the authenticated state:

    • You can block incoming and outgoing traffic on a port before authentication occurs.

    • You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web-based authentication. For example, Wake-on-LAN traffic is transmitted on a web-based authenticated egress port that has not yet transitioned to the authenticated state.

  10. Test both authorized and unauthorized access to your system to ensure that web authentication works properly on the ports you have configured for port-access using web authentication.


NOTE: Client web browsers cannot use a proxy server to access the network.
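
The ten steps above as a worked example. The Python helper below is added here and is not part of the HP documentation: it assembles the CLI lines for steps 7 through 9 from a few parameters, following the command syntax given later on this page, and rejects values outside the ranges the page documents (client-limit 1-256, dhcp-lease 5-25, a dhcp-addr mask between 255.255.240.0 and 255.255.255.0, a redirect URL longer than the 103 characters the command actually keeps, and controlled-direction in without the spanning-tree edge-port prerequisite). Steps 1, 5 and 6 (local credentials, RADIUS server address and key, SSL) have no syntax on this page and are left to the operator. The port list 1-4, VLAN 100 and the welcome URL are constructed sample values.

```python
"""Assemble HP switch CLI commands for web-based authentication, with range checks.

Added example; not from the HP documentation. Command syntax follows the
"Configuration commands for web-based authentication" section of this page.
"""
import ipaddress

# The page notes that redirect-url keeps only the first 103 of the allowed 127
# characters; a silently truncated URL is a broken redirect, so reject it up front.
MAX_REDIRECT_URL_LEN = 103


def _check_range(name, value, lo, hi):
    if not lo <= int(value) <= hi:
        raise ValueError(f"{name} must be {lo}-{hi}, got {value}")


def web_auth_commands(port_list, *, client_limit=1, auth_vid=0, redirect_url=None,
                      controlled_direction="both", dhcp_addr="192.168.0.0/255.255.255.0",
                      dhcp_lease=10, logoff_period=300, reauth_period=300,
                      stp_edge_port_configured=False):
    """Return the CLI lines for one group of web-based authentication ports.

    Ranges and defaults are the ones documented on this page. auth_vid 0 means
    "no VLAN change unless RADIUS supplies one" and is therefore not emitted.
    """
    _check_range("client-limit", client_limit, 1, 256)
    _check_range("auth-vid", auth_vid, 0, 4094)          # 802.1Q VLAN ID range
    _check_range("dhcp-lease", dhcp_lease, 5, 25)
    _check_range("logoff-period", logoff_period, 60, 9999999)
    _check_range("reauth-period", reauth_period, 0, 9999999)

    base, _, mask = dhcp_addr.partition("/")
    if ipaddress.IPv4Address(base).is_multicast:
        raise ValueError("dhcp-addr base must not be a multicast address")
    # IPv4Network validates the dotted mask and yields its prefix length;
    # 255.255.240.0 is /20 and 255.255.255.0 is /24 (the page's allowed range).
    net = ipaddress.IPv4Network((base, mask), strict=False)
    if not 20 <= net.prefixlen <= 24:
        raise ValueError("dhcp-addr mask must be between 255.255.240.0 and 255.255.255.0")

    if controlled_direction not in ("both", "in"):
        raise ValueError("controlled-direction must be 'both' or 'in'")
    if controlled_direction == "in" and not stp_edge_port_configured:
        # Page prerequisite: MSTP or RSTP enabled and the port set as an edge port.
        raise ValueError("controlled-direction in requires MSTP/RSTP and an "
                         "edge-port configuration on the port")

    if redirect_url is not None:
        if not redirect_url.startswith(("http://", "https://")):
            raise ValueError("redirect-url must be a fully formed URL")
        if len(redirect_url) > MAX_REDIRECT_URL_LEN:
            raise ValueError(f"redirect-url longer than {MAX_REDIRECT_URL_LEN} characters "
                             "would be truncated by the switch")

    cmds = [
        # The temporary DHCP pool for the login page is global, not per port.
        f"aaa port-access web-based dhcp-addr {base}/{net.netmask}",
        f"aaa port-access web-based dhcp-lease {dhcp_lease}",
        # Enable first (step 7), then the per-port options (steps 8 and 9).
        f"aaa port-access web-based {port_list}",
        f"aaa port-access web-based {port_list} client-limit {client_limit}",
        f"aaa port-access web-based {port_list} logoff-period {logoff_period}",
        f"aaa port-access web-based {port_list} reauth-period {reauth_period}",
        f"aaa port-access {port_list} controlled-direction {controlled_direction}",
    ]
    if auth_vid:
        cmds.append(f"aaa port-access web-based {port_list} auth-vid {auth_vid}")
    if redirect_url is not None:
        cmds.append(f"aaa port-access web-based {port_list} redirect-url {redirect_url}")
    return cmds


if __name__ == "__main__":
    # Constructed sample values: ports 1-4, authorized VLAN 100, a welcome page.
    for line in web_auth_commands("1-4", auth_vid=100,
                                  redirect_url="http://welcome-server/welcome.htm"):
        print(line)
```

Paste the printed lines into the switch's configuration context after the RADIUS server and local credentials are in place, then confirm the result with show port-access web-based config before testing authorized and unauthorized access (step 10).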


Configuration commands for web-based authentication

Controlled directions

Syntax:

aaa port-access <port-list> [controlled-direction <both|in> mixed-mode|port-speed-vsa|mbv <enable|disable>]

After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-direction command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.

both: (Default) Incoming and outgoing traffic is blocked on a port configured for web-based authentication before authentication occurs.

in: Incoming traffic is blocked on a port configured for web-based authentication before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web-based authentication.

mixed-mode: Set if unauthenticated and authenticated users are allowed on the same port.

port-speed-vsa: Determines whether the HP port-speed RADIUS VSA (vendor-specific attribute) is accepted and applied on a port.

mbv <enable|disable>: Allows configuration of MBV (MAC-based VLANs) on a port. MBV allows multiple clients on different untagged VLANs to authenticate on the same port.

Prerequisites:

As with 802.1X authentication, blocking incoming traffic while still transmitting outgoing traffic on a web-based authenticated egress port in the unauthenticated state (the aaa port-access controlled-direction in setting) is supported only if 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.

The port must be configured as an edge port in the network using the spanning-tree edge-port command.

Notes:
  • For information on how to configure the prerequisites for using the aaa port-access controlled-direction in command, see “Multiple instance spanning-tree operation” in the Advanced Traffic Management Guide for your switch.

  • To display the currently configured controlled direction value for web-based authenticated ports, enter the show port-access web-based config command.

  • The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on a web-based authenticated egress port that has not yet transitioned to the authenticated state; the controlled-direction both setting prevents Wake-on-LAN traffic from being transmitted on a web-based authenticated egress port until authentication occurs.

    The Wake-on-LAN feature is used by network administrators to remotely power on a sleeping workstation (for example, during early morning hours to perform routine maintenance operations, such as patch management and software updates).

  • Using the aaa port-access controlled-direction in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features:

    • 802.1X authentication

    • MAC authentication

    • Web-based authentication

    Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-direction command is applied to all authentication methods configured on the switch.

    For information about how to configure and use 802.1X authentication, see Configuring Port and User-Based Access Control (802.1X).

  • When a web-based authenticated port is configured with the controlled-direction in setting, eavesdrop prevention is not supported on the port.

Enabling or disabling web-based authentication

Syntax:

[no] aaa port-access web-based <port-list>

Enables web-based authentication on the specified ports. Use the no form of the command to disable web-based authentication on the specified ports.

Specifying the VLAN

Syntax:

aaa port-access web-based <port-list> [auth-vid <vid>]

[no] aaa port-access web-based <port-list> [auth-vid <vid>]

Specifies the VLAN to use for an authorized client. The RADIUS server can override this value if its Access-Accept response includes a VLAN ID. If auth-vid is 0, no VLAN change occurs unless the RADIUS server supplies one.

Use the [no] form of the command to set the auth-vid to 0. (Default: 0)

Maximum authenticated clients

Syntax:

aaa port-access web-based <port-list> [client-limit <1-256>]

Specifies the maximum number of authenticated clients to allow on the port. (Default: 1)


NOTE: On switches where web-based authentication and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods. The per-port limit of 256 clients applies only while there are fewer than 16,384 authenticated clients on the entire switch. After the switch-wide limit of 16,384 clients is reached, no additional clients are authenticated on any port by any method.


Specifying the base address

Syntax:

aaa port-access web-based [dhcp-addr <ip-address/mask>]

Specifies the base address/mask for the temporary IP pool used by DHCP. The base address can be any valid IP address (not a multicast address). Valid mask range value is <255.255.240.0 - 255.255.255.0>. (Default: 192.168.0.0/255.255.255.0)

Specifying the lease length

Syntax:

aaa port-access web-based [dhcp-lease <5-25>]

Specifies the lease length, in seconds, of the temporary IP address issued for Web-Auth login purposes. (Default: 10 seconds)

Specifying the period

Syntax:

aaa port-access web-based <port-list> [logoff-period <60-9999999>]

Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre-authentication state. (Default: 300 seconds)

Specifying the number of authentication attempts

Syntax:

aaa port-access web-based <port-list> [max-requests <1-10>]

Specifies the number of authentication attempts that must time out before authentication fails. (Default: 2)

Specifying maximum retries

Syntax:

aaa port-access web-based <port-list> [max-retries <1-10>]

Specifies the number of times a client can enter a user name and password before authentication fails. This allows the user name and password to be re-entered if necessary. (Default: 3)

Specifying the time period

Syntax:

aaa port-access web-based <port-list> [quiet-period <1-65535>]

Specifies the time period (in seconds) the switch uses before sending an authentication request for a client that failed authentication. (Default: 60 seconds)

Specifying the re-authentication period

Syntax:

aaa port-access web-based <port-list> [reauth-period <0-9999999>]

Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default: 300 seconds)

Specifying a forced reauthentication

Syntax:

aaa port-access web-based <port-list> [reauthenticate]

Forces a re-authentication of all attached clients on the port.

Specifying the URL

Syntax:

aaa port-access web-based <port-list> [redirect-url <url>]

[no] aaa port-access web-based <port-list> [redirect-url]

Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL can be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. HP recommends that you provide a redirect URL when using web authentication.


NOTE: The redirect-url command accepts only the first 103 characters of the allowed 127 characters.


Use the [no] form of the command to remove a specified redirect URL.

(Default: There is no default URL. Without a redirect URL, browser behavior for authenticated clients may not be acceptable.)

Specifying the timeout

Syntax:

aaa port-access web-based <port-list> [server-timeout <1-300>]

Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depending on the current max-requests value, the switch sends a new attempt or ends the authentication session. (Default: 30 seconds)

Show commands for web-based authentication

Syntax:

show port-access web-based [ port-list ]

Displays the status of all ports or specified ports that are enabled for web-based authentication. The information displayed for each port includes:

  • Number of authorized and unauthorized clients.

  • VLAN ID number of the untagged VLAN used. If the switch supports MAC-based (untagged) VLANs, MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions.

  • If tagged VLANs (statically configured or RADIUS-assigned) are used (Yes or No.)

  • If client-specific per-port CoS (Class of Service) values are configured (Yes or No) or the numerical value of the CoS (802.1p priority) applied to all inbound traffic. For client-specific per-port CoS values, enter the show port-access web-based clients detailed command.

  • If per-port rate-limiting for inbound traffic is applied (Yes or No) or the percentage value of the port's available bandwidth applied as a rate-limit value.

  • If RADIUS-assigned ACLs are applied.

Information on ports not enabled for web authentication is not displayed.

Output for the show port-access web-based command

Switch (config)# show port-access web-based

 Port Access Web-Based Status

      Auth     Unauth   Untagged Tagged Port     % In   RADIUS
Port  Clients  Clients  VLAN     VLANs  COS      Limit  ACL
----- -------- -------- -------- ------ -------- ------ ------
1     1        1        4006     Yes    70000000 100    Yes
2     2        0        MACbased No     Yes      Yes    Yes
3     4        0        1        Yes    No       No     No

Syntax:

show port-access web-based clients [ port-list ]

Displays the session status, name, and address for each web-authenticated client on the switch. The IP address displayed is taken from the DHCP binding table, which is learned through DHCP snooping.

If DHCP snooping is not enabled on the switch, n/a (not available) is displayed for a client’s IP address.

If a web-authenticated client uses an IPv6 address, n/a - IPv6 is displayed.

If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed.

Output for the show port-access web-based clients command

HP Switch (config)# show port-access web-based clients

 Port Access Web-Based Client Status

Port  Client Name  MAC Address   IP Address      Session Status
----- ------------ ------------- --------------- -------------
1     webuser1     0010b5-891a9e 192.192.192.192 Authenticated
1     webuser2     001560-b3ea48 n/a - no info   Authenticating
1     webuser3     000000-111111 n/a - IPv6      Authenticating
3     webuser4     000000-111112 n/a             Authenticating

Syntax:

show port-access web-based clients <port-list> detailed

Displays detailed information on the status of web-based authenticated client sessions on specified switch ports.

For HP Switch 2620, 2910al, and 2920-series:

This syntax shows session status, name, and address for each web-based authenticated client on the switch. The IP address displayed is taken from the DHCP binding table, learned through DHCP snooping. The following can appear if the client's IP address is not available:

n/a — DHCP snooping is not enabled on the switch; n/a is displayed for a client's IP address.

n/a-IPv6 — a web-based authenticated client uses an IPv6 address.

n/a-no info — DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table.

Output for the show port-access web-based clients detailed command

HP Switch (config)# show port-access web-based clients 1 detailed

 Port Access Web-Based Client Status Detailed

  Client Base Details :
   Port           : 1
   Session Status : authenticated  Session Time(sec) : 6
   Username       : webuser1       MAC Address       : 0010b5-891a9e
   IP             : n/a

 Access Policy Details :
  COS Map        : 11111111        In Limit %        : 98
  Untagged VLAN  : 4006            Out Limit %       : 100
  Tagged VLANs   : 1, 3, 5, 6, 334, 2566
  RADIUS-ACL List :
    deny in udp from any to 10.2.8.233 CNT
       Hit Count: 0
    permit in udp from any to 10.2.8.233 CNT
       Hit Count: 0
    deny in tcp from any to 10.2.8.233 CNT
       Hit Count: 0
    permit in tcp from any to 10.2.8.233 CNT
       Hit Count: 0
    permit in tcp from any to 0.0.0.0/0 CNT
       Hit Count: 0

Syntax:

show port-access web-based config [ port-list ]

Displays the currently configured web-based authentication settings for all switch ports or specified ports, including:

  • Temporary DHCP base address and mask.

  • Support for RADIUS-assigned dynamic VLANs (Yes or No).

  • Controlled direction setting for transmitting Wake-on-LAN traffic on egress ports.

  • Authorized and unauthorized VLAN IDs.

If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS-assigned value.

Output for the show port-access web-based config command

HP Switch (config)# show port-access web-based config

Port Access Web-Based Configuration

 DHCP Base Address : 192.168.0.0
 DHCP Subnet Mask  : 255.255.255.0
 DHCP Lease Length : 10
 Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
 Access Denied Message  : System Default

               Client Client Logoff  Re-Auth Unauth   Auth     Cntrl
Port  Enabled  Limit  Moves  Period  Period  VLAN ID  VLAN ID  Dir
----- -------- ------ ------ ------- ------- -------- -------- -----
1     Yes      1      No     300     0       0        0        both
2     Yes      1      No     300     0       0        0        in

Syntax:

show port-access web-based config <port-list> detailed

Displays more detailed information on the currently configured web-based authentication settings for specified ports.

Output for the show port-access web-based config detailed command

Switch (config)# show port-access web-based config 1 detailed

 Port Access Web-Based Detailed Configuration

  Port           : 1        Web-based enabled : Yes
  Client Limit   : 1        Client Moves      : No
  Logoff Period  : 300      Re-Auth Period    : 0
  
  Unauth VLAN ID : 0        Auth VLAN ID      : 0
  
  Max Requests   : 3        Quiet Period      : 60
  Server Timeout : 30
  
  Max Retries    : 3        SSL Enabled       : No
  Redirect URL :
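
The two outputs above, read as an audit. The Python below is added here and is not part of the HP documentation: it parses the per-port table of show port-access web-based config and the label/value pairs of the detailed view, then flags the settings this page calls out as security-relevant: controlled-direction in (outgoing traffic with unknown destination addresses is flooded before authentication, and eavesdrop prevention is not supported), reauth-period 0 (re-authentication disabled), SSL disabled for the login page, and a missing redirect URL. The embedded sample text is copied from the page's example output; the wording of each finding is the audit's own.

```python
"""Audit 'show port-access web-based config' output for weak settings.

Added example, not part of the HP documentation. The sample output below is
the page's own example output, embedded so the audit runs offline.
"""
import re

SAMPLE_CONFIG = """\
Port Access Web-Based Configuration

 DHCP Base Address : 192.168.0.0
 DHCP Subnet Mask  : 255.255.255.0
 DHCP Lease Length : 10
 Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
 Access Denied Message  : System Default

               Client Client Logoff  Re-Auth Unauth   Auth     Cntrl
Port  Enabled  Limit  Moves  Period  Period  VLAN ID  VLAN ID  Dir
----- -------- ------ ------ ------- ------- -------- -------- -----
1     Yes      1      No     300     0       0        0        both
2     Yes      1      No     300     0       0        0        in
"""

SAMPLE_DETAILED = """\
 Port Access Web-Based Detailed Configuration

  Port           : 1        Web-based enabled : Yes
  Client Limit   : 1        Client Moves      : No
  Logoff Period  : 300      Re-Auth Period    : 0

  Unauth VLAN ID : 0        Auth VLAN ID      : 0

  Max Requests   : 3        Quiet Period      : 60
  Server Timeout : 30

  Max Retries    : 3        SSL Enabled       : No
  Redirect URL :
"""

# One table row: port, enabled, client limit, client moves, logoff period,
# re-auth period, unauth VLAN, auth VLAN, controlled direction.
ROW_RE = re.compile(r"^\s*(\d+)\s+(Yes|No)\s+(\d+)\s+(Yes|No)\s+(\d+)\s+(\d+)"
                    r"\s+(\d+)\s+(\d+)\s+(both|in)\s*$")

# "Label : value" pairs, up to two per line in the detailed view. The value may
# be empty, as in the page's unset "Redirect URL :" line.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s*(\S*)")


def parse_config_table(text):
    """Return {port: settings} parsed from the per-port table."""
    ports = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            port, enabled, limit, moves, logoff, reauth, unauth_vid, auth_vid, direction = m.groups()
            ports[port] = {"enabled": enabled == "Yes", "client_limit": int(limit),
                           "client_moves": moves == "Yes", "logoff_period": int(logoff),
                           "reauth_period": int(reauth), "unauth_vid": int(unauth_vid),
                           "auth_vid": int(auth_vid), "controlled_direction": direction}
    return ports


def parse_detailed(text):
    """Return {label: value} parsed from 'show ... config <port> detailed' output."""
    return {k: v for line in text.splitlines() for k, v in PAIR_RE.findall(line)}


def audit(ports, detailed_by_port):
    """Return (port, finding) tuples for enabled ports whose settings weaken the control."""
    findings = []
    for port in sorted(ports, key=int):
        cfg = ports[port]
        if not cfg["enabled"]:
            continue
        if cfg["controlled_direction"] == "in":
            findings.append((port, "controlled-direction in: unknown-destination egress traffic "
                                   "is flooded before authentication; eavesdrop prevention is "
                                   "not supported on this port"))
        if cfg["reauth_period"] == 0:
            findings.append((port, "reauth-period 0: clients are never re-authenticated"))
        det = detailed_by_port.get(port, {})
        if det.get("SSL Enabled") == "No":
            findings.append((port, "SSL disabled: the web login page is not SSL-protected"))
        if "Redirect URL" in det and det["Redirect URL"] == "":
            findings.append((port, "no redirect-url: post-login browser behavior is undefined"))
    return findings


def run_sample():
    """Audit the page's sample output; the detailed view covers port 1 only."""
    ports = parse_config_table(SAMPLE_CONFIG)
    det = parse_detailed(SAMPLE_DETAILED)
    return audit(ports, {det["Port"]: det})


if __name__ == "__main__":
    for port, msg in run_sample():
        print(f"port {port}: {msg}")
```

On the page's sample the audit reports five findings: port 1 has re-authentication disabled, SSL off and no redirect URL; port 2 has re-authentication disabled and uses controlled-direction in. Feed it captured output from several switches to find ports that drifted from the intended policy.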

Syntax:

show port-access web-based config [port-list] auth-server

Displays the currently configured web authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as:

  • Timeout waiting period.

  • Number of timeouts supported before authentication login fails.

  • Length of time (quiet period) supported between authentication login attempts.

Output for the show port-access web-based config auth-server command

Switch (config)# show port-access web-based config auth-server

Port Access Web-Based Configuration

                Client Client Logoff  Re-Auth  Max  Quiet   Server
 Port  Enabled  Limit  Moves  Period  Period   Req  Period  Timeout
 ----- -------- ------ ------ ------- -------- ---- ------- --------
 1     Yes      1      No     300     0        3    60      30
 2     No       1      No     300     0        3    60      30
 ...

Syntax:

show port-access web-based config [port-list] web-server

Displays the currently configured Web Authentication settings for all ports or specified ports, including web-specific settings for password retries, SSL login status, and a redirect URL, if specified.