Configuring switch ports as 802.1X authenticators

Enable 802.1X authentication on selected ports

This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps:

  1. Enable the selected ports as authenticators.

  2. Specify either user-based or port-based 802.1X authentication.

(Actual 802.1X operation does not commence until you activate 802.1X authentication on the switch.)



NOTE: If you enable 802.1X authentication on a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication.


Enable the selected ports as authenticators and enable the (default) port-based authentication

Syntax:

[no] aaa port-access authenticator <port-list>

Enables specified ports to operate as 802.1X authenticators and enables port-based authentication. (To enable user-based authentication, execute this command first, and then execute the client-limit <port-list> version of this command described in the next section.) The no form of the command removes 802.1X authentication from <port-list>. To activate configured 802.1X operation, you must enable 802.1X authentication. See Enable 802.1X authentication on the switch.

Specify user-based authentication or return to port-based authentication

User-based 802.1X authentication:

Syntax:

aaa port-access authenticator <port-list> client-limit <1-32>

Used after executing aaa port-access authenticator <port-list> to convert authentication from port-based to user-based. Specifies user-based 802.1X authentication and the maximum number of 802.1X-authenticated client sessions allowed on each of the ports in <port-list>. If a port currently has no authenticated client sessions, the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session. If another client session begins later on the same port while an earlier session is active, the later session will be on the same untagged VLAN membership as the earlier session.



NOTE: The client limit is 256 clients per port for MAC-auth and Web-auth; the client limit for 802.1X is 32 clients per port. The MAC-auth and Web-auth limit of 256 clients only applies while there are fewer than 16,384 authentication clients on the entire switch. After the limit of 16,384 clients is reached, no additional authentication clients are allowed on any port for any method.


Port-based 802.1X authentication:

Syntax:

[no] aaa port-access authenticator <port-list> client-limit

Used to convert a port from user-based authentication to port-based authentication, which is the default setting for ports on which authentication is enabled. (Executing aaa port-access authenticator <port-list> enables 802.1X authentication on <port-list> and enables port-based authentication.) If a port currently has no authenticated client sessions, the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session. If another authenticated client session begins later on the same port while an earlier session is active, the later session replaces the currently active session and will be on the untagged VLAN membership specified by the RADIUS server for the later session.

The following example, Configuring user-based 802.1X authentication, enables ports 10-12 to operate as authenticators and then converts them to user-based authentication with a limit of four authenticated client sessions per port.

Configuring user-based 802.1X authentication

HP Switch(config)# aaa port-access authenticator 10-12
HP Switch(config)# aaa port-access authenticator 10-12 client-limit 4

The following example, Configuring port-based 802.1X authentication, enables ports 13-15 to operate as authenticators and then explicitly sets them to port-based authentication. Port-based is already the default for newly enabled authenticator ports, so the second command matters mainly when reverting ports that were previously configured with a client-limit.

Configuring port-based 802.1X authentication

HP Switch(config)# aaa port-access authenticator 13-15
HP Switch(config)# no aaa port-access authenticator 13-15 client-limit
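The difference between the two modes is easiest to see in the VLAN each client session ends up on. The following Python model is an added example, not code from the HP guide or the switch; it implements only the session and untagged-VLAN rules stated above (a later port-based session replaces the active one and takes its own RADIUS VLAN, later user-based sessions share the first session's VLAN, and client-limit caps sessions at 1-32). The MAC addresses and VLAN IDs are made up, and EAP exchanges, timers and tagged VLANs are out of scope.

```python
# Added example, not from the HP guide: a small model of how an authenticator
# port picks its untagged VLAN in port-based (default) versus user-based
# (client-limit) 802.1X mode, following the rules in the text above. It tracks
# only authenticated sessions and the resulting untagged VLAN; EAP exchanges,
# timers and tagged VLANs are out of scope. Names and MAC addresses are made up.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Session:
    mac: str
    radius_vlan: int  # untagged VLAN the RADIUS server assigned to this client


@dataclass
class AuthenticatorPort:
    name: str
    client_limit: Optional[int] = None  # None = port-based; 1..32 = user-based
    sessions: List[Session] = field(default_factory=list)
    untagged_vlan: Optional[int] = None

    def __post_init__(self):
        if self.client_limit is not None and not 1 <= self.client_limit <= 32:
            raise ValueError("802.1X client-limit must be between 1 and 32")

    def admit(self, session: Session) -> Optional[int]:
        """Accept an authenticated client session and return the untagged VLAN it
        lands on, or None if the port refuses it (user-based limit reached)."""
        if self.client_limit is None:
            # Port-based: a later session replaces the active one and the port
            # moves to whatever untagged VLAN RADIUS returned for that session.
            self.sessions = [session]
            self.untagged_vlan = session.radius_vlan
            return self.untagged_vlan
        if len(self.sessions) >= self.client_limit:
            return None
        if not self.sessions:
            # First session on an idle port decides the untagged VLAN.
            self.untagged_vlan = session.radius_vlan
        # Later sessions share the earlier session's untagged VLAN, even when
        # RADIUS returned a different VLAN for them.
        self.sessions.append(session)
        return self.untagged_vlan

    def logoff(self, mac: str) -> None:
        self.sessions = [s for s in self.sessions if s.mac != mac]
        if not self.sessions:
            self.untagged_vlan = None  # the next session decides the VLAN again


def demo() -> dict:
    """Walk both modes through the same two clients; returns the observed state."""
    alice = Session("00:11:22:33:44:55", radius_vlan=10)
    bob = Session("66:77:88:99:aa:bb", radius_vlan=20)  # RADIUS puts bob elsewhere
    port_based = AuthenticatorPort("13")
    user_based = AuthenticatorPort("10", client_limit=2)
    out = {}
    port_based.admit(alice)
    out["port-based after alice"] = (port_based.untagged_vlan, len(port_based.sessions))
    port_based.admit(bob)  # replaces alice; the port follows bob's VLAN
    out["port-based after bob"] = (port_based.untagged_vlan, len(port_based.sessions))
    user_based.admit(alice)
    out["user-based bob lands on"] = user_based.admit(bob)  # shares alice's VLAN 10
    out["user-based third client"] = user_based.admit(Session("cc:dd:ee:ff:00:11", 30))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the model shows the security-relevant asymmetry: in port-based mode a second client silently displaces the first and drags the whole port to its own VLAN, while in user-based mode the port's VLAN is fixed by whoever authenticated first and additional clients are admitted only up to the configured client-limit.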

Reconfigure settings for port-access

The commands in this section are initially set by default and can be reconfigured as needed.

Syntax:

aaa port-access authenticator <port-list>

[control <authorized|auto|unauthorized>]

Controls authentication mode on the specified port:

authorized

Also termed “Force Authorized”. Gives access to a device connected to the port. In this case, the device does not have to provide 802.1X credentials or support 802.1X authentication. (You can still configure console, Telnet, or SSH security on the port.)

auto (the default)

The device connected to the port must support 802.1X authentication and provide valid credentials to get network access. (Optional: You can use the Open VLAN mode to provide a path for clients without 802.1X supplicant software to download this software and begin the authentication process. See 802.1X Open VLAN mode.)

unauthorized

Also termed “Force Unauthorized”. Do not grant access to the network, regardless of whether the device provides the correct credentials and has 802.1X support. In this state, the port blocks access to any connected device.

[quiet-period <0-65535>]

Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails. (Default: 60 seconds)

[tx-period <0-65535>]

Sets the period the port waits to retransmit the next EAPOL PDU during an authentication session. (Default: 30 seconds)

[supplicant-timeout <1-300>]

Sets the period of time the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out. (Default: 30 seconds)

[server-timeout <1-300>]

Sets the period of time the switch waits for a server response to an authentication request. If there is no response within the configured time frame, the switch assumes that the authentication attempt has timed out. Depending on the current max-requests setting, the switch will either send a new request to the server or end the authentication session. (Default: 30 seconds)

[max-requests <1-10>]

Sets the number of authentication attempts that must time-out before authentication fails and the authentication session ends. If you are using the Local authentication option, or are using RADIUS authentication with only one host server, the switch will not start another session until a client tries a new access attempt. If you are using RADIUS authentication with two or three host servers, the switch will open a session with each server, in turn, until authentication occurs or there are no more servers to try. During the quiet-period, if any, you cannot reconfigure this parameter. (Default: 2)

[reauth-period <0-9999999>]

Sets the period of time after which connected clients must be reauthenticated. A value of 0 disables reauthentication. (Default: 0 seconds, that is, disabled)

[unauth-vid <vlan-id>]

Configures an existing static VLAN to be the Unauthorized-Client VLAN. This enables you to provide a path for clients without supplicant software to download the software and begin an authentication session. See 802.1X Open VLAN mode.

[logoff-period <1-999999999>]

Configures the period of time the switch waits for client activity before removing an inactive client from the port. (Default: 300 seconds)

[auth-vid <vid>]

Configures an existing, static VLAN to be the Authorized-Client VLAN. See 802.1X Open VLAN mode.

[unauth-period <0-255>]

Specifies a delay in seconds for placing a port on the Unauthorized-Client VLAN. This delay allows more time for a client with 802.1X supplicant capability to initiate an authentication session. If a connected client does not initiate a session before the timer expires, the port is assigned to the Unauthorized-Client VLAN. (Default: 0 seconds)

Configure the 802.1X authentication method

This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator.

You can configure local, chap-radius or eap-radius as the primary password authentication method for the port-access method. You also need to select none or authorized as a secondary, or backup, method.

Syntax:

aaa authentication port-access <chap-radius|eap-radius|local>

Configures local, chap-radius or eap-radius as the primary password authentication method for port-access. The default primary authentication is local. (See the documentation for your RADIUS server application.)

For switches covered in this guide, you must use the password port-access command to configure the operator username and password for 802.1X access.

[<none|authorized>]

Provides options for secondary authentication. The none option specifies that a backup authentication method is not used. The authorized option allows access without authentication when the primary method cannot complete (for example, when no configured RADIUS server answers), so it fails open; keep the default of none unless availability must win over access control on those ports. (Default: none)

To enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers, configure eap-radius as the primary port-access method (the Configuring 802.1X controlled directions example later in this section shows the command in context) and then add the RADIUS servers as described next.

Enter the RADIUS host IP address(es)

If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, see RADIUS Authentication, Authorization, and Accounting.

Syntax:

radius host <ip-address> [oobm]

Adds a server to the RADIUS configuration.

The oobm option specifies that the RADIUS traffic will go through the out-of-band management (OOBM) port.

[key <server-specific key-string>]

Optional. Specifies a server-specific key (the RADIUS shared secret, which this guide calls an encryption key) for use during authentication (or accounting) sessions with the specified server. This key must match the key used on the RADIUS server; because a mismatch makes every reply fail validation, it presents as server timeouts rather than as explicit rejections. Use this option only if the specified server requires a different key than the one configured as the global encryption key. The tilde (~) character is allowed in the string. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.

Syntax:

radius-server key <global key-string>

Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server-specific key. This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. The tilde (~) character is allowed in the string, for example, radius-server key hp~switch. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.

Default: Null

The no form of the command removes the global encryption key.
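What the shared key protects is easy to misread from the name "encryption key": RADIUS does not encrypt the exchange with it, it authenticates packets with it. The following Python script is an added example, not code from the HP guide or from any RADIUS implementation. It builds the Access-Request a switch sends for an EAP client, has a simulated server answer it, and has the switch validate the reply, first with the same secret on both sides (hp~switch, from the radius-server key example above) and then with the tilde missing on one side, as happens when a firmware version drops the “~”. Packet layouts follow RFC 2865 and RFC 2869; the identifier, secrets and EAP payload are constructed for the demonstration.

```python
# Added example, not from the HP guide: a minimal RADIUS Access-Request /
# Access-Accept round trip showing what the shared key (the guide's "encryption
# key") actually protects: the MD5 Response Authenticator (RFC 2865) and the
# HMAC-MD5 Message-Authenticator (RFC 2869) that EAP-Message exchanges require.
# Secrets, the identifier and the EAP payload are constructed for the demo.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return out


def decode_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def message_authenticator(code, ident, request_auth, attrs, secret):
    # HMAC-MD5 over the packet with the Message-Authenticator value zeroed.
    # Replies are keyed over the Request Authenticator of the matching request.
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    data = HEADER.pack(code, ident, 20 + len(body)) + request_auth + body
    return hmac.new(secret, data, hashlib.md5).digest()


def build_access_request(ident, request_auth, user, eap_payload, secret):
    """Switch side: forward the supplicant's EAP message to the server."""
    attrs = [(USER_NAME, user), (EAP_MESSAGE, eap_payload), (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: sign the reply with the server's copy of the secret."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    header = HEADER.pack(code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(packet, ident, request_auth, secret):
    """Switch side: return the reply code (2 Accept, 3 Reject) only if identifier,
    Response Authenticator and Message-Authenticator all verify; None = drop it."""
    if len(packet) < 20:
        return None
    code, pkt_ident, length = HEADER.unpack(packet[:4])
    if pkt_ident != ident or length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    try:
        attrs = decode_attrs(body)
    except ValueError:
        return None
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return None  # EAP replies must carry exactly one Message-Authenticator
    if not hmac.compare_digest(message_authenticator(code, ident, request_auth, attrs, secret), macs[0]):
        return None
    return code


def exchange(switch_secret, server_secret, server_code=ACCESS_ACCEPT):
    """One round trip. Pass different secrets to simulate a key mismatch."""
    ident, request_auth = 7, os.urandom(16)
    eap_identity = b"\x02\x01\x00\x0a\x01alice"  # constructed EAP Response/Identity "alice"
    request = build_access_request(ident, request_auth, b"alice", eap_identity, switch_secret)
    # The server validates the request's Message-Authenticator with its own key first.
    req_attrs = decode_attrs(request[20:])
    req_mac = next(v for t, v in req_attrs if t == MESSAGE_AUTHENTICATOR)
    if not hmac.compare_digest(message_authenticator(ACCESS_REQUEST, ident, request_auth, req_attrs, server_secret), req_mac):
        return None  # server drops the request; the switch only ever sees a timeout
    reply = build_response(server_code, ident, request_auth, [(USER_NAME, b"alice")], server_secret)
    return verify_response(reply, ident, request_auth, switch_secret)


if __name__ == "__main__":
    print("matching keys:", exchange(b"hp~switch", b"hp~switch"))  # 2 (Access-Accept)
    print("'~' dropped  :", exchange(b"hp~switch", b"hpswitch"))   # None
```

The mismatched run never produces an Access-Reject: the server discards a request whose Message-Authenticator it cannot verify, and the switch would likewise discard any reply whose authenticators do not verify, which is why a wrong key (or a tilde lost across a firmware downgrade) shows up as server-timeout and max-requests exhaustion rather than as a clear failure. Note also that both checks use MD5 and HMAC-MD5 by specification; the shared secret must therefore be long and random, since nothing else stands between an on-path attacker and the RADIUS exchange unless it is carried over a protected path such as the OOBM network.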

Enable 802.1X authentication on the switch

After configuring 802.1X authentication as described in the preceding four sections, activate it with this command:

Syntax:

aaa port-access authenticator active

Activates 802.1X port-access on ports you have configured as authenticators.

Reset authenticator operation (optional)

While 802.1X authentication is operating, you can use the following aaa port-access authenticator commands to reset 802.1X authentication and statistics on specified ports.

Syntax:

aaa port-access authenticator <port-list>

[initialize]

On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process. This happens only on ports configured with control auto and actively operating as 802.1X authenticators.

[reauthenticate]

On the specified ports, forces reauthentication (unless the authenticator is in “HELD” state).

[clear-statistics]

On the specified ports, clears authenticator statistics counters.

Configure 802.1X controlled direction (optional)

After you enable 802.1X authentication on specified ports, you can use the aaa port-access controlled-direction command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.

As documented in the IEEE 802.1X standard, an 802.1X-aware port that is unauthenticated can control traffic in either of the following ways:

  • In both ingress and egress directions by disabling both the reception of incoming frames and transmission of outgoing frames

  • Only in the ingress direction by disabling only the reception of incoming frames.

Prerequisite:

As documented in the IEEE 802.1X standard, blocking only incoming traffic while still transmitting outgoing traffic on an 802.1X-aware port in an unauthenticated state (the aaa port-access controlled-direction in setting) is supported only if:

  • The port is configured as an edge port in the network using the spanning-tree edge-port command.

  • The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.

For information on how to configure the prerequisites for using the aaa port-access controlled-direction in command, see “Multiple Instance Spanning-Tree Operation” in the Advanced Traffic Management Guide.

Syntax:

aaa port-access <port-list> controlled-direction <both|in>

both (default): Incoming and outgoing traffic is blocked on an 802.1X-aware port before authentication occurs.

in: Incoming traffic is blocked on an 802.1X-aware port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated 802.1X-aware ports.

Wake-on-LAN Traffic

The Wake-on-LAN feature is used by network administrators to remotely power on a sleeping workstation (for example, during early morning hours to perform routine maintenance operations, such as patch management and software updates).

The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on an 802.1X-aware egress port that has not yet transitioned to the 802.1X authenticated state; the controlled-direction both setting prevents Wake-on-LAN traffic from being transmitted on an 802.1X-aware egress port until authentication occurs.



NOTE: Although the controlled-direction in setting allows Wake-on-LAN traffic to traverse the switch through unauthenticated 802.1X-aware egress ports, it does not guarantee that the Wake-on-LAN packets will arrive at their destination. For example, firewall rules on other network devices and VLAN rules may prevent these packets from traversing the network.


Operating notes

  • Using the aaa port-access controlled-direction in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features:

    • 802.1X authentication

    • MAC authentication

    • Web authentication

    Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-direction command is applied to all authentication methods configured on the switch. See Web and MAC Authentication.

  • To display the currently configured 802.1X Controlled Direction value, enter the show port-access authenticator config command.

  • When an 802.1X-authenticated port is configured with the controlled-direction in setting, eavesdrop prevention is not supported on the port, so the flooded unknown-destination traffic described above is visible to a device that has not yet authenticated.

Configuring 802.1X controlled directions shows how to enable the transmission of Wake-on-LAN traffic in the egress direction on an 802.1X-aware port before it transitions to the 802.1X authenticated state and successfully authenticates a client device.

Configuring 802.1X controlled directions

HP Switch(config)# aaa port-access authenticator a10
HP Switch(config)# aaa authentication port-access eap-radius
HP Switch(config)# aaa port-access authenticator active
HP Switch(config)# aaa port-access a10 controlled-direction in

Unauthenticated VLAN access (guest VLAN access)

When a PC is connected through an IP phone to a switch port that has been authorized using 802.1X or Web/MAC authentication, the IP phone is authenticated using client-based 802.1X or Web/MAC authentication and has access to secure, tagged VLANs on the port. If the PC is unauthenticated, it needs to have access to the insecure guest VLAN (unauthenticated VLAN) that has been configured for 802.1X or Web/MAC authentication. 802.1X and Web/MAC authentication normally do not allow authenticated clients (the phone) and unauthenticated clients (the PC) on the same port.

Mixed port access mode allows 802.1X and Web/MAC authenticated and unauthenticated clients on the same port when the guest VLAN is the same as the port’s current untagged authenticated VLAN for authenticated clients, or when none of the authenticated clients are authorized on the untagged authenticated VLAN. Instead of having just one client per port, multiple clients can use the guest VLAN.

Authenticated clients always have precedence over guests (unauthenticated clients) if access to a client’s untagged VLAN requires removal of a guest VLAN from the port. If an authenticated client becomes authorized on its untagged VLAN as the result of initial authentication or because of an untagged packet from the client, then all 802.1X or Web/MAC authenticated guests are removed from the port and the port becomes an untagged member of the client’s untagged VLAN.

Characteristics of mixed port access mode

  • The port keeps tagged VLAN assignments continuously.

  • The port sends broadcast traffic from the VLANs even when there are only guests authorized on the port.

  • Guests cannot be authorized on any tagged VLANs.

  • Guests can use the same bandwidth, rate limits and QoS settings that may be assigned for authenticated clients on the port (via RADIUS attributes).

  • When no authenticated clients are authorized on the untagged authenticated VLAN, the port becomes an untagged member of the guest VLAN for as long as no untagged packets are received from any authenticated clients on the port.

  • New guest authorizations are not allowed on the port if at least one authenticated client is authorized on its untagged VLAN and the guest VLAN is not the same as the authenticated client’s untagged VLAN.



NOTE: If you disable mixed port access mode, this does not automatically remove guests that have already been authorized on a port where an authenticated client exists. New guests are not allowed after the change, but the existing authorized guests will still be authorized on the port until they are removed by a new authentication, an untagged authorization, a port state change, and so on.


Configuring mixed port access mode

Syntax:

[no] aaa port-access <port-list> mixed

Enables or disables guests on ports with authenticated clients.

Default: Disabled; guests do not have access

Configuring mixed port access mode

HP Switch(config)# aaa port-access 6 mixed