Setup procedure for web-based/MAC authentication
Before you configure web-based/MAC authentication, follow these guidelines:
Configure a local username and password on the switch for both the operator (login) and manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, Hewlett Packard Enterprise recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)
Determine the switch ports that you want to configure as authenticators. Note that before you configure web-based or MAC authentication on a port operating in an LACP trunk, you must remove the port from the trunk.
To display the current configuration of 802.1X, web-based, and MAC authentication on all switch ports, enter the
show port-access config
command.Output for the show port-access config command
HP Switch (config)# show port-access config Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Supplicant Authenticator Web-Auth Mac-Auth LMA-Auth Ctrl Mixed Speed Port Enabled Enabled Enabled Enabled Enabled Dir Mode VSA MBV ---- --------- ------------ -------- -------- -------- ----- ---- ---- --- C1 No Yes No No No In No Yes Yes C2 No Yes No No No Both Yes Yes Yes C3 No Yes No No No Both No No Yes C4 No Yes No No Yes Both No Yes Yes ...
Determine whether any VLAN assignments are needed for authenticated clients.
If you configure the RADIUS server to assign a VLAN for an authenticated client, this assignment overrides any VLAN assignments configured on the switch while the authenticated client session remains active. The VLAN must be statically configured on the switch.
If there is no RADIUS-assigned VLAN, the port can join an “Authorized VLAN” for the duration of the client session. This must be a port-based, statically configured VLAN on the switch.
If there is neither a RADIUS-assigned VLAN or an “authorized VLAN” for an authenticated client session on a port, the port’s VLAN membership remains unchanged during authenticated client sessions. Configure the port for the VLAN in which you want it to operate during client sessions.
NOTE: When configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN.
For clients that the RADIUS server does not authenticate, determine whether to use the optional “unauthorized VLAN” mode. This VLAN must be statically configured on the switch. If you do not configure an “unauthorized VLAN”, the switch simply blocks access to unauthenticated clients trying to use the port.
Determine the authentication policy you want on the RADIUS server and configure the server. Based on your switches RADIUS application information, include the following in the policy for each client or client device:
The CHAP-RADIUS authentication method
An encryption key
One of the following:
Include the user name and password for each authorized client if you are configuring web-based authentication.
Enter the device MAC address in both the username and password fields of the RADIUS policy configuration for that device if you are configuring MAC authentication. To allow a particular device to receive authentication only through a designated port and switch, include this in your policy.
Determine the IP address of the RADIUS server(s) you choose to support web-based or MAC authentication.
Configuring the RADIUS server to support MAC authentication
On the RADIUS server, configure the client device authentication in the same way that you would any other client, except:
Configure the client device’s (hexadecimal) MAC address as both username and password. Be careful to configure the switch to use the same format that the RADIUS server uses. Otherwise, the server will deny access. The switch provides four format options:
aabbccddeeff (the default format)
aabbcc-ddeeff
aa-bb-cc-dd-ee-ff
aa:bb:cc:dd:ee:ff
AABBCCDDEEFF
AABBCC-DDEEFF
AA-BB-CC-DD-EE-FF
AA:BB:CC:DD:EE:FF
If the device is a switch or other VLAN capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch. The switch applies a single MAC address to all VLANs configured in the switch. Thus, for a given switch, the MAC address is the same for all VLANs configured on the switch. (See “Static Virtual LANs (VLANs)” in the advanced traffic management guide for your switch.)
Configuring the switch to access a RADIUS server
Configuring a RADIUS server to support web-based authentication and MAC Authentication require the following minimal commands:
(See RADIUS Authentication, Authorization, and Accounting for information on other RADIUS command options.)
Syntax:
[no] radius-server
[host <
ip-addresss
>]
[host <
ip-addresss
>][oobm]Adds a server to the RADIUS configuration or, when [
no
] is used, deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (See RADIUS Authentication, Authorization, and Accounting).The
oobm
option specifies that the RADIUS traffic will go through the out-of-band management (OOBM) port.
[key <
global-key-string
>]Specifies the global encryption key the switch uses with servers for which the switch does not have a server specific key assignment (below). This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. The tilde (~) character is allowed in the string, for example, radius server key hp~switch. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
(Default: Null.)
Syntax:
radius-server host <
ip-address
> key <server-specific key-string
>
[no]radius-server host <
ip-address
> keyOptional.
Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key, above. The tilde (~) character is allowed in the string. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
The
[no]
form of the command removes the key configured for a specific server.
For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server specific shared secret key of ‘1A7rd’:
Configure the switch to access a RADIUS server
HP Switch(config)# radius-server host 192.168.32.11 HP Switch(config)# radius-server host 192.168.32.11 key 1A7rd HP Switch(config)# show radius Status and Counters - General RADIUS Information Deadtime(min) : 0 Timeout(secs) : 5 Retransmit Attempts : 3 Global Encryption Key : Dynamic Authorization UDP Port : Auth Acct DM/ Time Server IP Addr Port Port CoA Window Encryption Key --------------- ---- ---- --- ------ --------------------- 192.168.32.11 1812 1813 1A7rd
Radius service tracking
Radius service tracking locates the availability of the RADIUS service configured on the switch. It helps to minimize the waiting period for new clients in the unauth-vid (Guest Vlan) when authentication fails because of service is not available, as well as previously authenticated clients in unauth-vid (Guest Vlan) when re-authentication fails because service is not available during the re-authentication period.
Note that this feature is disabled by default.
radius-server tracking
Syntax
[no] radius-server tracking <enable|disable>
Description
This command is used to enable or disable the tracking of the RADIUS server’s availability.
Options
tracking
Tracks the availability of the RADIUS servers.
enable
Enables the RADIUS service tracking.
disable
Disables the RADIUS service tracking.
Example output
To display the status of the RADIUS service tracking
feature, use the show radius
command. Note that
tracking is enabled in the example below.
HP-Switch# show radius Status and Counters - General RADIUS Information Deadtime(min) : 0 Timeout(secs) : 5 Retransmit Attempts : 3 Global Encryption Key : Dynamic Authorization UDP Port : 3799 Source IP Selection : Outgoing Interface Tracking : Enabled Auth Acct DM/ Time | Server IP Addr Port Port CoA Window | Encryption Key OOBM --------------- ---- ---- --- ------ + -------------------------------- ----
radius-server tracking user-name
Syntax
[no] radius-server tracking user-name
<USER-NAME>
Description
Configures the dummy user-name used to track
the availability of the RADIUS servers. By default, the radius-tracking-user
user
name is used.
Options
tracking
Tracks the availability of the RADIUS servers.
user-name
Sets the username that will be used to track the RADIUS servers.
Specifiers
<USER-NAME>
Enter the username.