HPE FlexNetwork 5510 HI Series

To Next Page

To Previous Page

Figure 30 802.1X authentication procedure in EAP termination mode

In EAP termination mode, the access device rather than the authentication server generates an MD5

challenge for password encryption. The access device then sends the MD5 challenge together with

the username and encrypted password in a standard RADIUS packet to the RADIUS server.

EAPOL

RADIUS

(1) EAPOL-Start

(

) EAP

-Request

Identity

) EAP

Response /

Identity

(4) EAP-Request

MD5

challenge

(8) EAP-Success

(5) EAP-Response / MD5 challenge

(9)

EAP-Request

Identity

(10) EAP-

Response/Identity

(11) EAPOL-Logoff

...

Client Device

Authentication server

Port authorized

Port unauthorized

(6) RADIUS Access-Request

(CHAP-Response/MD5 challenge)

(7) RADIUS Access-Accept

(

CHAP-Success)

(12) EAP-Failure

Main Page

Default Chapter3
- Table of Contents3
Configuring AAA14
- Overview14
- FIPS Compliance29
- AAA Configuration Considerations and Task List30
- Configuring AAA Schemes31
- Configuring AAA Methods for ISP Domains56
- Enabling the Session-Control Feature61
- Setting the Maximum Number of Concurrent Login Users61
- Configuring a NAS-ID Profile61
- Displaying and Maintaining AAA62
- AAA Configuration Examples62
- Troubleshooting RADIUS74
- Troubleshooting HWTACACS75
- Troubleshooting LDAP75
  - LDAP Authentication Failure75
802.1X Overview77
- 802.1X Architecture77
- Controlled/Uncontrolled Port and Port Authorization Status77
- 802.1X-Related Protocols78
  - Packet Formats78
  - EAP over RADIUS79
- 802.1X Authentication Initiation80
  - 802.1X Client as the Initiator80
  - Access Device as the Initiator80
- 802.1X Authentication Procedures81
Configuring 802.1X85
- Access Control Methods85
- 802.1X VLAN Manipulation85
  - Authorization VLAN85
  - Guest VLAN87
  - Auth-Fail VLAN88
  - Critical VLAN89
  - Critical Voice VLAN91
- Using 802.1X Authentication with Other Features92
  - ACL Assignment92
  - User Profile Assignment92
  - EAD Assistant92
- Configuration Prerequisites93
- 802.1X Configuration Task List93
- Enabling 802.1X93
- Enabling EAP Relay or EAP Termination94
- Setting the Port Authorization State95
- Specifying an Access Control Method95
- Setting the Maximum Number of Concurrent 802.1X Users on a Port95
- Setting the Maximum Number of Authentication Request Attempts96
- Setting the Maximum Number of 802.1X Authentication Attempts for MAC Authenticated Users96
- Setting the 802.1X Authentication Timeout Timers96
- Configuring the Online User Handshake Feature97
  - Configuration Guidelines97
  - Configuration Procedure98
- Configuring the Authentication Trigger Feature98
  - Configuration Guidelines98
- Specifying a Mandatory Authentication Domain on a Port99
- Configuring the Quiet Timer99
- Enabling the Periodic Online User Reauthentication Feature100
- Configuring an 802.1X Guest VLAN100
  - Configuration Guidelines100
  - Configuration Prerequisites101
  - Configuration Procedure101
- Enabling 802.1X Guest VLAN Assignment Delay101
- Configuring an 802.1X Auth-Fail VLAN102
  - Configuration Guidelines102
  - Configuration Prerequisites103
  - Configuration Procedure103
- Configuring an 802.1X Critical VLAN103
  - Configuration Guidelines103
  - Configuring the 802.1X Critical VLAN on a Port104
  - Sending EAP-Success Packets to Users in the 802.1X Critical VLAN104
- Enabling the 802.1X Critical Voice VLAN104
  - Configuration Restrictions and Guidelines104
  - Configuration Prerequisites105
  - Configuration Procedure105
- Specifying Supported Domain Name Delimiters105
- Configuring the EAD Assistant Feature106
- Displaying and Maintaining 802.1X106
- 802.1X Authentication Configuration Examples107
  - Basic 802.1X Authentication Configuration Example107
  - Guest VLAN and Authorization VLAN Configuration Example109
  - 802.1X with ACL Assignment Configuration Example111
  - 802.1X with EAD Assistant Configuration Example113
- Troubleshooting 802.1X115
  - EAD Assistant for Web Browser Users115
Configuring MAC Authentication116
- Overview116
- Configuration Prerequisites119
- Configuration Task List120
- Enabling MAC Authentication120
- Specifying a MAC Authentication Domain121
- Configuring the User Account Format121
- Configuring MAC Authentication Timers121
- Setting the Maximum Number of Concurrent MAC Authentication Users on a Port122
- Enabling MAC Authentication Multi-VLAN Mode on a Port122
- Configuring MAC Authentication Delay123
- Enabling Parallel Processing of MAC Authentication and 802.1X Authentication123
  - Configuration Restrictions and Guidelines124
  - Configuration Procedure124
- Configuring a MAC Authentication Guest VLAN124
- Configuring a MAC Authentication Critical VLAN125
- Enabling the MAC Authentication Critical Voice VLAN126
  - Configuration Prerequisites126
  - Configuration Procedure127
- Configuring the Keep-Online Feature127
- Enabling MAC Authentication Offline Detection127
- Displaying and Maintaining MAC Authentication128
- MAC Authentication Configuration Examples128
Configuring Portal Authentication136
- Overview136
- Portal Configuration Task List142
- Configuration Prerequisites142
- Configuring a Portal Authentication Server143
- Configuring a Portal Web Server143
- Enabling Portal Authentication on an Interface144
  - Configuration Restrictions and Guidelines144
  - Configuration Procedure144
- Referencing a Portal Web Server for an Interface145
- Controlling Portal User Access145
- Configuring Portal Detection Features149
- Configuring the Portal Fail-Permit Feature152
- Configuring BAS-IP for Portal Packets Sent to the Portal Authentication Server153
- Applying a NAS-ID Profile to an Interface154
- Enabling Portal Roaming154
- Logging out Portal Users155
- Configuring the Local Portal Web Server Feature155
  - Customizing Authentication Pages155
  - Configuring a Local Portal Web Server157
- Displaying and Maintaining Portal158
- Portal Configuration Examples158
- Troubleshooting Portal195
Configuring Port Security198
- Overview198
  - Port Security Features198
  - Port Security Modes198
- Configuration Task List201
- Enabling Port Security201
- Setting Port Security's Limit on the Number of Secure MAC Addresses on a Port202
- Setting the Port Security Mode202
- Configuring Port Security Features203
  - Configuring NTK203
  - Configuring Intrusion Protection204
- Configuring Secure MAC Addresses204
  - Configuration Prerequisites205
  - Configuration Procedure205
- Ignoring Authorization Information from the Server206
- Enabling MAC Move206
- Applying a NAS-ID Profile to Port Security207
- Enabling the Authorization-Fail-Offline Feature207
- Enabling SNMP Notifications for Port Security208
- Displaying and Maintaining Port Security208
- Port Security Configuration Examples209
- Troubleshooting Port Security217
  - Cannot Set the Port Security Mode217
  - Cannot Configure Secure MAC Addresses218
Configuring Password Control219
- Overview219
- FIPS Compliance222
- Password Control Configuration Task List222
- Enabling Password Control222
- Setting Global Password Control Parameters223
- Setting User Group Password Control Parameters224
- Setting Local User Password Control Parameters225
- Setting Super Password Control Parameters225
- Displaying and Maintaining Password Control226
- Password Control Configuration Example226
Managing Public Keys230
- Overview230
- FIPS Compliance230
- Creating a Local Key Pair230
- Distributing a Local Host Public Key232
  - Exporting a Host Public Key232
  - Displaying a Host Public Key232
- Destroying a Local Key Pair233
- Configuring a Peer Host Public Key233
  - Importing a Peer Host Public Key from a Public Key File233
  - Entering a Peer Host Public Key234
- Displaying and Maintaining Public Keys234
- Examples of Public Key Management234
  - Example for Entering a Peer Host Public Key234
  - Example for Importing a Public Key from a Public Key File236
Configuring PKI239
- Overview239
- FIPS Compliance242
- PKI Configuration Task List242
- Configuring a PKI Entity242
- Configuring a PKI Domain243
- Requesting a Certificate245
- Aborting a Certificate Request247
- Obtaining Certificates247
- Verifying PKI Certificates248
  - Verifying Certificates with CRL Checking248
  - Verifying Certificates Without CRL Checking249
- Specifying the Storage Path for the Certificates and Crls249
- Exporting Certificates250
- Removing a Certificate250
- Configuring a Certificate-Based Access Control Policy251
- Displaying and Maintaining PKI252
- PKI Configuration Examples252
- Troubleshooting PKI Configuration266
Configuring Ipsec272
- Overview272
- FIPS Compliance276
- Ipsec Tunnel Establishment276
- Implementing ACL-Based Ipsec277
- Configuring Ipsec for Ipv6 Routing Protocols290
  - Configuration Task List290
  - Configuring a Manual Ipsec Profile291
- Configuring SNMP Notifications for Ipsec292
- Displaying and Maintaining Ipsec293
- Ipsec Configuration Examples293
Configuring IKE303
- Overview303
- FIPS Compliance305
- IKE Configuration Prerequisites305
- IKE Configuration Task List305
- Configuring an IKE Profile306
- Configuring an IKE Proposal308
- Configuring an IKE Keychain309
- Configuring the Global Identity Information310
- Configuring the IKE Keepalive Feature311
- Configuring the IKE NAT Keepalive Feature311
- Configuring IKE DPD311
- Enabling Invalid SPI Recovery312
- Setting the Maximum Number of IKE Sas313
- Configuring SNMP Notifications for IKE313
- Displaying and Maintaining IKE314
- IKE Configuration Examples314
  - Main Mode IKE with Pre-Shared Key Authentication Configuration Example314
  - Verifying the Configuration317
- Troubleshooting IKE317
Configuring Ikev2322
- Overview322
- Feature and Software Version Compatibility323
- Ikev2 Configuration Task List324
- Configuring an Ikev2 Profile324
- Configuring an Ikev2 Policy327
- Configuring an Ikev2 Proposal327
- Configuring an Ikev2 Keychain329
- Configure Global Ikev2 Parameters330
- Displaying and Maintaining Ikev2331
- Ikev2 Configuration Examples331
  - Ikev2 with Pre-Shared Key Authentication Configuration Example331
  - Ikev2 with RSA Signature Authentication Configuration Example334
- Troubleshooting Ikev2339
Configuring SSH341
- Overview341
- Feature and Software Version Compatibility344
- FIPS Compliance344
- Configuring the Device as an SSH Server344
- Configuring the Device as an Stelnet Client351
- Configuring the Device as an SFTP Client355
- Configuring the Device as an SCP Client361
  - Establishing a Connection to an SCP Server361
  - Establishing a Connection to an SCP Server Based on Suite B364
- Specifying Algorithms for SSH2364
- Displaying and Maintaining SSH366
- Stelnet Configuration Examples366
- SFTP Configuration Examples384
- SCP Configuration Examples394
  - SCP File Transfer with Password Authentication394
  - SCP Configuration Example Based on Suite B Algorithms396
- NETCONF over SSH Configuration Example with Password Authentication403
Configuring SSL406
- Overview406
  - SSL Security Services406
  - SSL Protocol Stack406
- FIPS Compliance407
- SSL Configuration Task List407
- Configuring an SSL Server Policy407
- Configuring an SSL Client Policy410
- Displaying and Maintaining SSL412
Configuring IP Source Guard413
- Overview413
  - Static IPSG Bindings413
  - Dynamic IPSG Bindings414
- IPSG Configuration Task List414
- Configuring the Ipv4Sg Feature415
  - Enabling Ipv4Sg on an Interface415
  - Configuring a Static Ipv4Sg Binding415
- Configuring the Ipv6Sg Feature416
  - Enabling Ipv6Sg on an Interface416
  - Configuring a Static Ipv6Sg Binding417
- Displaying and Maintaining IPSG418
- IPSG Configuration Examples418
Configuring ARP Attack Protection424
- ARP Attack Protection Configuration Task List424
- Configuring Unresolvable IP Attack Protection424
- Configuring ARP Packet Rate Limit426
  - Configuration Guidelines427
  - Configuration Procedure427
- Configuring Source MAC-Based ARP Attack Detection427
- Configuring ARP Packet Source MAC Consistency Check429
- Configuring ARP Active Acknowledgement430
- Configuring Authorized ARP430
- Configuring ARP Attack Detection433
- Configuring ARP Scanning and Fixed ARP439
  - Configuration Restrictions and Guidelines439
  - Configuration Procedure440
- Configuring ARP Gateway Protection440
  - Configuration Guidelines440
  - Configuration Example441
- Configuring ARP Filtering441
Configuring MFF444
- Overview444
- Configuring MFF446
- Displaying and Maintaining MFF447
- MFF Configuration Examples448
  - Manual-Mode MFF Configuration Example in a Tree Network448
  - Manual-Mode MFF Configuration Example in a Ring Network449
Configuring Urpf451
- Overview451
- Enabling Urpf454
- Displaying and Maintaining Urpf454
- Urpf Configuration Example455
Configuring Crypto Engines456
- Overview456
- Displaying and Maintaining Crypto Engines456
Configuring FIPS457
- Overview457
- Configuration Restrictions and Guidelines457
- Configuring FIPS Mode458
- FIPS Self-Tests460
- Displaying and Maintaining FIPS462
- FIPS Configuration Examples462
Configuring User Profiles467
- Overview467
- Configuration Task List467
- Configuration Restrictions and Guidelines467
- Creating a User Profile467
- Configuring Parameters for a User Profile468
  - Configuring Qos Parameters for Traffic Management468
- Displaying and Maintaining User Profiles468
- User Profile Configuration Examples468
  - Local 802.1X Authentication/Authorization with Qos Policy Configuration Example468
Configuring Attack Detection and Prevention473
- Overview473
- Configuring TCP Fragment Attack Prevention473
Configuring Macsec474
- Overview474
- Compatibility Information477
  - Feature and Hardware Compatibility477
  - Feature and Software Version Compatibility477
- Macsec Configuration Task List478
- Enabling MKA478
- Enabling Macsec Desire478
- Configuring a Preshared Key479
- Configuring the MKA Key Server Priority479
- Configuring Macsec Protection Parameters in Interface View480
- Configuring Macsec Protection Parameters by MKA Policy481
  - Configuring an MKA Policy481
  - Applying an MKA Policy482
- Displaying and Maintaining Macsec482
- Macsec Configuration Examples483
  - Client-Oriented Macsec Configuration Example483
  - Device-Oriented Macsec Configuration Example486
- Troubleshooting Macsec489
Configuring ND Attack Defense490
- Overview490
- Feature and Software Version Compatibility490
- ND Attack Defense Configuration Task List490
- Configuring ND Attack Detection491
- Configuring RA Guard494
Document Conventions and Icons498
- Conventions498
- Network Topology Icons499
Support and Other Resources500
- Accessing Hewlett Packard Enterprise Support500
- Accessing Updates500
Index503

HPE FlexNetwork 5510 HI Series

Table of Contents

Other manuals for HPE FlexNetwork 5510 HI Series

Related product manuals