Access Security Guide K/KA/KB.15.15

You configure access to an optional, unauthorized VLAN when you configure web-based and
MAC authentication on a port.
RADIUS-based authentication
In web-based and MAC authentication, you use a RADIUS server to temporarily assign a port to
a static VLAN to support an authenticated client. When a RADIUS server authenticates a client,
the switch-port membership during the client's connection is determined according to the following
hierarchy:
1. A RADIUS-assigned VLAN.
2. An authorized VLAN specified in the web-based or MAC authentication configuration for the
subject port.
3. A static, port-based, untagged VLAN to which the port is configured.
The first entry in this list that applies is used; a RADIUS-assigned VLAN therefore has priority
over switch-port membership in any VLAN.
Wireless clients
You can allow wireless clients to move between switch ports under web-based/MAC authentication
control. Clients can move from one web-authorized port to another or from one MAC-authorized
port to another. This capability allows wireless clients to move from one access point to another
without having to reauthenticate.
How web-based and MAC authentication operate
Before gaining access to the network, a client first presents authentication credentials to the switch.
The switch then verifies the credentials with a RADIUS authentication server. Successfully
authenticated clients receive access to the network, as defined by the System Administrator. Clients
who fail to authenticate successfully receive no network access or limited network access as defined
by the System Administrator.
Web-based authentication
When a client connects to a web-based authentication enabled port, communication is redirected
to the switch. A temporary IP address is assigned by the switch and a login screen is presented
for the client to enter their username and password.
The default User Login screen is shown in Figure 63 (page 100). You can also prepare customized
web pages to use for web-based authentication login and present them to clients who try to connect
to the network; see “Customizing user login web pages” (page 90).
Figure 63 Default User Login screen
When a client connects to the switch, it sends a DHCP request to obtain an IP address. Until the
client has authenticated, the switch answers that request itself with a temporary address. To avoid
address conflicts in a secure network, you can specify the temporary address pool the switch hands
out, and how long those addresses are leased, by configuring the dhcp-addr and dhcp-lease options
when you enable web-based authentication with the aaa port-access web-based command. Choose a
pool that is not in use anywhere else on the network.
The Secure Socket Layer (SSLv3/TLSv1) feature provides remote web-based access to the network
via authenticated transactions and encrypted paths between the switch and management-station
clients capable of SSL/TLS. If you have enabled SSL on the switch, you can specify the ssl-login
option when you configure web-based authentication so that clients who log in on the specified ports
are redirected to a secure login page (https://...) to enter their credentials. Without ssl-login, the
login page is served over plain HTTP and the username and password travel in cleartext between the
client and the switch.
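The following configuration is an added illustration, not one of the guide's own examples. It enables web-based authentication on a single port with an authorized and an unauthorized VLAN, a temporary DHCP pool, and SSL login, in the order an administrator would type it. The option names dhcp-addr, dhcp-lease and ssl-login are the ones this page names; auth-vid and unauth-vid are assumed to be the option names this guide uses for the authorized and unauthorized VLANs, and the SSL-enabling commands are likewise assumed from the switch's web-management command set. The port number, VLAN IDs, RADIUS server address, shared secret and address pool are placeholders, and the leading ";" lines are comments as used in the switch's configuration files.

```text
; Added example (not from the guide): web-based authentication on port 5.
; Placeholders: 10.10.1.5 = RADIUS server, secret123 = shared secret,
; VLAN 30 = authorized VLAN, VLAN 20 = unauthorized VLAN,
; 192.168.250.0/24 = temporary DHCP pool (choose a range unused elsewhere).

; RADIUS server that verifies the credentials clients submit on the login page
switch(config)# radius-server host 10.10.1.5 key secret123

; Enable web-based authentication on port 5
switch(config)# aaa port-access web-based 5

; VLAN precedence: a RADIUS-assigned VLAN wins; otherwise auth-vid applies to
; authenticated clients and unauth-vid to clients that fail (assumed option names)
switch(config)# aaa port-access web-based 5 auth-vid 30
switch(config)# aaa port-access web-based 5 unauth-vid 20

; Temporary addresses the switch hands out before the client authenticates,
; and the lease time (seconds) for those addresses
switch(config)# aaa port-access web-based 5 dhcp-addr 192.168.250.0/24
switch(config)# aaa port-access web-based 5 dhcp-lease 10

; SSL must be enabled on the switch before ssl-login works (assumed commands):
; generate the server certificate, then turn on the HTTPS management server
switch(config)# crypto key generate cert rsa 1024
switch(config)# web-management ssl

; Redirect the login page to https:// so credentials are not sent in cleartext
switch(config)# aaa port-access web-based 5 ssl-login

; Verify the per-port settings
switch(config)# show port-access web-based 5 config
```

After applying the configuration, connect an unauthenticated client to port 5 and confirm that it receives an address from the temporary pool rather than from the production DHCP server, that the browser is redirected to an https:// login page, and that a successful login moves the port to VLAN 30 (or to the VLAN returned by the RADIUS server, which takes precedence).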
100 Web-based and MAC authentication