Access Security Guide K/KA/KB.15.15

Clientless Endpoint Integrity
Clientless Endpoint Integrity (CEI) allows a switch to validate the security software that a client is
running before allowing the client to connect to the network. By using the CEI feature on a switch
deployed at the edge of the network, there is no need to require a client to install special software
to perform the endpoint integrity check. CEI verifies that a client is running the necessary security
patches, service packs, virus definitions, and the last scan date.
CEI is embedded in the login process for web-based authentication to verify a client's integrity.
After you configure CEI, a client simply connects to the network and goes through the login process.
During the login process, the software installed on the client is automatically checked by a CEI
server on your network. If the endpoint integrity check fails and CEI reports that a client needs to
install a more current patch or a new virus definition file, the client is redirected to a quarantine
network to install the required updates.
CEI strengthens your ability to secure the network against known or unknown clients that try to
connect, without requiring those clients to install special security software.
To enable CEI, configure the IP address of the CEI server (using the cei-server parameter) when
you enable web-based authentication. To set up the CEI server and quarantine network, follow the
instructions in the “Diagnostic Tools” section in the “Troubleshooting” chapter of Management and
Configuration Guide for your switch.
MAC authentication
When a client connects to a port with MAC authentication enabled, its traffic is blocked. The switch
immediately submits the client's MAC address (in the format specified by addr-format) as the
client's credentials to the RADIUS server for authentication.
If the client is authenticated and the maximum number of MAC addresses allowed on the port
(addr-limit) has not been reached, the port is assigned to a static, untagged VLAN for network
access.
Operating notes and guidelines
The switch supports concurrent 802.1X, web and MAC authentication operation on a port
(with up to 32 clients allowed). However, concurrent operation of web and MAC authentication
with other types of authentication on the same port is not supported. That is, the following
authentication types are mutually exclusive on a given port:
Web-based and/or MAC authentication (with or without 802.1X)
MAC lockdown
MAC lockout
Port-Security
Order of Precedence for Port Access Management (highest to lowest):
1. MAC lockout
2. MAC lockdown or Port Security
3. Port-based Access Control (802.1X) or web-based authentication or MAC authentication
NOTE: When configuring a port for web-based or MAC authentication, be sure that a higher
precedent port access management feature is not enabled on the port. For example, be sure
that Port Security is disabled on a port before configuring the port for web-based or MAC
authentication. If Port Security is enabled on the port, this misconfiguration prevents
web-based or MAC authentication from taking place.
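The precedence order and the exclusivity rule above are easy to get wrong when several features are enabled on the same port. The following added example (not part of the guide or of the switch software) models those rules and audits a constructed per-port feature inventory for web-based or MAC authentication that a higher-precedence feature would silently shadow; the feature names and the sample inventory are assumptions.

```python
"""Audit of port-access precedence rules, modelled on the guide's ordering.

Assumed: each port's enabled features are given as a set of the names in
PRECEDENCE below (constructed sample data; no switch is queried).
"""
from typing import Dict, Iterable, List, Tuple

# Highest to lowest precedence, as listed in the guide. Features in one
# tier coexist; any enabled feature in a higher tier shadows lower tiers.
PRECEDENCE: List[frozenset] = [
    frozenset({"mac-lockout"}),
    frozenset({"mac-lockdown", "port-security"}),
    frozenset({"802.1x", "web-auth", "mac-auth"}),
]
KNOWN = frozenset().union(*PRECEDENCE)


def effective_tier(features: Iterable[str]) -> Tuple[int, frozenset]:
    """Return (tier index, enabled features in that tier) for the highest
    precedence tier with at least one feature enabled; (-1, empty) if none."""
    enabled = set(features)
    unknown = enabled - KNOWN
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    for idx, tier in enumerate(PRECEDENCE):
        active = tier & enabled
        if active:
            return idx, frozenset(active)
    return -1, frozenset()


def shadowed_port_access(features: Iterable[str]) -> frozenset:
    """Tier-3 features (802.1X, web-based, MAC auth) that are configured
    but cannot take effect because MAC lockout, MAC lockdown or Port
    Security is enabled on the same port: the misconfiguration the NOTE
    warns about."""
    enabled = set(features)
    idx, _ = effective_tier(enabled)
    return frozenset(enabled & PRECEDENCE[2]) if idx in (0, 1) else frozenset()


def audit(ports: Dict[str, Iterable[str]]) -> Dict[str, frozenset]:
    """Map port name -> shadowed features; clean ports are omitted."""
    return {p: shadowed_port_access(f) for p, f in ports.items()
            if shadowed_port_access(f)}


# Constructed sample: A1 is fine, A2 and A3 are misconfigured.
SAMPLE_PORTS = {
    "A1": {"802.1x", "mac-auth"},
    "A2": {"port-security", "mac-auth"},
    "A3": {"mac-lockout", "web-auth", "802.1x"},
}

if __name__ == "__main__":
    for port, bad in audit(SAMPLE_PORTS).items():
        print(f"{port}: {sorted(bad)} configured but shadowed")
```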
VLANs: If your LAN does not use multiple VLANs, then you do not need to configure VLAN
assignments in your RADIUS server or consider using either authorized or unauthorized VLANs.