Access Security Guide K/KA/KB.15.15

NIM also allows you to configure and apply client-specific profiles on ports that are not configured
to authenticate clients (unauthorized clients), provided that a client's MAC address is known in the
switch forwarding database.
The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile
MIB, which serves as the configuration interface for NIM. A client profile consists of NIM-configured,
RADIUS-assigned, and statically configured parameters. Using the show commands for 802.1X, Web,
or MAC authentication, you can verify which RADIUS-assigned and statically configured parameters
are supported, and whether they are supported on a per-port or per-client basis.
A NIM policy accesses the hpicfUsrProfileMIB through SNMP to perform the following actions:
• Bind (or unbind) a profile of configured attributes to the MAC address of a client device on
  an authenticated or unauthenticated port.
• Configure or unconfigure an untagged VLAN for use in an authenticated or unauthenticated
  client session.
NOTE: The attribute profile assigned to a client is often a combination of NIM-configured,
RADIUS-assigned, and statically configured settings. Precedence is always given to the temporarily
applied NIM-configured parameters over RADIUS-assigned and locally configured parameters.
For information on NIM, go to the HP Networking Web site at www.hp.com/solutions.
Arbitrating client-specific attributes
In previous releases, client-specific authentication parameters for 802.1X, Web, and MAC
authentication were assigned to a port using different criteria. A RADIUS-assigned parameter was
always given the highest priority and overrode statically configured local passwords, and 802.1X
authentication parameters overrode Web or MAC authentication parameters.
Starting in release K.13.xx, DCA stores three levels of client-specific authentication parameters
and prioritizes them according to the following hierarchy of precedence:
1. NIM access policy (applied through SNMP)
2. RADIUS-assigned
   a. 802.1X authentication
   b. Web or MAC authentication
3. Statically (local) configured
Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific
profile, if DCA detects that a parameter has configured values from two or more levels in the
hierarchy of precedence described above, DCA decides which parameters to add or remove, or
whether to fail the authentication attempt due to an inability to apply the parameters.
For example, NIM may configure only rate-limiting for a specified client session, while
RADIUS-assigned values may include both an untagged VLAN ID and a rate-limiting value to be
applied. In this case, DCA applies the NIM-configured rate-limiting value and the RADIUS-assigned
VLAN (if there are no other conflicts).
Also, you can assign NIM-configured parameters (for example, VLAN ID assignment or rate-limiting)
to be activated in a client session when a threat to network security is detected. When the
NIM-configured parameters are later removed, the parameter values in the client session return to
the RADIUS-configured or locally configured settings, depending on which are next in the hierarchy
of precedence.
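The per-parameter arbitration described above (NIM over RADIUS, 802.1X over Web/MAC, RADIUS over static, with fallback to the next level when NIM attributes are removed) can be modelled in a few lines. The following is an added illustration, not HP switch code and not an implementation of DCA or the hpicfUsrProfileMIB: the level numbers, the parameter names `untagged_vlan` and `rate_limit_kbps`, the switch VLAN table passed to `apply_profile`, and the choice of "VLAN not present on the switch" as the condition that fails the attempt are all constructed assumptions.

```python
"""Toy model of per-parameter precedence arbitration for a client session.

Constructed illustration of the hierarchy in the guide; not HP code.
Level numbers, parameter names and the failure condition are assumptions.
"""
from typing import Dict, Set, Tuple

# Hierarchy of precedence: a lower number wins (assumed numbering).
NIM = 1            # 1.  NIM access policy (applied through SNMP)
RADIUS_8021X = 2   # 2a. RADIUS-assigned, 802.1X authentication
RADIUS_WEBMAC = 3  # 2b. RADIUS-assigned, Web or MAC authentication
STATIC = 4         # 3.  Statically (locally) configured

LEVEL_NAMES = {
    NIM: "NIM",
    RADIUS_8021X: "RADIUS (802.1X)",
    RADIUS_WEBMAC: "RADIUS (Web/MAC)",
    STATIC: "static",
}


class ArbitrationError(Exception):
    """Raised when the winning value for a parameter cannot be applied."""


class ClientProfile:
    """Per-client (MAC address) session profile holding one layer per level."""

    def __init__(self, mac: str) -> None:
        self.mac = mac
        self.layers: Dict[int, Dict[str, object]] = {lvl: {} for lvl in LEVEL_NAMES}

    def set_params(self, level: int, **params: object) -> None:
        """Record parameters assigned at one level (e.g. from a RADIUS reply)."""
        self.layers[level].update(params)

    def bind_nim(self, **params: object) -> None:
        """Model a NIM policy binding attributes to this MAC address."""
        self.set_params(NIM, **params)

    def unbind_nim(self) -> None:
        """Model NIM removing its temporarily applied attributes; lower
        levels keep their values, so the session falls back to them."""
        self.layers[NIM].clear()

    def effective(self) -> Dict[str, Tuple[object, str]]:
        """Resolve each parameter independently: the highest-precedence level
        that configured it wins. Returns name -> (value, winning level name)."""
        resolved: Dict[str, Tuple[object, str]] = {}
        for level in sorted(self.layers):          # NIM first, static last
            for name, value in self.layers[level].items():
                resolved.setdefault(name, (value, LEVEL_NAMES[level]))
        return resolved


def apply_profile(profile: ClientProfile, switch_vlans: Set[int]) -> Dict[str, object]:
    """Return the parameter values to apply to the session, or fail the attempt
    when a winning parameter cannot be applied (assumed example condition: the
    winning untagged VLAN does not exist on the switch)."""
    eff = profile.effective()
    vlan = eff.get("untagged_vlan")
    if vlan is not None and vlan[0] not in switch_vlans:
        raise ArbitrationError(
            f"{profile.mac}: untagged VLAN {vlan[0]} from {vlan[1]} "
            "is not present on the switch")
    return {name: value for name, (value, _src) in eff.items()}


if __name__ == "__main__":
    # Constructed sample: static config, a RADIUS 802.1X reply, then a NIM bind.
    p = ClientProfile("00:11:22:33:44:55")
    p.set_params(STATIC, untagged_vlan=10, rate_limit_kbps=10000)
    p.set_params(RADIUS_8021X, untagged_vlan=20, rate_limit_kbps=5000)
    p.bind_nim(rate_limit_kbps=100)   # NIM only touches rate-limiting
    print(p.effective())              # NIM rate limit, RADIUS VLAN
    p.unbind_nim()
    print(p.effective())              # rate limit falls back to RADIUS
```

`effective()` resolves each parameter on its own, which is why NIM can override only the rate limit while the untagged VLAN still comes from RADIUS; `unbind_nim()` removes only the NIM layer, so the next level in the hierarchy takes over without re-authenticating.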
In addition, DCA supports conflict resolution for QoS (port-based CoS priority) and rate-limiting
(ingress) by determining whether to configure either strict or non-strict resolution on a switch-wide
basis. For example, if multiple clients authenticate on a port and a rate-limiting assignment by a
Using HP switch security features 439