Access Security Guide K/KA/KB.15.15

Redirecting HTTP when MAC address not found
When a client’s MAC address is checked by the RADIUS server against the known list of MAC
addresses, and the MAC address is not found, the client needs a way to quickly become registered
through a web registration process. The HTTP Redirect feature provides a way for a client who has
failed MAC authentication to become registered through a web/registration server. Only a web
browser is required for this authentication process.
NOTE: The HTTP redirect feature cannot be enabled if web-based authentication is enabled on
any port, and conversely, if HTTP redirect is enabled, web-based authentication cannot be enabled
on any port.
The web/registration server software is not included with this feature.
How HTTP redirect works
The unauth-redirect option must be configured with the registration server’s URL as a parameter
before HTTP redirect operations can begin. The full URL must be used.
Syntax:
[no] aaa port-access mac-based unauth-redirect
Configure the HTTP redirect registration server feature.
<redirect-URL-str>
Enables the HTTP redirect registration server feature by configuring the URL of the
registration page. An entry can have either an IP address or a DNS name. Only
one server can be configured.
Note: The entire URL must be used, including the “http://” or “https://” portion.
[restrictive-filter]
Enables the redirect server to only return a Warning or Information page.
[timeout <seconds>]
The time (in seconds) before a client in an unauthorized redirection state is removed
from the state tables.
Range: <30-10800> seconds
Default: 1800 seconds
CAUTION: Rogue clients can attempt to access any web pages on the web/registration server
via interface ports configured for MAC authentication.
Operating Notes for HTTP Redirect
If the configured URL contains a domain name (as opposed to an IP address) the switch’s DNS
resolver must be configured:
HP Switch(config)# ip dns server-address priority 1 <ipv4-address>
The NAT does an IP route lookup before it sends the packet to the destination registration
server. A VLAN must have been configured that allows the switch to access the registration
server.
The initial page, redirect server, and filter path configuration will be per-switch.
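As an added example (not from the guide or from HP), the following Python check audits a saved switch configuration against the constraints stated above: a full URL, a single server, the timeout range, a DNS resolver when the URL uses a name, and no web-based authentication alongside HTTP redirect. The single-line layout of the unauth-redirect command, the `aaa port-access web-based` line form, and both sample configurations are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

REDIRECT = re.compile(r"^aaa port-access mac-based unauth-redirect\s+(\S+)(.*)$")

def audit(config_text):
    """Check a saved config against the unauth-redirect rules stated in the guide."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    redirects = [m for m in map(REDIRECT.match, lines) if m]
    findings = []
    if not redirects:
        return findings  # feature not configured, nothing to check
    if len(redirects) > 1:
        findings.append("more than one registration server URL configured")
    # Assumption: web-based authentication shows up as 'aaa port-access web-based ...'.
    if any(l.startswith("aaa port-access web-based") for l in lines):
        findings.append("web-based authentication is enabled together with HTTP redirect")
    has_dns = any(l.startswith("ip dns server-address") for l in lines)
    for m in redirects:
        url, opts = m.group(1), m.group(2)
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(f"not a full http:// or https:// URL: {url}")
            continue
        try:
            ipaddress.ip_address(parts.hostname)  # IP literal needs no resolver
        except ValueError:
            if not has_dns:
                findings.append(f"{parts.hostname} is a DNS name but no DNS server is set")
        timeout = re.search(r"\btimeout\s+(\d+)", opts)
        if timeout and not 30 <= int(timeout.group(1)) <= 10800:
            findings.append(f"timeout {timeout.group(1)} is outside 30-10800 seconds")
        if "restrictive-filter" not in opts:
            findings.append("restrictive-filter is not set")
    return findings

# Constructed sample configurations (not taken from a real switch).
BAD = """
aaa port-access web-based 1-4
aaa port-access mac-based unauth-redirect http://register.example.net/start timeout 20
"""
GOOD = """
ip dns server-address priority 1 192.0.2.53
aaa port-access mac-based 1-4
aaa port-access mac-based unauth-redirect https://register.example.net/start restrictive-filter timeout 600
"""

if __name__ == "__main__":
    for name, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, audit(cfg) or "no findings")
```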
Registering HTTP redirect
Following are the steps involved in HTTP registration.