Access Security Guide K/KA/KB.15.15

Prerequisites
As implemented in 802.1X authentication, disabling incoming traffic while still transmitting
outgoing traffic on a web-based authenticated egress port in the unauthenticated state (using the
aaa port-access controlled-directions in command) is supported only if:
The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol
(RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining
a loop-free network.
The port is configured as an edge port in the network using the spanning-tree edge-port command.
For information on how to configure the prerequisites for using the aaa port-access
controlled-directions in command, see “Multiple Instance Spanning-Tree Operation”
in the Advanced Traffic Management Guide for your switch.
To display the currently configured controlled directions value for web-based authenticated
ports, enter the show port-access web-based config command.
The aaa port-access controlled-directions in command allows Wake-on-LAN
traffic to be transmitted on a web-based authenticated egress port that has not yet transitioned
to the authenticated state; the controlled-directions both setting prevents Wake-on-LAN traffic
from being transmitted on a web-based authenticated egress port until authentication occurs. The
Wake-on-LAN feature is used by network administrators to remotely power on a sleeping
workstation (for example, during early morning hours to perform routine maintenance
operations, such as patch management and software updates).
Using the aaa port-access controlled-directions in command, you can enable
the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured
for any of the following port-based security features:
802.1X authentication
MAC authentication
Web-based authentication
Because a port can be configured for more than one type of authentication to protect the
switch from unauthorized access, the last setting you configure with the aaa port-access
controlled-directions command is applied to all authentication methods configured
on the switch. For information about how to configure and use 802.1X authentication, see
“Port-Based and User-Based Access Control (802.1X)” (page 455).
When a web-based authenticated port is configured with the controlled-directions in setting,
eavesdrop prevention is not supported on the port.
Disable web-based authentication
Syntax
[no] aaa port-access web-based <port-list>
Enables web-based authentication on the specified ports. Use the no form of the
command to disable web-based authentication on the specified ports.
Specifying the VLAN
Syntax
aaa port-access web-based <port-list> [auth-vid <vid>]
[no] aaa port-access web-based <port-list> [auth-vid <vid>]
Specifies the VLAN to use for an authorized client. The RADIUS server can override
the value (if its accept response includes a VID). If auth-vid is 0, no VLAN changes
occur unless the RADIUS server supplies one.
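The two rules above that are easy to get wrong in practice are the prerequisites for controlled-directions in (spanning tree enabled plus an edge-port setting on each port, with the last controlled-directions setting applying to every authentication method) and the auth-vid precedence (RADIUS-supplied VID first, then auth-vid, with 0 meaning no VLAN change). The following audit script is an added example, not part of the guide and not HP software: it parses a constructed running-config fragment written with the command forms shown on this page, reports for each web-based authenticated port whether Wake-on-LAN can reach the client before authentication, flags ports missing a prerequisite, and resolves the client VLAN. The bare global spanning-tree enable line, the assumed both default for controlled-directions, and the comma-separated port-list handling are assumptions of the example.

```python
"""Audit a ProCurve-style running-config for the web-based authentication
prerequisites described on this page.  Added example (not from the guide);
the sample config is constructed, not captured from a real switch."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample running-config.  Port A2 deliberately lacks the
# edge-port setting; the second controlled-directions line overrides the first.
SAMPLE_CONFIG = """\
spanning-tree
spanning-tree A1 edge-port
aaa port-access authenticator A1
aaa port-access web-based A1,A2 auth-vid 20
aaa port-access web-based A3 auth-vid 0
aaa port-access controlled-directions both
aaa port-access controlled-directions in
"""


@dataclass
class ParsedConfig:
    spanning_tree: bool = False                 # assumption: bare 'spanning-tree' enables MSTP/RSTP
    controlled_directions: str = "both"         # assumption: factory default is 'both'
    edge_ports: Set[str] = field(default_factory=set)
    web_auth_vid: Dict[str, int] = field(default_factory=dict)   # port -> auth-vid (0 = none)


@dataclass
class PortReport:
    port: str
    auth_vid: int
    wol_before_auth: bool        # Wake-on-LAN can reach the port before the client authenticates
    eavesdrop_prevention: bool   # not supported on a port running with controlled-directions in
    issues: List[str] = field(default_factory=list)


def _ports(port_list: str) -> List[str]:
    # Assumption: comma-separated port names only; ranges such as A1-A4 are not expanded.
    return [p for p in port_list.split(",") if p]


def parse_config(text: str) -> ParsedConfig:
    cfg = ParsedConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "spanning-tree":
            cfg.spanning_tree = True
        elif m := re.fullmatch(r"spanning-tree (\S+) edge-port", line):
            cfg.edge_ports.update(_ports(m[1]))
        elif m := re.fullmatch(r"aaa port-access web-based (\S+)(?: auth-vid (\d+))?", line):
            vid = int(m[2]) if m[2] else 0
            for port in _ports(m[1]):
                cfg.web_auth_vid[port] = vid
        elif m := re.fullmatch(r"aaa port-access controlled-directions (in|both)", line):
            cfg.controlled_directions = m[1]   # the last setting wins for every auth method
    return cfg


def audit(cfg: ParsedConfig) -> Dict[str, PortReport]:
    """Check every web-based authenticated port against the stated prerequisites."""
    reports: Dict[str, PortReport] = {}
    wants_in = cfg.controlled_directions == "in"
    for port, vid in sorted(cfg.web_auth_vid.items()):
        issues: List[str] = []
        if wants_in and not cfg.spanning_tree:
            issues.append("MSTP/RSTP is not enabled (no 'spanning-tree' line)")
        if wants_in and port not in cfg.edge_ports:
            issues.append(f"missing 'spanning-tree {port} edge-port'")
        reports[port] = PortReport(
            port=port,
            auth_vid=vid,
            wol_before_auth=wants_in and not issues,
            eavesdrop_prevention=not wants_in,
            issues=issues,
        )
    return reports


def resolve_client_vlan(auth_vid: int, radius_vid: Optional[int]) -> Optional[int]:
    """VLAN for an authorized client: a RADIUS-supplied VID overrides auth-vid,
    and auth-vid 0 means 'no VLAN change' (None)."""
    if radius_vid is not None:
        return radius_vid
    return auth_vid or None


if __name__ == "__main__":
    for report in audit(parse_config(SAMPLE_CONFIG)).values():
        print(report, "->", resolve_client_vlan(report.auth_vid, None))
```

Run the script as-is to see the per-port report; feed it the output of show running-config from your own switch to audit real ports. A port that shows wol_before_auth False with an issue listed is one where the in setting is configured but silently ineffective, and any port with eavesdrop_prevention False is one where you have traded eavesdrop prevention for Wake-on-LAN reachability.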
Configuring web-based authentication 85