Access Security Guide K/KA/KB.15.15

Displays the currently configured web authentication settings for all switch ports or
specified ports and includes RADIUS server-specific settings, such as:
Timeout waiting period.
Number of timeouts supported before authentication login fails.
Length of time (quiet period) supported between authentication login attempts.
Figure 62 Show port-access mac-based config auth-server command output
Overview
Web-based and MAC authentication are designed for use at the "edge" of a network to
provide port-based security measures for protecting private networks and a switch from unauthorized
access. Because neither method requires clients to run special supplicant software (unlike 802.1X
authentication), both web and MAC authentication are suitable for legacy systems and temporary
access situations where introducing supplicant software is not an attractive option. Only a web
browser (for web-based authentication) or a MAC address (for MAC authentication) is required.
Both web and MAC authentication methods rely on a RADIUS server to authenticate network
access. This simplifies access security management by allowing the control of access from a master
database in a single server. Up to three RADIUS servers can be used for backup in case access
to the primary server fails. It also means the same credentials can be used for authentication,
regardless of which switch or switch port is the current access point into the LAN.
On a port configured for web-based or MAC authentication, the switch operates as a port-access
authenticator using a RADIUS server and the CHAP protocol. Inbound traffic is processed by the
switch alone, until authentication occurs. Some traffic from the switch to an unauthorized client is
supported (for example, broadcast or unknown destination packets) before authentication occurs.
About web and MAC authentication
Web-based authentication
The web-based authentication method uses a web page login to authenticate users for access to
the network. When a client connects to the switch and opens a web browser, the switch
automatically presents a login page.
NOTE: A proxy server is not supported for use by a browser on a client device that accesses the
network through a port configured for web-based authentication.
In the login page, a client enters a username and password, which the switch forwards to a RADIUS
server for authentication. After authenticating a client, the switch grants access to the secured
network. Besides a web browser, the client needs no special supplicant software.
MAC authentication
The MAC authentication method grants access to a secure network by authenticating the connecting
device itself. When a device connects to the switch, either by direct link or through the
network, the switch forwards the device's MAC address to the RADIUS server for authentication.
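The exchange just described, shown as an added example that is not part of this guide: the switch-side RADIUS Access-Request for a MAC-authenticated device (User-Name plus a CHAP-Password computed as RFC 2865 specifies) beside the check a RADIUS server performs on it. It assumes, since the guide does not say so, that the MAC address without separators serves as both the user name and the CHAP password, and that the server holds a list of permitted MAC addresses.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types from RFC 2865 (CHAP-Challenge is type 60).
ACCESS_REQUEST = 1
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60

def _attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def chap_response(chap_id, password, challenge):
    """CHAP response as RFC 2865 section 5.3 defines it: MD5(ID || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def build_mac_auth_request(mac, chap_id, challenge, pkt_id=1):
    """Access-Request an authenticator sends for a MAC-authenticated client.
    Assumption (not stated in the guide): the MAC address, without separators,
    serves as both User-Name and CHAP password."""
    ident = mac.replace(":", "").replace("-", "").lower().encode()
    request_authenticator = os.urandom(16)  # fresh 16 random bytes per Access-Request
    attrs = (_attr(USER_NAME, ident)
             + _attr(CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, ident, challenge))
             + _attr(CHAP_CHALLENGE, challenge))
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    return header + request_authenticator + attrs

def parse_attrs(packet):
    """Split the attribute section (after the 20-byte header) into {type: value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def server_verify(packet, known_macs):
    """RADIUS-server side: recompute the CHAP response for the claimed User-Name."""
    attrs = parse_attrs(packet)
    name, chap = attrs.get(USER_NAME, b""), attrs.get(CHAP_PASSWORD, b"")
    if name.decode(errors="replace") not in known_macs or len(chap) != 17:
        return False  # unknown device, or CHAP-Password is not ID + 16-byte hash
    challenge = attrs.get(CHAP_CHALLENGE, packet[4:20])  # else Request Authenticator
    return hmac.compare_digest(chap_response(chap[0], name, challenge), chap[1:])
```

Because the server only compares a hash of the MAC address it already knows, the strength of this method rests entirely on the device's MAC address, which is why the guide positions it for legacy and temporary access rather than as a substitute for 802.1X.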
98 Web-based and MAC authentication