BLADE OS™ Application Guide HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Version 5.1 Advanced Functionality Software
Table Of Contents
- Contents
- Figures
- Tables
- Preface
- Part 1: Basic Switching
- Accessing the Switch
- The Management Network
- Local Management Using the Console Port
- The Command Line Interface
- Remote Management Access
- Client IP Address Agents
- Securing Access to the Switch
- Setting Allowable Source IP Address Ranges
- RADIUS Authentication and Authorization
- TACACS+ Authentication
- LDAP Authentication and Authorization
- Secure Shell and Secure Copy
- Configuring SSH/SCP Features on the Switch
- Configuring the SCP Administrator Password
- Using SSH and SCP Client Commands
- SSH and SCP Encryption of Management Messages
- Generating RSA Host and Server Keys for SSH Access
- SSH/SCP Integration with Radius Authentication
- SSH/SCP Integration with TACACS+ Authentication
- End User Access Control
- Ports and Trunking
- Port-Based Network Access Control
- VLANs
- Spanning Tree Protocol
- RSTP and MSTP
- Link Layer Discovery Protocol
- Quality of Service
- Accessing the Switch
- Part 2: IP Routing
- Basic IP Routing
- Routing Information Protocol
- IGMP
- OSPF
- OSPF Overview
- OSPF Implementation in BLADE OS
- OSPF Configuration Examples
- Remote Monitoring
- Part 3: High Availability Fundamentals
- High Availability
- Layer 2 Failover
- Server Link Failure Detection
- VRRP Overview
- Failover Methods
- BLADE OS Extensions to VRRP
- Virtual Router Deployment Considerations
- High Availability Configurations
- High Availability
- Part 4: Appendices
- Index
BLADE OS 5.1 Application Guide
78 Chapter 3: Port-Based Network Access Control BMD00113, September 2009
Extensible Authentication Protocol over LAN
BLADE OS can provide user-level security for its ports using the IEEE 802.1X protocol, which is a
more secure alternative to other methods of port-based network access control. Any device attached
to an 802.1X-enabled port that fails authentication is prevented access to the network and denied
services offered through that port.
The 802.1X standard describes port-based network access control using Extensible Authentication
Protocol over LAN (EAPoL). EAPoL provides a means of authenticating and authorizing devices
attached to a LAN port that has point-to-point connection characteristics and of preventing access to
that port in cases of authentication and authorization failures.
EAPoL is a client-server protocol that has the following components:
Supplicant or Client
The Supplicant is a device that requests network access and provides the required credentials
(user name and password) to the Authenticator and the Authenticator Server.
Authenticator
The Authenticator enforces authentication and controls access to the network. The
Authenticator grants network access based on the information provided by the Supplicant and
the response from the Authentication Server. The Authenticator acts as an intermediary
between the Supplicant and the Authentication Server: requesting identity information from the
client, forwarding that information to the Authentication Server for validation, relaying the
server’s responses to the client, and authorizing network access based on the results of the
authentication exchange. The GbE2c acts as an Authenticator.
Authentication Server
The Authentication Server validates the credentials provided by the Supplicant to determine if
the Authenticator should grant access to the network. The Authentication Server may be
co-located with the Authenticator. The GbE2c relies on external RADIUS servers for
authentication.
Upon a successful authentication of the client by the server, the 802.1X-controlled port transitions
from unauthorized to authorized state, and the client is allowed full access to services through the
port. When the client sends an EAP-Logoff message to the authenticator, the port will transition
from authorized to unauthorized state.