R0106-HP MSR Router Series Security Configuration Guide(V7)
For more information about configuring local authentication and RADIUS authentication, see
"Configuring AAA."
Authorization VLAN assignment
You can specify the authorization VLAN for a MAC authentication user to control access to authorized
network resources.
• On a RADIUS server, the authorization VLAN can be specified in the form of VLAN ID or VLAN
name.
• On the local access device, the authorization VLAN must be specified in the form of VLAN ID. You
can specify the authorization VLAN in the following views:
  ○ The view of the MAC authentication user.
  ○ The view of the user group to which the MAC authentication user belongs.
For more information about local authorization VLAN configuration, see "Configuring AAA."
When the MAC authentication user passes authentication, the authentication server (either the local
access device or a RADIUS server) assigns the authorization VLAN to the user.
The port through which the user accesses the device is assigned to the authorization VLAN. A hybrid port
is always assigned to a server-assigned authorization VLAN as an untagged member. After the
assignment, do not reconfigure the port as a tagged member in the VLAN.
Table 7 describes the way the network access device handles authorization VLANs for MAC
authenticated users.
Table 7 VLAN manipulation

Port type:
• Access port
• Trunk port
• Hybrid port with MAC-based VLAN disabled
VLAN manipulation:
The device assigns the first authenticated user's authorization VLAN to
the port as the PVID.
NOTE:
For these port types, you must assign the same authorization VLAN to
all MAC authentication users on a port. If a different authorization
VLAN is assigned to a subsequent user, the user cannot pass MAC
authentication.

Port type:
Hybrid port with MAC-based VLAN enabled
VLAN manipulation:
The device maps the MAC address of each user to the authorization
VLAN. The PVID of the port does not change. When a user logs off, the
MAC-to-VLAN mapping for the user is removed.
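The Table 7 rules modelled as a small pre-deployment check (an added example, not HP's code): it replays a planned list of authorization VLAN assignments and reports users who would fail MAC authentication because their VLAN differs from the first user's VLAN on the same port. The interface names, MAC addresses, starting PVID of 1 and the `hybrid-mac-vlan` label are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

SHARED_PVID_TYPES = {"access", "trunk", "hybrid"}  # hybrid = MAC-based VLAN disabled
MAC_VLAN_HYBRID = "hybrid-mac-vlan"                # hypothetical label: MAC-based VLAN enabled

@dataclass
class Port:
    name: str
    port_type: str
    pvid: int = 1                       # assumed starting PVID
    auth_vlan: Optional[int] = None     # VLAN assigned to the first authenticated user
    mac_to_vlan: Dict[str, int] = field(default_factory=dict)

    def authenticate(self, mac: str, vlan: int) -> bool:
        """Apply a server-assigned authorization VLAN; False means the user cannot pass."""
        if self.port_type == MAC_VLAN_HYBRID:
            self.mac_to_vlan[mac] = vlan        # per-MAC mapping, PVID does not change
            return True
        if self.port_type not in SHARED_PVID_TYPES:
            raise ValueError(f"unknown port type: {self.port_type}")
        if self.auth_vlan is None:
            self.auth_vlan = self.pvid = vlan   # first user's VLAN becomes the PVID
            return True
        return vlan == self.auth_vlan           # a different VLAN fails authentication

    def logoff(self, mac: str) -> None:
        """Remove the MAC-to-VLAN mapping (the only logoff behaviour Table 7 describes)."""
        self.mac_to_vlan.pop(mac, None)

def audit(plan):
    """Replay (port, type, mac, vlan) tuples in order; return (rejected users, port states)."""
    ports, rejected = {}, []
    for name, ptype, mac, vlan in plan:
        port = ports.setdefault(name, Port(name, ptype))
        if not port.authenticate(mac, vlan):
            rejected.append((name, mac, vlan, port.auth_vlan))
    return rejected, ports

# Constructed sample plan: interface names, MACs and VLAN IDs are illustrative only.
PLAN = [
    ("GE2/0/1", "access", "0011-2233-0001", 10),
    ("GE2/0/1", "access", "0011-2233-0002", 20),   # differs from first user's VLAN
    ("GE2/0/1", "access", "0011-2233-0003", 10),
    ("GE2/0/2", MAC_VLAN_HYBRID, "0011-2233-0004", 10),
    ("GE2/0/2", MAC_VLAN_HYBRID, "0011-2233-0005", 30),
]

if __name__ == "__main__":
    rejected, ports = audit(PLAN)
    for name, mac, vlan, expected in rejected:
        print(f"{name}: {mac} assigned VLAN {vlan}, port already uses VLAN {expected}")
```

Feeding the check with the per-port user-to-VLAN assignments planned on the RADIUS server or in local user views shows which ports need a single authorization VLAN before rollout.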
Feature and hardware compatibility
The MAC authentication feature is available only on the following ports:
The ports on the HMIM-24GSW/24GSWP and HMIM-8GSW Layer 2 switching modules installed on
MSR routers.
Configuration prerequisites
Before you configure MAC authentication, complete the following tasks: