not logged in | [Login]
Always use radiusd -X when debugging!
The content on this page refers to HP ProCurve switches only, not switching products from companies acquired by HP (3Com, H3C, Aruba).
The switch provides a local captive portal for credential entry. When the user submits their credentials, a hash of the password is then written to the CHAP-Password attribute.
When the switch receives a ethernet frame from a client which has not yet been authenticated, it copies the value of the ethernet SRC address field into the User-Name attribute of an Access-Request packet. The RADIUS server can then check the User-Name against a list of authorised Mac-Addresses.
Note: A hashed version of the SRC address is also inserted into the CHAP-Password attribute of Access-Request packets.
In normal operation the switch will attempt to authenticate the client every quiet-period (a configurable period measured in seconds). That is, when the client connects and either: The RADIUS server returns an Access-Reject, or the RADIUS server is Unreachable, the switch will retry authentication after quiet-period seconds.
The quiet-period timer will not fire if an unauth-vid is configured and the client transitions into the 'guest' state. The ASG manual for some products suggests that if the client falls into the 'guest' state because of RADIUS server timeout then they will be re-authenticated, but this was not implemented in software! Beware using the unauth-vid where switches rely on RADIUS servers for VLAN assignment. A RADIUS server failure or power outage could place all clients into the 'guest' state where they will not be able to recover without manual intervention.
The switch port acts as an 802.1X authenticator, encapsulating/de-encapsulating EAP-Messages as required , and forwarding them between the supplicant and RADIUS server.
When a supplicant connects, the switch will send an EAP Identity-Request packet to the suppliant, to prompt an authentication attempt. Alternatively the supplicant can initiate authentication by sending an EAP Start packet to the switch.
As the switch is only acting as a pass-through, any EAP Method may be used, so long as the final EAP-Message is an EAP-Success or EAP-Failure.
Example Packet (Access-Request):
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "hp-e-its-dev8021X-sw1"
User-Name = "user"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 2
NAS-Port-Type = Ethernet
NAS-Port-Id = "2"
Called-Station-Id = "00-14-38-fb-94-3e"
Calling-Station-Id = "00-18-8b-1f-ea-c3"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "700"
EAP-Message = 0x0201000a0175736572
Message-Authenticator = 0x5128a826dfedf51040215eb6fef398dfPort based mode is used when the 'client-limit' parameter of the 802.1X authenticator is not set.
In port based mode if a single authentication attempt on the port is successful, the port is fully opened and all packets are allowed to ingress.
Note: This mode may not work correctly when used concurrently with another authentication method.
Client based mode is a HP proprietary extension to the 802.1X standard, and is used when a 'client-limit' of 1 or more is configured for the 802.1X authenticator.
In client based mode a filtering table is maintained for each authenticated port. Only devices which have successfully completed 802.1X authentication have their Mac-Addresses added to the filtering table, so only packets from authenticated devices are allowed to ingress into the network. Multiple authentication sessions for different devices may run concurrently, and accounting information will be provided for each individual session.
In firmware (< H.10.74 or equivalent) the switch encapsulates the contents of the RADIUS Reply-Message attribute in an EAP-Notification packet, which it sends after the EAP-Success/Failure packet. Most supplicants deal with this ok (despite it breaking RFC 3579), but it causes WPA_Supplicant to restart authentication. If you're using 802.1X with older firmware, be sure to filter out the Reply-Message attribute in any Access-Accept packets containing an EAP-Message.
Switches running K and W code may include one or more instances of the HP-Capability-Advert VSA (Vendor 11, Type 255) in Access-Requests. This attribute defines the capabilities of the NAS, listing all 'special' RADIUS attributes it supports. The format of HP-Capability-Advert values is loosely based around the RFC 2865 attribute encoding format with the length and value fields stripped and a version field added.
| RADIUS Attribute | Times Used | Value String | Value |
|---|---|---|---|
| HP-Capability-Advert (11.255) | 0+ | Capability advertisement | Binary encoding of attribute type |
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Version | Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Version | Type | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont) | Vendor-Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ProCurve switches (>=2600) can run 802.1X authentication concurrently with either Web-Based or Mac-Based authentication on the same port. Though Web-Based and Mac-Based authentication cannot be used together.
When multiple port-access mechanisms are used, 802.1X based authentication always takes priority. That is, if a device has already authenticated via Mac-Based/Web-Based authentication, and then successfully completes 802.1X authentication, any accounting sessions open for Mac/Web based authentication will be closed, and the PVID assignment will reflect the VLAN assigned by the 802.1X authenticator.
If an 802.1X authenticated client sends an EAPOL-Logoff packet, the 802.1X session is terminated and the client will be re-authenticated using Web/Mac based authentication.
This usually results in the client being assigned the port-access authenticator unauth-vid after completing Mac/Web authentication. When you need to configure an unauth-vid with multiple authentication mechanisms, set the unauth-vid for the Mac/Web authenticator, not the 802.1X authenticator.
Note: Setting unath-vid for 802.1X when concurrent 802.1X/MAC authentication is enabled, is now prohibited in software versions >= H.10.79 or equivalent
Unauthorised VLAN - If no port-access authentication mechanisms have managed to successfully authenticate the device, the unauth-vid will be set as the PVID. Although the port will be shown as closed, traffic will be able to flow to/from the connected device on this VLAN. The idea behind this feature is to allow administrators to disseminate resources to connecting users (Installation packages for 802.1X supplicants, instructions etc...), allowing them to configure their computer for the local network and complete authentication successfully.
Authorised VLAN - If the client successfully completed authentication and no VLAN was specified by the RADIUS server, the auth-vid will be set as the PVID. If no VLAN was specified by the RADIUS server, and no auth-vid was set, the client is assigned to the untagged VLAN configured for the port.
When sending an Access-Accept packet the RADIUS server can specify which PVID should be assigned to the client. Most ProCurve switches that support dynamic VLAN assignment use the standard RFC3580 and [http://tools.ietf.org/html/rfc3580#section-3.31) attributes, allowing full control over the tagged and untagged VLANs set on a port.
The recommended approach for configuring both tagged and untagged VLANs, is to configure the untagged ingress/egress VLAN using RFC 3580 attributes, and use RFC 4675 attributes for tagged VLANs.
| RADIUS Attribute | Times Used | Description | Value String | Value |
|---|---|---|---|---|
| Tunnel-Type | 1 | Type of tunnel | VLAN | 13 |
| Tunnel-Medium-Type | 1 | Tunnel transport medium | IEEE-802 | 6 |
| Tunnel-Private-Group-Id | 1 | Numeric ingress/egress VLAN ID to be assigned |
If the specified Tunnel-Private-Group-Id matches a VLAN present on the switch, the PVID of the port the client is connected to will be temporarily altered to reflect the assigned PVID. At the end of the session the port will revert back to its static PVID assignment.
On session termination, the ports VLAN membership will revert back to it's statically assigned untagged VLAN. If the specified Tunnel-Private-Group-Id does not match a configured or learned VLAN, authentication will fail.
Exemple for single untagged VLAN, MAC-based:
"b0b867cf9b62" Cleartext-Password := "b0b867cf9b62"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 664This entry will assign the port to the single untagged VLAN of ID 664.
| RADIUS Attribute | Times Used | Description | Value String | Value |
|---|---|---|---|---|
| Egress-VLANID | 1-* | Allow egress traffic for specified VID | - | <tagged/untagged(0x31 or 0x32)>000<VLAN_ID (as hex)> |
| Egress-VLAN-Name | 1-* | Allow egress traffic for specified VLAN Name | - | <tagged/untagged(1 or 2)><VLAN Name String> |
| Ingress-Filters | 1 | Drop ingress traffic for VIDs not enabled for egress | Enabled | 1 |
| RADIUS Attribute | Times Used | Description | Value String | Value |
|---|---|---|---|---|
| HP-Egress-VLANID (11.64) | 1-* | Alternate VSA for Egress-VLANID | - | <tagged/untagged(0x31 or 0x32)>000<VLAN_ID (as hex)> |
| HP-Egress-VLAN-Name (11.65) | 1-* | Alternate VSA for Egress-VLAN-Name | - | <tagged/untagged(1 or 2)><VLAN Name String> |
The value of Egress-VLANID is a bit string, the first 8 bits specify whether the VLAN is tagged or untagged and must be either 0x31 (tagged) or 0x32 (untagged). The next 12 bits are padding 0x000, and the final 12 bits are the VLAN ID as an integer value. For example the value to set VLAN 17 as a tagged egress VLAN would be 0x31000011.
Note: It is not possible to specify the ingress untagged VLAN with RFC 4675 attributes, so RFC 3580 attributes must be used instead.
The default switching 'philosophy' of ProCurve switches is to filter ingress packets based on the egress VLAN membership of a port, this goes against the 802.1Q standard, which requires that frames be allowed to ingress, even if their tag does not match a VLAN the port is a member of. Supporting this attribute (i.e. allowing promiscuous ingress) would break the ProCurve switching philosophy, and so this attribute is ignored.
Exemple for single tagged VLAN, MAC-based:
"b0b867cf9b62" Cleartext-Password := "b0b867cf9b62"
Egress-VLANID = `%{expr: 0x31000000 + 451}`This entry will assign the port to the single tagged VLAN of ID 451. With use of an expr, it is possible to use integer addition to show the composition of the bit string, with the leading 0x31 for tagged VLAN, the 0x000 padding and the VLAN ID.
Exemple for single untagged and multiple tagged VLANs, MAC-based:
"b0b867cf9b62" Cleartext-Password := "b0b867cf9b62"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 664,
Egress-VLANID += `%{expr: 0x31000000 + 451}`,
Egress-VLANID += `%{expr: 0x31000000 + 452}`,
Egress-VLANID += `%{expr: 0x31000000 + 453}`,
Egress-VLANID += `%{expr: 0x31000000 + 454}`
This entry will assign the port to the single untagged VLAN of ID 664 and to four tagged VLANs of IDs 451 to 454. Note the use of the += operator for multiple instances of the same attribute.
| RADIUS Attribute | Times Used | Description | Value String | Value |
|---|---|---|---|---|
| HP-COS (11.40) | 1 | Assign 802.1p priority to all inbound packets on port | - | <CoS_0><CoS_1><CoS_2><CoS_3><CoS_4><CoS_5><CoS_6><Cos_7> |
The VSA 'HP-COS' or the RFC 4674 attribute 'User-Priority-Table' can be used to write an 802.1p CoS value into the 802.1Q header of all packets received on port-access authenticator enabled port. This attribute should contain the desired CoS priority (as a string) repeated 8 times. The reason for the repetition is that this attribute is meant to form a map to translate different COS priorities in packets egressing on the port. Unfortunately this feature has not yet been implemented in hardware, so whatever value is used for the first (left most) byte is applied for all priorities.
If the packet ingresses into the switch from the client on an untagged VLAN, the priority assigned to CoS_0 will be used.
If the packet then egresses from the switch as a tagged VLAN, the switch will honour the CoS value and forward the packet with the CoS value written into the 802.1Q header.
If the packet egresses from the switch as an untagged VLAN, the switch will honour the CoS value, but forward the packet with no CoS value attached. This is because the CoS value can only be written to the 802.1Q header, which is stripped if the packet is forwarded untagged.
802.1p based QoS is enabled by default on ProCurve switches, and cannot be disabled (except on I & M F/W switches). The eight possible 802.1p priority values are aggregated into four port-based outbound queues, which are applied as the packet egresses from the switch.
| 802.1p Value | Traffic classification (recommended) | Outbound Queue | Queue priority |
|---|---|---|---|
| 1 | Background | 1 | Low |
| 2 | Spare | 1 | Low |
| 0 | Best Effort | 2 | Normal |
| 3 | Excellent Effort | 2 | Normal |
| 4 | Controlled Load | 3 | High |
| 5 | Video | 3 | High |
| 6 | Voice | 4 | Critical |
| 7 | Network Control | 4 | Critical |
Note: On K series the 8 802.1p priorities are not aggregated and map to 8 different queues
Note: HP-COS attribute is honoured by both the WMA and the 802.1X authenticator, although the 'show port-access mac-based' command in some branches does not show the override.
Note: There's no way to write a CodePoint value to the DiffServ/ToS field of IPv4 packets using dynamic assignment. HP-COS affects 802.1p priority only.
This feature is available on all platforms >=2600 series. When DHCP-Snooping and WMA/802.1X are enabled concurrently the IP address of the client learned in by DHCP-Snooping is included in the Framed-IP-Address attribute of all Accounting-Request packets.
In the current implementation this introduces a delay of ~60 seconds between the client being authenticated and the first Accounting Start packet being sent.
Unfortunately there is no method to disable this bridging feature so if reliable accounting times are required it is recommended not to enable DHCP-Snooping.
| RADIUS Attribute | Times Used | Description | Value String | Value |
|---|---|---|---|---|
| Framed-IP-Address | 1 | IP Address learned via DHCP-Snooping | - | <ip_oct1>.<ip_oct2>.<ip_oct3>.<ip_oct4> |
Note: The Acct-Delay-Time attribute included in Accounting-Requests is not properly incremented, so accounting times really will be off by ~60 seconds
In addition to being able to assign statically configured VLANs, GVRP learned VLANs are also available for dynamic assignment.
conf
aaa port-access gvrp-vlans
int <authenticated port range> unknown-vlans disable
exitThe default setting for the interface unknown-vlan option is learn, this allows GVRP enabled clients to gain access to additional tagged VLANs once the port is in an open state. This is often undesirable from a security standpoint, so the unknown-vlan option should be set to disable on all port-access authenticated edge ports.
Note: If a GVRP VLAN is no longer advertised to the switch, all clients assigned that VLAN will be forced to re-authenticate.
On most HP Procurve switches there are two levels of authorised access, ‘Operator’ access and ‘Manager’ access.
Operator access allows the user to view most of the vital stats of the switch (using the show commands), but will not allow them to make any potentially dangerous changes (such as modify the configuration).
Manager (enabled) access allows the user to perform any supported operation.
When a user attempts to authenticate, the users password is encrypted (using a shared secret between the NAS and RADIUS server) and sent in an access request packet as the User-Password attribute. The username is sent as the User-Name attribute, along with a desired Service-Type. Most ProCurve switches only support PAP for authentication on their management interfaces, though as of K.13.51, PEAP-MSCHAPv2 is supported as an authentication method for management on K branch switches.
Example (PAP Login):
User-Name = "user"
User-Password = "pasphrase"
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "hp-e-its-dev8021X-sw1"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-UserExample (PAP Enable):
User-Name = "user"
User-Password = "pasphrase"
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "hp-e-its-dev8021X-sw1"
NAS-Port-Type = Virtual
Service-Type = Administrative-UserTypically the request Service-Type will be NAS-Prompt-User, however if the user either demotes themselves by exiting the administrative session, and tries to escalate themselves to manager; or logs in as an operator and tries to escalate to manager; the switch will send Administrative-User as the requested Service-Type.
The RADIUS server will then authenticate the user and respond with either an Access-Accept or Access-Reject packet. For authentication to succeed, Access-Accept packets must also contain a Service-Type attribute corresponding to the desired privilege level.
| Access Level | RADIUS Attribute | Times Used | Description | Value String | Value |
|---|---|---|---|---|---|
| Operator | Service-Type | 1 | The user should be provided a command prompt on the NAS from which non-privileged commands can be executed. | NAS-Prompt-User | 7 |
| Manager | Service-Type | 1 | The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed. | Administrative-User | 6 |
| No Access/Access reject | Service-Type | 1 | To deny access, either send an Access-Reject, or omit the Service-Type attribute (only works when Privilege-Mode is enabled). | - | - |
With all newer (>2600) ProCurve switches, the switch can be instructed to respect the Service-Type sent back from the RADIUS server. In older models an administrator would first authenticate to gain access to the switch, and then again when enabling administrative commands.
Note: The privilege-mode feature is not included in the 2500/6108 series.
conf
aaa authentication login privilege-mode
exitWith all newer (>2600) ProCurve switches, the switch can send all commands executed during a session to a RADIUS server in the form of Accounting-Request (Interim-Update) packets.
The command executed will be written to the HP-Command-String VSA.
Note: The account command logging feature is not included in the 2500/6108 series.
Example:
User-Name = "user"
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "hp-e-its-dev8021x-sw1"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.0.2"
Acct-Status-Type = Interim-Update
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
HP-Command-String = "show system-information"
Acct-Delay-Time = 0conf
aaa accounting commands stop-only radius
exitRFC3576 operation is currently supported on all K and W branch switches. It is considered to be a 'premium' feature, so is unlikely to be backported, or included in lower end switch models.
A RADIUS request with a Code of either 40 (Disconnect Request) or 43 (CoA Request) is sent to UDP port 3799 (default) on the switch. This request must include attributes that identify the NAS, attributes that identify the session, and in the case of CoA, attributes that form the new authorisation profile. RFC 3576 also recommends that an Event-Timestamp attribute be present for replay protection purposes, and that there be a maximum (default) delta of 300 seconds between the NAS time and the Event-Timestamp attribute included in the request.
Note: HP switches will silently discard any CoA or DM requests that do not have a valid Event-Timestamp attribute, this behaviour may be disabled on a server by server basis (see below for example).
All CoA/DM requests must contain at least one set of Session-Identification attributes.
| RADIUS Attribute | Times Used | Description | Value String | Value |
|---|---|---|---|---|
| User-Name | 1 | User-Name provided in Access-Accept, or used in Authentication | - | <user-name> |
| Acct-session-Id | 1 | Accounting session ID provided in Accounting-Requests | - | <session_id> |
OR
| RADIUS Attribute | Times Used | Description | Value String | Value |
|---|---|---|---|---|
| User-Name | 1 | User-Name provided in Access-Accept, or used in Authentication | - | <user-name> |
| Calling-Station-Id | 1 | Clients Mac-Address (hyphens must be used to delimit octets) | - | <oct1>-<oct2>-<oct3>-<oct4>-<oct5>-<oct6> |
OR
| RADIUS Attribute | Times Used | Description | Value String | Value |
|---|---|---|---|---|
| User-Name | 1 | User-Name provided in Access-Accept, or used in Authentication | - | <user-name> |
| Calling-Station-Id | 1 | Clients Mac-Address (hyphens must be used to delimit octets) | - | <oct1>-<oct2>-<oct3>-<oct4>-<oct5>-<oct6> |
| NAS-Port-Id | 1 | Port on which the client is authenticated e.g. 1 or A1 (modular) | - | <port> |
If using Mac-Auth the User-Name attribute must match the User-Name provided in the Access-Request.
All CoA/DM requests must contain at least one NAS-Identification attribute (NAS-IP-Address appears to be the only one supported so far).
| RADIUS Attribute | Times Used | Description | Value String | Value |
|---|---|---|---|---|
| NAS-IP-Address | 1 | Source IP for RADIUS requests (sent from the switch) | - | <ip-address> |
At least one of these attribute/attribute sets must be present in the CoA request else the NAS will return a CoA-NAK (Missing-Attribute). No authorisation attributes must be included in the disconnect message else the NAS will return a DM-NAK (Unsupported-Attribute).
| RADIUS Attribute | Times Used | Description |
|---|---|---|
| Session-Timeout | 1 | Number of seconds between client re-authentication (integer) |
| Tunnel-Type=VLAN,Tunnel-Medium-Type=IEEE-802,Tunnel-Private-Group-Id= | 1 | PVID assignment/alteration |
| Egress-VLANID | 1+ | Tagged VLAN assignment (octets) |
| Egress-VLAN-Name | 1+ | Tagged VLAN assignment (string) |
| HP-Bandwidth-Max-Ingress | 1 | Percentage of port bandwidth allowed for ingress |
| HP-Bandwidth-Max-Egress | 1 | Percentage of port bandwidth allowed for engress |
| HP-NAS-Filter-Rule | 1+ | ACE (multiple attribtues form ACL) applied to client |
Note: ProCurve switches do not support reauthorization using the "Service-Type = Authorization-Only" AVP
conf
radius-server host <coa_originator_ip> key <coa_key>
radius-server host <coa_originator_ip> dyn-authorization
exitconf
radius-server host <auth_server_ip> key <auth_key>
radius-server host <coa_originator_ip> key <coa_key>
radius-server host <coa_originator_ip> dyn-authorization
aaa server-group radius 'rad_auth' host <auth_server_ip>
aaa authentication port-access eap-radius server-group 'rad_auth'
# repeat for other authentication methods
aaa accounting network start-stop radius 'rad_auth'
# repeat for other accounting methods
exitconf
radius-server host <coa_originator_ip> time-window 0
exitecho "NAS-IP-Address = 172.0.0.1,\
User-Name = 'example_user',\
NAS-Port = 1,\
Calling-Station-Id = '00-10-00-10-00-10'" | radclient 172.0.0.1:3799 40 testing123
Received response ID 114, code 41, length = 32
Event-Timestamp = "Sep 2 2018 10:26:40 PDT"
Acct-Terminate-Cause = Admin-ResetThis changes example_user's PVID to 2 and remaps all incoming 802.1p priorities to 7.
echo "User-Name = 'example_user',\
Acct-Session-Id = '000100006F',\
Tunnel-Type = VLAN,\
Tunnel-Medium-Type = IEEE-802,\
Tunnel-Private-Group-Id = '2',\
HP-COS = '7777777'" | radclient 172.0.0.1:3799 43 testing123
Received response ID 193, code 44, length = 26
Event-Timestamp = "Sep 2 2018 10:42:29 PDT"You must have manager access on the target switch and have entered configuration mode to run the following commands.
Most ProCurve wired switches >= 2600 series will support all or a subset of these commands.
radius-server host <radius_server_ip1> auth-port 1812 acct-port 1813
radius-server host <radius_server_ip2> auth-port 1812 acct-port 1813radius-server key <radius_shared_secret>aaa authentication port-access eap-radius
aaa port-access gvrp-vlansNote: Enabling the use of GVRP vlans is optional.
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication login privilege-modeaaa port-access authenticator <port range>
aaa port-access authenticator <port range> logoff-period 862400
aaa port-access authenticator <port range> quiet-period 30
aaa port-access authenticator <port range> client-limit 1
aaa port-access authenticator active
aaa port-access mac-based <port range>
aaa port-access mac-based <port range> logoff-period 862400
aaa port-access mac-based <port range> quiet-period 30
# This improves compatibility with devices that use WOL
aaa port-access <port range> controlled-direction inaaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
aaa accounting update periodic 15If dual authentication is used with different logoff-period timer values, timer behaviour is unpredictable. In older versions of K series firmware, and all other branches, the logoff-period timer for both 802.1X and WMA was implemented using a single H/W timer. If different values were used for the logoff-period timers in 802.1X and WMA, the timer would reflect the value set by the last authenticator to be initialised. For predictable behavior it is higly recommended that the same value be used for both, if either of the authenticator logoff-period timers are changed from their default of 300 seconds.
The use of port-based 802.1X and WMA concurrently is not recommended, not well supported, and not allowed in recent versions of K branch software. It is recommended to set a 802.1X client limit of 1 or more when using concurrent authentication. This puts the port into client-based 802.1X mode.
The default logoff-period is too low for embedded devices such as printers that may 'sleep' for long periods; if the value is not increased devices that enter a sleep/power-saving mode may become unreachable. It's recommended that devices using Mac-Auth also run a DHCP client, to ensure that they periodically wake up and send packets to the authenticating switch, thus keeping their session alive.
For security reasons it's better to implement dual authentication with 802.1X and Mac-Auth instead of configuring an unauth-vid. This allows the RADIUS server ultimate control over whether data from a device is allowed to ingress onto the network.
Many, always update to the latest firmware.
Last edited by Emmanuel Halbwachs (ehalbwachs), 2019-01-14 21:43:41
Sponsored by Network RADIUS 