Ethernet 802.1X configuration – HP

In this topic, you will learn how to configure selected HP switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

HP ProCurve (generic)

In this section, you will learn how to configure the HP ProCurve switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

Warning: This configuration might not work on all HP ProCurve models and firmware versions. To get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by HP on these topics for your particular device model and firmware version.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your individual RADIUS server addresses, ports, and keys, as well as device interfaces, limits, and VLANs by replacing the values that are presented as underlined italics.
  1. Specify a RADIUS server for authentication and accounting using the data of the Portnox Cloud US RADIUS server. 
    radius-server host 20.119.69.248 key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  auth-port 10322 acct-port 10323
  2. Specify a RADIUS server for authentication and accounting using the data of the Portnox Cloud EU RADIUS server. 
    radius-server host 52.232.122.157 key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  auth-port 10476 acct-port 10477
  3. Enable 802.1X authentication using EAP via a RADIUS server for port access. 
    aaa authentication port-access eap-radius
  4. Enable 802.1X authentication on ports 1 to 4. 
    aaa port-access authenticator 1-4
    1. Assign the clients authenticated on ports 1 to 4 to VLAN 10. 
      aaa port-access authenticator 1-4 auth-vid 10
    2. Set a limit of 20 clients that can authenticate on ports 1 to 4. 
      aaa port-access authenticator 1-4 client-limit 20
  5. Enable MAC-based authentication on ports 5 to 8. 
    aaa port-access mac-based 5-8
    1. Allow a maximum of 15 authenticated MAC addresses on ports 5 to 8. 
      aaa port-access mac-based 5-8 addr-limit 15
    2. Assign the devices authenticated based on the MAC address on ports 5 to 8 to VLAN 20. 
      aaa port-access mac-based 5-8 auth-vid 20
    3. Assigns the devices that were not authenticated on ports 5 to 8 to VLAN 30, segregating them from authenticated devices. 
      aaa port-access mac-based 5-8 unauth-vid 30
  6. Configure directional control.

    This command controls transmissions before authentication: both: inbound and outbound transmission is blocked, in: inbound traffic from the endpoint is blocked.

    aaa port-access 1-8 controlled-direction both
  7. Activate 802.1X on the switch. 
    aaa port-access authenticator active

Here is the entire example configuration for your convenience:

radius-server host 20.119.69.248 key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1 auth-port 10322 acct-port 10323
radius-server host 52.232.122.157 key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt auth-port 10476 acct-port 10477             
#
aaa authentication port-access eap-radius
#
aaa port-access authenticator 1-4
aaa port-access authenticator 1-4 auth-vid 10
aaa port-access authenticator 1-4 client-limit 20
#
aaa port-access mac-based 5-8
aaa port-access mac-based 5-8 addr-limit 15
aaa port-access mac-based 5-8 auth-vid 20
aaa port-access mac-based 5-8 unauth-vid 30
#
aaa port-access 1-8 controlled-direction both
aaa port-access authenticator active

HP 5130 HPE Comware 7

In this section, you will learn how to configure the HP 5130 HPE Comware 7 switch to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

Warning: We tested this configuration on HP 5130 HPE Comware 7 with firmware 7.1.045, release 3113P05. This configuration might not work on other HP Comware models and other firmware versions. To get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by HP on these topics for your particular device model and firmware version.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your individual RADIUS server addresses, ports, and keys, as well as device interfaces.
  1. Define a new RADIUS scheme in the configuration, which will be used to set up and reference specific RADIUS servers for authentication purposes.
    1. Create the new RADIUS scheme and name it portnox. 
      radius scheme portnox
    2. Specify the primary authentication server to be the Portnox Cloud US RADIUS server. 
      primary authentication 20.119.69.248 10322 key cipher rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
    3. Specify the primary accounting server to be the Portnox Cloud US RADIUS server. 
      primary accounting 20.119.69.248 10323 key cipher rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
    4. Specify the secondary authentication server to be the Portnox Cloud EU RADIUS server. 
      secondary authentication 52.232.122.157 10476 key cipher fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
    5. Specify the secondary accounting server to be the Portnox Cloud EU RADIUS server. 
      secondary accounting 52.232.122.157 10477 key cipher fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
    6. Enable the sending of Accounting-On messages from the switch to the RADIUS server, which are used to indicate the start of the RADIUS accounting session. 
      accounting-on enable
    7. Use a username format for RADIUS authentication that excludes the domain part of the username. 
      user-name-format without-domain
  2. Set the default domain and configure the default domain to use the RADIUS scheme created in the previous step for authentication, authorization, and accounting.
    1. Enable the default authentication domain on the switch and set it to use the system’s built-in authentication method. 
      domain default enable system
    2. Start the system domain configuration section 
      domain system
    3. Set the authentication method for LAN access to use the RADIUS scheme created before. 
      authentication lan-access radius-scheme portnox
    4. Set the authorization method for LAN access. 
      authorization lan-access radius-scheme portnox
    5. Set the accounting method for LAN access. 
      accounting lan-access radius-scheme portnox
  3. Enable 802.1X globally, set EAP as the 802.1X authentication method, and set the 802.1X timers to allow for a quicker MAC-based authentication (approximately 20 seconds from the initial EAPOL exchange).
    1. Enter the 802.1X configuration mode. 
      dot1x
    2. Configure the switch to use EAP as the method of authenticating devices using the 802.1X protocol. 
      dot1x authentication-method eap
    3. Turn on the quiet period in an 802.1X environment; a quiet period is a period during which the switch does not attempt to re-authenticate a client after a failed authentication attempt. 
      dot1x quiet-period
    4. Set the quiet period to 20 seconds. 
      dot1x timer quiet-period 20
    5. Set the transmission period timer for 802.1X authentication to 10 seconds – the switch will wait for 10 seconds between sending EAP request packets to a client when attempting to authenticate it. 
      dot1x timer tx-period 10
    6. Set up the switch to authenticate devices based on their MAC addresses. 
      mac-authentication
  4. Configure the switch interfaces for 802.1X and MAC-based authentication.
    Note: Trunks cannot be configured as 802.1X ports. Any port acting as a trunk/uplink should not be configured for 802.1X, as it will negatively impact network connectivity. 802.1X can only be configured on access ports.
    1. Configure 802.1X authentication on interface 0/1. 
      interface GigabitEthernet 0/1
    2. Configure the selected interface as an STP edge port, which assumes the port is connected to an end device and not another switch. 
      stp edged-port
    3. Enable 802.1X port-based network access control on the selected interface. 
      dot1x
    4. Disable the 802.1X handshake feature on the interface, meaning the switch will not perform an EAPOL handshake with the connected device for authentication. 
      undo dot1x handshake
    5. Do not trigger 802.1X authentication process on the interface in response to multicast traffic. 
      undo dot1x multicast-trigger
    6. Configure the interface to use the system domain for 802.1X authentication, making it mandatory for connected devices to authenticate against this specific domain. 
      dot1x mandatory-domain system
    7. Enable 802.1X authentication on the interface to be triggered by unicast traffic, starting the authentication process when such traffic is detected. 
      dot1x unicast-trigger
    8. Configure the interface to keep devices online (maintain their network access) even if the 802.1X authentication server becomes unreachable, but to re-authenticate the devices once the server is reachable again. 
      dot1x re-authenticate server-unreachable keep-online
    9. Enable MAC address-based authentication on the interface, allowing network access based on the MAC address of the connected device. 
      mac-authentication
    10. Set the MAC authentication on the interface to use the system domain, meaning MAC addresses will be authenticated against this specific domain. 
      mac-authentication domain system
    11. Configure MAC authentication to keep devices online if the authentication server becomes unreachable, but to re-authenticate them once the server is available again. 
      mac-authentication re-authenticate server-unreachable keep-online
    12. Enable periodic re-authentication of devices using MAC authentication, ensuring that their network access is periodically verified. 
      mac-authentication re-authenticate

Here is the entire example configuration for your convenience:

radius scheme portnox                
primary authentication 20.119.69.248 10322 key cipher rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
primary accounting 20.119.69.248 10323 key cipher rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
secondary authentication 52.232.122.157 10476 key cipher fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
secondary accounting 52.232.122.157 10477 key cipher fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
accounting-on enable
user-name-format without-domain
domain default enable system
domain system
authentication lan-access radius-scheme portnox
authorization lan-access radius-scheme portnox
accounting lan-access radius-scheme portnox
dot1x
dot1x authentication-method eap
dot1x quiet-period
dot1x timer quiet-period 20
dot1x timer tx-period 10
mac-authentication
interface GigabitEthernet 0/1
stp edged-port
dot1x
undo dot1x handshake
undo dot1x multicast-trigger
dot1x mandatory-domain system
dot1x unicast-trigger
dot1x re-authenticate server-unreachable keep-online
mac-authentication
mac-authentication domain system
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication re-authenticate