Hp Procurve Dhcp Snooping


In this article you will find a list of configuration commands for HP ProCurve switches.

Brief explanations are given along the way.

Basic configuration

Entering and leaving configuration mode

Saving the configuration

Displaying the configuration

Rebooting

Hostname

User and password

The manager has full rights. The operator has limited rights (show commands, access to the logs, read-only rights, etc.).

SSH and Telnet

Console access

The time is given in minutes. "0" means the session never expires.

Web access

SFTP

TFTP

Banner

AAA RADIUS

AAA TACACS+

Port configuration

Enabling / disabling

Configuring a description

Speed and duplex

Broadcast limiting

Port security

Commands

Explanations

The Learn-mode parameter defines how MAC addresses are learned:

  • Continuous: the default mode. The switch learns the MAC addresses of the frames it receives. Once the Age-Time is reached, they are removed. An Address-Limit cannot be configured.
  • Limited-continuous: similar to continuous mode, but a MAC address limit can be configured.
  • Static: the authorised MAC addresses are specified by hand. If the limit has not been reached, the switch can still learn addresses (e.g. if the limit is 5 and 3 addresses have been configured, the switch can still learn 2 more addresses).
  • Configured: similar to Static mode. If the limit has not been reached, the switch cannot learn new addresses (e.g. if the limit is 5 and 3 addresses have been configured, the switch cannot learn any more addresses).
  • Port-Access: allows authentication to be configured.

The Address-Limit parameter sets the maximum number of addresses the switch may learn on a port.

The Action parameter defines what the switch does once the limit is reached:

  • None: the switch drops frames whose source address has not been learned (e.g. the limit is 5 and the switch has learned 5 addresses, so a frame with an unknown source address is dropped).
  • Send-alarm: generates an alert.
  • Send-disable: blocks the port.

The Mac-Address parameter specifies by hand the addresses the switch must know (useful for the Static and Configured modes).

The Age-Time parameter sets the time after which unused addresses are forgotten (default: 300 minutes).

The Eavesdrop-Prevention parameter prevents a computer from seeing unicast traffic that is not destined for that port. When the parameter is enabled and a frame arrives at the port, the switch compares the destination address with the addresses authorised on the port. Multicast and broadcast traffic is not affected.
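To make the Learn-mode, Address-Limit and Action semantics above concrete, here is an added Python model of the port-security decision. It is example code, not part of the original guide or of the switch firmware; the class and method names, the rule that an unknown address in Configured mode counts as a violation, and the MAC addresses in the demo are assumptions of the example.

```python
# Added example (not from the original guide): a small model of the
# port-security semantics described above. Class/method names and the
# sample MAC addresses are constructed for the illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PortSecurity:
    learn_mode: str = "continuous"   # continuous | limited-continuous | static | configured
    address_limit: Optional[int] = 1  # maximum addresses known on the port (None = unlimited)
    action: str = "none"             # none | send-alarm | send-disable
    mac_address: set = field(default_factory=set)   # addresses configured by hand
    learned: set = field(default_factory=set)       # addresses learned from traffic
    alarms: list = field(default_factory=list)      # source MACs that triggered an alarm
    disabled: bool = False                          # set by send-disable

    def __post_init__(self):
        if self.learn_mode == "continuous":
            self.address_limit = None   # no Address-Limit can be configured in this mode
        elif self.address_limit is not None and len(self.mac_address) > self.address_limit:
            raise ValueError("more configured addresses than address-limit")

    def known(self):
        return self.mac_address | self.learned

    def _can_learn(self):
        if self.learn_mode == "configured":
            return False   # only the configured addresses are ever accepted
        if self.address_limit is None:
            return True
        return len(self.known()) < self.address_limit

    def receive(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        if self.disabled:
            return False
        if src_mac in self.known():
            return True
        if self._can_learn():
            self.learned.add(src_mac)
            return True
        # Limit reached (or Configured mode): the frame is dropped and the
        # configured Action is applied. Treating an unknown address in
        # Configured mode as a violation is an assumption of this model.
        if self.action == "send-alarm":
            self.alarms.append(src_mac)
        elif self.action == "send-disable":
            self.alarms.append(src_mac)
            self.disabled = True
        return False


def demo():
    """Static mode, limit 5, three addresses configured: two more can be learned."""
    port = PortSecurity(learn_mode="static", address_limit=5, action="send-alarm",
                        mac_address={"00-11-22-33-44-01", "00-11-22-33-44-02",
                                     "00-11-22-33-44-03"})
    results = [port.receive(m) for m in ("00-11-22-33-44-04", "00-11-22-33-44-05",
                                         "00-11-22-33-44-06")]
    return results, list(port.alarms)
```

The demo reproduces the worked example in the text: with a limit of 5 and 3 configured addresses, the fourth and fifth source MACs are learned and the sixth is dropped with an alarm.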

Verification

VLAN configuration

Increasing the maximum number of VLANs

Creating a VLAN

Deleting a VLAN

Assigning a VLAN to a port

Untagged corresponds to Cisco's access mode. Frames are not tagged when sent through the port.

Tagged mode corresponds to Cisco's trunk mode. Frames are tagged with the VLAN number when sent through the port.

Voice VLAN

Verification

IP configuration

VLAN interface

Default gateway

DNS

Spanning Tree configuration

Enabling Spanning Tree

MSTP

Basic parameters.

Assigning VLANs to an instance.

Forcing the switch to be Root Bridge for an instance.

RSTP

Forcing the switch to be Root Bridge

The switch priority becomes 4096.

Admin-Edge-Port (PortFast)

Admin-Edge-Port is the equivalent of Cisco's PortFast. It is a setting to apply on ports facing PCs. Here ports 1 to 10 are configured as Admin-Edge-Ports.

Cost and priority

Root Guard

Root Guard prevents a switch behind this port from becoming Root Bridge.

BPDU Protection

With BPDU Protection, if a BPDU is received on the port, the port is disabled. A time after which the port is re-enabled (Timeout) can be configured.

BPDU Filter

BPDU Filter prevents BPDUs from being sent or received on the port. The port continues to forward traffic.

Loop Protection

Verification

Link aggregation

Prerequisites on the ports of the aggregation:

  • No VLAN
  • Same speed and duplex mode
  • No Loop Protect

Static aggregation

Aggregation without a negotiation protocol (equivalent to Cisco's mode ON).

LACP

Aggregation with LACP negotiation in Passive mode (an aggregation is formed if the facing port is in Active mode; otherwise nothing happens).

Aggregation with LACP negotiation in Active mode (an aggregation is formed if the facing port is in Passive or Active mode; otherwise nothing happens).

Aggregation configuration

Verification

VRRP

Active switch

It is preferable to configure both switches in Backup mode and assign a higher priority to one of them. This allows IP A to be assigned to the first switch, IP B to the second, and IP C as the virtual gateway IP.

When configuring one switch as Owner and one as Backup, the Owner switch must hold the virtual gateway IP.

Standby switch

Verification

ACL configuration

Standard ACL: 1 to 100 or named.

Extended ACL: 100 to 199 or named.

A Deny All sits at the end of every ACL.

Applying the ACL to a VLAN.

Verification.

Configuring an access restriction

Only the IPs identified in the IP Authorized-Manager commands can access the switch's configuration interfaces.

NTP / SNTP configuration

NTP client

SNTP client

SNMP configuration

SNMP v1 and v2

Enabling / disabling SNMP.

Configuring the community.

Entering the switch information.

Authorising SNMP queries to the switch.

Configuring a host to which traps are sent.

Verification.

SNMPv3

Enabling.

Setting up access.

Entering the switch information.

Verification.

Syslog

DHCP Snooping

DHCP Snooping is a feature that filters DHCP messages on a switch. Ports can be configured in Trusted mode (a DHCP server may sit behind the port and send DHCP-ACK and DHCP-OFFER messages) or in Untrusted mode (no DHCP server may sit behind the port).

This prevents an intruder from impersonating a DHCP server. In addition, the switch keeps a record of the IP addresses assigned to the various MAC addresses.

Enabling DHCP Snooping globally.

Authorising a DHCP server.

Enabling DHCP Snooping on a VLAN.

Configuring an interface in Trusted mode (interfaces are untrusted by default).

Verification.
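As an added illustration (not from the original guide, and not switch code), the following Python model applies the DHCP snooping rules described above to a constructed exchange: server messages are only accepted from Trusted ports and, when a server list is configured, only from authorised servers, and each DHCP-ACK populates the MAC-to-IP binding table. The message layout (one dict per DHCP packet), the port names, the addresses and the "release only from the binding's own port" check are assumptions of the example.

```python
# Added example (not from the original guide): a model of DHCP snooping as
# described above. The message layout, the port names and the sample exchange
# are constructed for the illustration.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooper:
    def __init__(self, snooping_vlans, trusted_ports, authorized_servers=()):
        self.snooping_vlans = set(snooping_vlans)
        self.trusted_ports = set(trusted_ports)            # all other ports are untrusted
        self.authorized_servers = set(authorized_servers)  # empty set: no server filter
        self.pending = {}    # (vlan, client_mac) -> port the client's request arrived on
        self.bindings = {}   # (vlan, client_mac) -> {"ip": ..., "port": ...}
        self.dropped = []    # (reason, message), kept for verification/logging

    def process(self, msg):
        """Filter one DHCP message; return True if it is forwarded, False if dropped."""
        vlan, port, kind = msg["vlan"], msg["port"], msg["type"]
        if vlan not in self.snooping_vlans:
            return True   # snooping not enabled on this VLAN: forward untouched
        key = (vlan, msg["client_mac"])
        if kind in SERVER_MESSAGES:
            # Server-side messages are only accepted from trusted ports ...
            if port not in self.trusted_ports:
                self.dropped.append(("server message on untrusted port", msg))
                return False
            # ... and, when a server list is configured, only from listed servers.
            if self.authorized_servers and msg["server_id"] not in self.authorized_servers:
                self.dropped.append(("unauthorised DHCP server", msg))
                return False
            if kind == "ACK" and key in self.pending:
                # Record the lease: the binding ties IP, MAC, VLAN and the client's port.
                self.bindings[key] = {"ip": msg["yiaddr"], "port": self.pending.pop(key)}
            return True
        # Client-side messages (DISCOVER/REQUEST/RELEASE).
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[key] = port
        elif kind == "RELEASE":
            # Only the port holding the binding may release it (modelled check).
            binding = self.bindings.get(key)
            if binding is None or binding["port"] != port:
                self.dropped.append(("release from wrong port", msg))
                return False
            del self.bindings[key]
        return True


def demo_exchange():
    """Constructed exchange: port 24 is the uplink to the legitimate DHCP server."""
    snoop = DhcpSnooper(snooping_vlans={10}, trusted_ports={"24"},
                        authorized_servers={"192.0.2.1"})
    mac = "00-11-22-33-44-55"
    traffic = [
        {"vlan": 10, "port": "3", "type": "DISCOVER", "client_mac": mac},
        # OFFER from a rogue server on an untrusted access port
        {"vlan": 10, "port": "7", "type": "OFFER", "client_mac": mac,
         "yiaddr": "192.0.2.99", "server_id": "192.0.2.250"},
        {"vlan": 10, "port": "24", "type": "OFFER", "client_mac": mac,
         "yiaddr": "192.0.2.50", "server_id": "192.0.2.1"},
        {"vlan": 10, "port": "3", "type": "REQUEST", "client_mac": mac},
        {"vlan": 10, "port": "24", "type": "ACK", "client_mac": mac,
         "yiaddr": "192.0.2.50", "server_id": "192.0.2.1"},
        # ACK from a server that is not on the authorised list, even though the port is trusted
        {"vlan": 10, "port": "24", "type": "ACK", "client_mac": mac,
         "yiaddr": "192.0.2.60", "server_id": "192.0.2.2"},
    ]
    forwarded = [snoop.process(m) for m in traffic]
    return forwarded, snoop.bindings, [reason for reason, _ in snoop.dropped]
```

The dropped list is what a practitioner would forward to syslog: each rejected message names the port it came from, which is the first thing to check when a rogue server is suspected.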

Port Mirroring

Destination port for the replicated traffic.

Port through which the traffic of interest passes. The keyword Both means that both inbound and outbound traffic is replicated.

Remote Port Mirroring

Switch carrying the traffic of interest

Destination switch

Verification

Routing configuration

Enabling routing

Creating a default route

LLDP / CDP

SFTP configuration

This configuration enables the SFTP protocol on the switch (for copying files). The TFTP protocol is then automatically disabled.

PoE

PoE is enabled by default.

802.1X Ethernet

RADIUS configuration

Configuring the ports concerned

Specific settings (VLAN in case of failed authentication, and client limit)

Enabling authentication

Verification

DHCP Relay

RIP

OSPF

Show commands

Here are a few miscellaneous show commands.

The content on this page refers to HP ProCurve switches only, not switching products from companies acquired by HP (3Com, H3C, Aruba).

Port authentication mechanisms

Web-Based

The switch provides a local captive portal for credential entry. When the user submits their credentials, a hash of the password is then written to the CHAP-Password attribute.

Mac-Based

When the switch receives an Ethernet frame from a client which has not yet been authenticated, it copies the value of the Ethernet source address field into the User-Name attribute of an Access-Request packet. The RADIUS server can then check the User-Name against a list of authorised MAC addresses.

Note: A hashed version of the SRC address is also inserted into the CHAP-Password attribute of Access-Request packets.

In normal operation the switch will retry authenticating the client every quiet-period (a configurable period measured in seconds). That is, when the client connects and either the RADIUS server returns an Access-Reject or the RADIUS server is unreachable, the switch will retry authentication after quiet-period seconds.

Beware using guest VLANs with mac-based authentication and dynamic VLAN assignment

The quiet-period timer will not fire if an unauth-vid is configured and the client transitions into the 'guest' state. The ASG manual for some products suggests that if the client falls into the 'guest' state because of a RADIUS server timeout it will be re-authenticated, but this was not implemented in software. Beware using the unauth-vid where switches rely on RADIUS servers for VLAN assignment: a RADIUS server failure or power outage could place all clients into the 'guest' state, from which they cannot recover without manual intervention.

802.1X

The switch port acts as an 802.1X authenticator, encapsulating/de-encapsulating EAP-Messages as required, and forwarding them between the supplicant and the RADIUS server.

When a supplicant connects, the switch will send an EAP Identity-Request packet to the supplicant to prompt an authentication attempt. Alternatively the supplicant can initiate authentication by sending an EAP Start packet to the switch.

As the switch is only acting as a pass-through, any EAP Method may be used, so long as the final EAP-Message is an EAP-Success or EAP-Failure.

Example Packet (Access-Request):

Port-Based Mode

Port based mode is used when the 'client-limit' parameter of the 802.1X authenticator is not set.

In port based mode if a single authentication attempt on the port is successful, the port is fully opened and all packets are allowed to ingress.

Note: This mode may not work correctly when used concurrently with another authentication method.

Client-Based Mode

Client based mode is an HP proprietary extension to the 802.1X standard, and is used when a 'client-limit' of 1 or more is configured for the 802.1X authenticator.

In client based mode a filtering table is maintained for each authenticated port. Only devices which have successfully completed 802.1X authentication have their MAC addresses added to the filtering table, so only packets from authenticated devices are allowed to ingress into the network. Multiple authentication sessions for different devices may run concurrently, and accounting information will be provided for each individual session.

In earlier firmware, Reply-Messages were encapsulated as EAP-Notification packets.

In firmware older than H.10.74 (or equivalent) the switch encapsulates the contents of the RADIUS Reply-Message attribute in an EAP-Notification packet, which it sends after the EAP-Success/Failure packet. Most supplicants deal with this fine (despite it breaking RFC 3579), but it causes wpa_supplicant to restart authentication. If you're using 802.1X with older firmware, be sure to filter out the Reply-Message attribute in any Access-Accept packets containing an EAP-Message.

ProCurve port authentication special features

Capability advertisements

Switches running K and W code may include one or more instances of the HP-Capability-Advert VSA (Vendor 11, Type 255) in Access-Requests. This attribute defines the capabilities of the NAS, listing all 'special' RADIUS attributes it supports. The format of HP-Capability-Advert values is loosely based around the RFC 2865 attribute encoding format with the length and value fields stripped and a version field added.

RADIUS Attribute | Times Used | Value String | Value
HP-Capability-Advert (11.255) | 0+ | Capability advertisement | Binary encoding of attribute type

Encoding - Standard attributes

Encoding - Vendor specific attributes

Dual Authentication

ProCurve switches (>=2600) can run 802.1X authentication concurrently with either Web-Based or Mac-Based authentication on the same port; Web-Based and Mac-Based authentication cannot be used together.

When multiple port-access mechanisms are used, 802.1X based authentication always takes priority. That is, if a device has already authenticated via Mac-Based/Web-Based authentication, and then successfully completes 802.1X authentication, any accounting sessions open for Mac/Web based authentication will be closed, and the PVID assignment will reflect the VLAN assigned by the 802.1X authenticator.

If an 802.1X authenticated client sends an EAPOL-Logoff packet, the 802.1X session is terminated and the client will be re-authenticated using Web/Mac based authentication.

Setting the unauth-vid for both 802.1X and Mac/Web authenticators will result in unexpected behaviour

This usually results in the client being assigned the port-access authenticator unauth-vid after completing Mac/Web authentication. When you need to configure an unauth-vid with multiple authentication mechanisms, set the unauth-vid for the Mac/Web authenticator, not the 802.1X authenticator.

Note: Setting the unauth-vid for 802.1X when concurrent 802.1X/MAC authentication is enabled is now prohibited in software versions >= H.10.79 or equivalent.

Open VLANs


  • Unauthorised VLAN - If no port-access authentication mechanism has managed to authenticate the device, the unauth-vid will be set as the PVID. Although the port will be shown as closed, traffic will be able to flow to/from the connected device on this VLAN. The idea behind this feature is to allow administrators to distribute resources to connecting users (installation packages for 802.1X supplicants, instructions, etc.), allowing them to configure their computer for the local network and complete authentication successfully.

  • Authorised VLAN - If the client successfully completed authentication and no VLAN was specified by the RADIUS server, the auth-vid will be set as the PVID. If no VLAN was specified by the RADIUS server, and no auth-vid was set, the client is assigned to the untagged VLAN configured for the port.

Dynamic VLAN Assignment

When sending an Access-Accept packet the RADIUS server can specify which PVID should be assigned to the client. Most ProCurve switches that support dynamic VLAN assignment use the standard RFC 3580 (http://tools.ietf.org/html/rfc3580#section-3.31) and RFC 4675 attributes, allowing full control over the tagged and untagged VLANs set on a port.

The recommended approach for configuring both tagged and untagged VLANs, is to configure the untagged ingress/egress VLAN using RFC 3580 attributes, and use RFC 4675 attributes for tagged VLANs.

RFC 3580 (single untagged VLAN) Assignment

RADIUS Attribute | Times Used | Description | Value String | Value
Tunnel-Type | 1 | Type of tunnel | VLAN | 13
Tunnel-Medium-Type | 1 | Tunnel transport medium | IEEE-802 | 6
Tunnel-Private-Group-Id | 1 | Numeric ingress/egress VLAN ID to be assigned | - | <VLAN_ID>

If the specified Tunnel-Private-Group-Id matches a VLAN present on the switch, the PVID of the port the client is connected to is temporarily altered to the assigned PVID. On session termination, the port's VLAN membership reverts to its statically assigned untagged VLAN. If the specified Tunnel-Private-Group-Id does not match a configured or learned VLAN, authentication will fail.

Example for single untagged VLAN, MAC-based:

This entry will assign the port to the single untagged VLAN of ID 664.

RFC 4675 (multiple tagged/untagged VLAN) Assignment

RADIUS Attribute | Times Used | Description | Value String | Value
Egress-VLANID | 1-* | Allow egress traffic for specified VID | - | <tagged/untagged (0x31 or 0x32)>000<VLAN_ID (as hex)>
Egress-VLAN-Name | 1-* | Allow egress traffic for specified VLAN name | - | <tagged/untagged (1 or 2)><VLAN name string>
Ingress-Filters | 1 | Drop ingress traffic for VIDs not enabled for egress | Enabled | 1

Alternate HP VSAs for Microsoft RADIUS servers (will be available in future versions of K15)

RADIUS Attribute | Times Used | Description | Value String | Value
HP-Egress-VLANID (11.64) | 1-* | Alternate VSA for Egress-VLANID | - | <tagged/untagged (0x31 or 0x32)>000<VLAN_ID (as hex)>
HP-Egress-VLAN-Name (11.65) | 1-* | Alternate VSA for Egress-VLAN-Name | - | <tagged/untagged (1 or 2)><VLAN name string>

The value of Egress-VLANID is a bit string, the first 8 bits specify whether the VLAN is tagged or untagged and must be either 0x31 (tagged) or 0x32 (untagged). The next 12 bits are padding 0x000, and the final 12 bits are the VLAN ID as an integer value. For example the value to set VLAN 17 as a tagged egress VLAN would be 0x31000011.

Note: It is not possible to specify the ingress untagged VLAN with RFC 4675 attributes, so RFC 3580 attributes must be used instead.

Ingress-Filters VSA is ignored by all HP ProCurve switches

The default switching 'philosophy' of ProCurve switches is to filter ingress packets based on the egress VLAN membership of a port. This goes against the 802.1Q standard, which requires that frames be allowed to ingress even if their tag does not match a VLAN the port is a member of. Supporting this attribute (i.e. allowing promiscuous ingress) would break the ProCurve switching philosophy, so the attribute is ignored.

Example for single tagged VLAN, MAC-based:

This entry will assign the port to the single tagged VLAN of ID 451. With the use of an expr, integer addition can be used to show the composition of the bit string: the leading 0x31 for a tagged VLAN, the 0x000 padding and the VLAN ID.

Example for single untagged and multiple tagged VLANs, MAC-based:

This entry will assign the port to the single untagged VLAN of ID 664 and to four tagged VLANs of IDs 451 to 454. Note the use of the += operator for multiple instances of the same attribute.
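The attribute encoding described in this section, as an added Python example (it is not the page's own FreeRADIUS entries, which the text describes but does not reproduce): it builds Egress-VLANID values from the tagged/untagged flag, the padding and the VLAN ID, decodes and validates them, and assembles the recommended reply set of RFC 3580 attributes for the untagged VLAN plus one Egress-VLANID per tagged VLAN. The function names are the example's own; the constants (13, 6, 0x31, 0x32) and the VLAN numbers 664 and 451 to 454 are those given in the text.

```python
# Added example (not from the original page): encoding the VLAN-assignment
# attributes described above. The function names are constructed; the bit
# layout and the constants follow the text.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802
FLAG_TAGGED, FLAG_UNTAGGED = 0x31, 0x32


def egress_vlanid(vlan_id, tagged=True):
    """Egress-VLANID as a 32-bit integer: 8-bit tagged/untagged flag,
    12 zero padding bits, 12-bit VLAN ID (e.g. VLAN 17 tagged -> 0x31000011)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    flag = FLAG_TAGGED if tagged else FLAG_UNTAGGED
    return (flag << 24) | vlan_id


def decode_egress_vlanid(value):
    """Inverse of egress_vlanid(); rejects an unknown flag or non-zero padding bits."""
    flag, padding, vlan_id = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if flag not in (FLAG_TAGGED, FLAG_UNTAGGED) or padding != 0:
        raise ValueError(f"malformed Egress-VLANID 0x{value:08x}")
    return vlan_id, flag == FLAG_TAGGED


def egress_vlan_name(name, tagged=True):
    """Egress-VLAN-Name: a '1' (tagged) or '2' (untagged) character, then the VLAN name."""
    return ("1" if tagged else "2") + name


def vlan_assignment(untagged_vid=None, tagged_vids=()):
    """Build the reply attribute list recommended above: RFC 3580 tunnel attributes
    for the single untagged VLAN, then one Egress-VLANID instance per tagged VLAN."""
    attrs = []
    if untagged_vid is not None:
        attrs += [("Tunnel-Type", TUNNEL_TYPE_VLAN),
                  ("Tunnel-Medium-Type", TUNNEL_MEDIUM_IEEE_802),
                  ("Tunnel-Private-Group-Id", str(untagged_vid))]
    for vid in tagged_vids:   # repeated attribute: one instance per tagged VLAN
        attrs.append(("Egress-VLANID", f"0x{egress_vlanid(vid):08x}"))
    return attrs
```

The decoder is the useful half for a defender: an Egress-VLANID with an unexpected flag or non-zero padding in a captured Access-Accept is a sign of a mis-built RADIUS policy rather than a switch fault.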

Dynamic CoS (802.1p) Remapping

RADIUS Attribute | Times Used | Description | Value String | Value
HP-COS (11.40) | 1 | Assign 802.1p priority to all inbound packets on the port | - | <CoS_0><CoS_1><CoS_2><CoS_3><CoS_4><CoS_5><CoS_6><CoS_7>

The VSA 'HP-COS' or the RFC 4674 attribute 'User-Priority-Table' can be used to write an 802.1p CoS value into the 802.1Q header of all packets received on a port with a port-access authenticator enabled. This attribute should contain the desired CoS priority (as a string) repeated 8 times. The reason for the repetition is that the attribute is meant to form a map for translating the different CoS priorities of packets egressing on the port. Unfortunately this feature has not yet been implemented in hardware, so whatever value is used for the first (left-most) byte is applied to all priorities.

  • If the packet ingresses into the switch from the client on an untagged VLAN, the priority assigned to CoS_0 will be used.

  • If the packet then egresses from the switch as a tagged VLAN, the switch will honour the CoS value and forward the packet with the CoS value written into the 802.1Q header.

  • If the packet egresses from the switch as an untagged VLAN, the switch will honour the CoS value, but forward the packet with no CoS value attached. This is because the CoS value can only be written to the 802.1Q header, which is stripped if the packet is forwarded untagged.

802.1p based QoS is enabled by default on ProCurve switches, and cannot be disabled (except on I & M F/W switches). The eight possible 802.1p priority values are aggregated into four port-based outbound queues, which are applied as the packet egresses from the switch.

802.1p Value | Traffic classification (recommended) | Outbound Queue | Queue priority
1 | Background | 1 | Low
2 | Spare | 1 | Low
0 | Best Effort | 2 | Normal
3 | Excellent Effort | 2 | Normal
4 | Controlled Load | 3 | High
5 | Video | 3 | High
6 | Voice | 4 | Critical
7 | Network Control | 4 | Critical

Note: On K series the eight 802.1p priorities are not aggregated and map to eight different queues.

Note: HP-COS attribute is honoured by both the WMA and the 802.1X authenticator, although the 'show port-access mac-based' command in some branches does not show the override.

Note: There's no way to write a CodePoint value to the DiffServ/ToS field of IPv4 packets using dynamic assignment. HP-COS affects 802.1p priority only.

DHCP-Snooping and WMA/802.1X bridge

This feature is available on all platforms >=2600 series. When DHCP-Snooping and WMA/802.1X are enabled concurrently, the IP address of the client learned by DHCP-Snooping is included in the Framed-IP-Address attribute of all Accounting-Request packets.

In the current implementation this introduces a delay of ~60 seconds between the client being authenticated and the first Accounting Start packet being sent.

Unfortunately there is no method to disable this bridging feature so if reliable accounting times are required it is recommended not to enable DHCP-Snooping.

RADIUS Attribute | Times Used | Description | Value String | Value
Framed-IP-Address | 1 | IP address learned via DHCP-Snooping | - | <ip_oct1>.<ip_oct2>.<ip_oct3>.<ip_oct4>

Note: The Acct-Delay-Time attribute included in Accounting-Requests is not properly incremented, so accounting times really will be off by ~60 seconds.

GVRP and Dynamic VLAN assignment

In addition to being able to assign statically configured VLANs, GVRP learned VLANs are also available for dynamic assignment.

Enable the use of GVRP learned VLANs with dynamic VLAN assignment

Default edge port GVRP settings are insecure, and may allow circumvention of network policy.

The default setting for the interface unknown-vlan option is learn, this allows GVRP enabled clients to gain access to additional tagged VLANs once the port is in an open state. This is often undesirable from a security standpoint, so the unknown-vlan option should be set to disable on all port-access authenticated edge ports.

Note: If a GVRP VLAN is no longer advertised to the switch, all clients assigned that VLAN will be forced to re-authenticate.

Administrative interface authentication

On most HP Procurve switches there are two levels of authorised access, ‘Operator’ access and ‘Manager’ access.

  • Operator access allows the user to view most of the vital stats of the switch (using the show commands), but will not allow them to make any potentially dangerous changes (such as modify the configuration).

  • Manager (enabled) access allows the user to perform any supported operation.

When a user attempts to authenticate, the user's password is encrypted (using the shared secret between the NAS and the RADIUS server) and sent in an Access-Request packet as the User-Password attribute. The username is sent as the User-Name attribute, along with the desired Service-Type. Most ProCurve switches only support PAP for authentication on their management interfaces, though as of K.13.51, PEAP-MSCHAPv2 is supported as an authentication method for management on K branch switches.

Example (PAP Login):

Example (PAP Enable):

Typically the requested Service-Type will be NAS-Prompt-User. However, if the user either demotes themselves by exiting the administrative session and then tries to escalate to manager, or logs in as an operator and tries to escalate to manager, the switch will send Administrative-User as the requested Service-Type.

The RADIUS server will then authenticate the user and respond with either an Access-Accept or an Access-Reject packet. For authentication to succeed, Access-Accept packets must also contain a Service-Type attribute corresponding to the desired privilege level.

Access Level | RADIUS Attribute | Times Used | Description | Value String | Value
Operator | Service-Type | 1 | The user should be provided a command prompt on the NAS from which non-privileged commands can be executed. | NAS-Prompt-User | 7
Manager | Service-Type | 1 | The user should be granted access to the administrative interface of the NAS from which privileged commands can be executed. | Administrative-User | 6
No Access / Access-Reject | Service-Type | 1 | To deny access, either send an Access-Reject or omit the Service-Type attribute (only works when Privilege-Mode is enabled). | - | -
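The two halves of the exchange just described, as an added Python example (not code from the page, from HP or from any RADIUS server): how a NAS hides the User-Password attribute with the shared secret and the Request Authenticator (the RFC 2865 section 5.2 transform, which is what the text calls "encrypted"), and how a privilege-mode switch maps the Service-Type in the reply to an access level per the table above. The function names, and the secret, authenticator and passwords used in the test, are constructed.

```python
# Added example (not from the original page): RFC 2865 User-Password hiding as
# done by the NAS, and the Service-Type -> access-level decision of a
# privilege-mode switch. Names and test values are constructed.
import hashlib
import os

NAS_PROMPT_USER, ADMINISTRATIVE_USER = 7, 6   # Service-Type values from the table
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3           # RADIUS packet codes


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-octet blocks, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    pad_len = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad_len
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += chunk
        prev = chunk
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; strips the null padding afterwards."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return plain.rstrip(b"\x00")


def build_login_request(username: str, password: bytes, secret: bytes,
                        service_type: int = NAS_PROMPT_USER):
    """Attributes of a management-login Access-Request; returns (authenticator, attrs).
    A fresh random Request Authenticator is generated per request."""
    authenticator = os.urandom(16)
    attrs = {"User-Name": username, "Service-Type": service_type,
             "User-Password": hide_user_password(password, secret, authenticator)}
    return authenticator, attrs


def access_level(reply_code: int, reply_attrs: dict):
    """Privilege-mode decision: Access-Reject or a missing Service-Type denies access,
    NAS-Prompt-User (7) gives operator access, Administrative-User (6) gives manager."""
    if reply_code != ACCESS_ACCEPT:
        return None
    return {NAS_PROMPT_USER: "operator",
            ADMINISTRATIVE_USER: "manager"}.get(reply_attrs.get("Service-Type"))
```

The hiding transform is reversible by anyone holding the shared secret, which is why the secret's strength and the protection of the path between switch and RADIUS server matter as much as the user's password itself.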

ProCurve administrative interface authentication special features


Privilege-Mode

With all newer (>2600) ProCurve switches, the switch can be instructed to respect the Service-Type sent back from the RADIUS server. In older models an administrator would first authenticate to gain access to the switch, and then again when enabling administrative commands.

Note: The privilege-mode feature is not included in the 2500/6108 series.

Enable privilege-mode

Accounting command logging


With all newer (>2600) ProCurve switches, the switch can send all commands executed during a session to a RADIUS server in the form of Accounting-Request (Interim-Update) packets.

The command executed will be written to the HP-Command-String VSA.

Note: The account command logging feature is not included in the 2500/6108 series.

Example:

Enable command logging

RFC 3576 Change of Authorisation & Disconnect Message

RFC3576 operation is currently supported on all K and W branch switches. It is considered to be a 'premium' feature, so is unlikely to be backported, or included in lower end switch models.

A RADIUS request with a Code of either 40 (Disconnect-Request) or 43 (CoA-Request) is sent to UDP port 3799 (default) on the switch. This request must include attributes that identify the NAS, attributes that identify the session and, in the case of CoA, attributes that form the new authorisation profile. RFC 3576 also recommends that an Event-Timestamp attribute be present for replay protection, and that there be a maximum (default) delta of 300 seconds between the NAS time and the Event-Timestamp attribute included in the request.

Note: HP switches will silently discard any CoA or DM requests that do not have a valid Event-Timestamp attribute. This behaviour may be disabled on a server-by-server basis (see below for an example).

Session-identification attributes

All CoA/DM requests must contain at least one set of Session-Identification attributes.

RADIUS Attribute | Times Used | Description | Value String | Value
User-Name | 1 | User-Name provided in the Access-Accept, or used in authentication | - | <user-name>
Acct-Session-Id | 1 | Accounting session ID provided in Accounting-Requests | - | <session_id>

OR

RADIUS Attribute | Times Used | Description | Value String | Value
User-Name | 1 | User-Name provided in the Access-Accept, or used in authentication | - | <user-name>
Calling-Station-Id | 1 | Client's MAC address (hyphens must be used to delimit octets) | - | <oct1>-<oct2>-<oct3>-<oct4>-<oct5>-<oct6>

OR

RADIUS Attribute | Times Used | Description | Value String | Value
User-Name | 1 | User-Name provided in the Access-Accept, or used in authentication | - | <user-name>
Calling-Station-Id | 1 | Client's MAC address (hyphens must be used to delimit octets) | - | <oct1>-<oct2>-<oct3>-<oct4>-<oct5>-<oct6>
NAS-Port-Id | 1 | Port on which the client is authenticated, e.g. 1 or A1 (modular) | - | <port>

If using Mac-Auth the User-Name attribute must match the User-Name provided in the Access-Request.

NAS-Identification attributes


All CoA/DM requests must contain at least one NAS-Identification attribute (NAS-IP-Address appears to be the only one supported so far).

RADIUS Attribute | Times Used | Description | Value String | Value
NAS-IP-Address | 1 | Source IP for RADIUS requests (sent from the switch) | - | <ip-address>

Authorisation attributes

At least one of these attributes or attribute sets must be present in a CoA request, otherwise the NAS returns a CoA-NAK (Missing-Attribute). No authorisation attributes may be included in a Disconnect message, otherwise the NAS returns a DM-NAK (Unsupported-Attribute).

RADIUS Attribute | Times Used | Description
Session-Timeout | 1 | Number of seconds between client re-authentications (integer)
Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id | 1 | PVID assignment/alteration
Egress-VLANID | 1+ | Tagged VLAN assignment (octets)
Egress-VLAN-Name | 1+ | Tagged VLAN assignment (string)
HP-Bandwidth-Max-Ingress | 1 | Percentage of port bandwidth allowed for ingress
HP-Bandwidth-Max-Egress | 1 | Percentage of port bandwidth allowed for egress
HP-NAS-Filter-Rule | 1+ | ACE (multiple attributes form an ACL) applied to the client


Note: ProCurve switches do not support reauthorization using the 'Service-Type = Authorization-Only' AVP
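The request checks described in this RFC 3576 section, as an added Python model (not switch firmware and not from the page): it applies the Event-Timestamp delta, the session-identification sets, the NAS-identification requirement and the rule that a CoA needs authorisation attributes while a Disconnect must carry none, and returns the ACK, NAK or silent discard the text describes. Request contents are plain dicts and the sample requests in the test are constructed; the NAK for a partial Tunnel-* set and the treatment of a Calling-Station-Id without hyphens as unusable are assumptions of the model.

```python
# Added example (not from the original page): a model of the NAS-side checks on
# RFC 3576 CoA/Disconnect requests described above. Requests are plain dicts;
# the partial Tunnel-* and malformed Calling-Station-Id handling are assumptions.
import re
import time

DISCONNECT_REQUEST, COA_REQUEST = 40, 43
MAX_TIMESTAMP_DELTA = 300   # seconds; default maximum NAS-time vs Event-Timestamp delta
MAC_HYPHENATED = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")

SESSION_ID_SETS = (   # any one of these sets identifies the session
    {"User-Name", "Acct-Session-Id"},
    {"User-Name", "Calling-Station-Id"},
    {"User-Name", "Calling-Station-Id", "NAS-Port-Id"},
)
NAS_ID_ATTRS = {"NAS-IP-Address"}   # the only NAS identification attribute reported to work
PVID_SET = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id"}
AUTHZ_ATTRS = PVID_SET | {"Session-Timeout", "Egress-VLANID", "Egress-VLAN-Name",
                          "HP-Bandwidth-Max-Ingress", "HP-Bandwidth-Max-Egress",
                          "HP-NAS-Filter-Rule"}


def _session_identified(attrs):
    """True if one of the session-identification attribute sets is present and usable."""
    present = set(attrs)
    csid = attrs.get("Calling-Station-Id")
    if csid is not None and not MAC_HYPHENATED.match(csid):
        present.discard("Calling-Station-Id")   # octets must be hyphen-delimited (modelled)
    return any(needed <= present for needed in SESSION_ID_SETS)


def validate_request(code, attrs, now=None, check_timestamp=True):
    """Return the NAS response to a CoA/DM request: 'ACK', 'NAK (<reason>)', or
    'DISCARD (...)' for requests the switch drops without answering."""
    now = time.time() if now is None else now
    present = set(attrs)
    if check_timestamp:   # the check can be disabled per server, as noted in the text
        ts = attrs.get("Event-Timestamp")
        if ts is None or abs(now - ts) > MAX_TIMESTAMP_DELTA:
            return "DISCARD (Event-Timestamp missing or stale)"
    if not _session_identified(attrs):
        return "NAK (Missing-Attribute: session identification)"
    if not present & NAS_ID_ATTRS:
        return "NAK (Missing-Attribute: NAS identification)"
    authz = present & AUTHZ_ATTRS
    if code == DISCONNECT_REQUEST:
        return "NAK (Unsupported-Attribute)" if authz else "ACK"
    if code == COA_REQUEST:
        if not authz:
            return "NAK (Missing-Attribute)"
        if present & PVID_SET and not PVID_SET <= present:
            return "NAK (Missing-Attribute: incomplete Tunnel-* set)"   # assumption
        return "ACK"
    return "DISCARD (unsupported code)"
```

Running a planned CoA through this check before sending it catches the two failures that are hardest to debug on the wire: a stale Event-Timestamp, which the switch drops silently, and a NAS-Identifier-only request, which the text says is not honoured.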

Switch configuration


Add radius-server as CoA originator

Add dedicated CoA originator

Disable Event-Timestamp check (if required)

Radclient DM example

Radclient CoA example

This changes example_user's PVID to 2 and remaps all incoming 802.1p priorities to 7.

Configuration - Wired switches

You must have manager access on the target switch and have entered configuration mode to run the following commands.

Most ProCurve wired switches >= 2600 series will support all or a subset of these commands.

Add servers

Set Server Parameters

Set general port-access Parameters

Note: Enabling the use of GVRP vlans is optional.

Enable RADIUS Authentication on administrative interfaces

Enabling 802.1X/MAC dual authentication on selected ports (single client)

Enable Accounting

Hints and tips

  • If dual authentication is used with different logoff-period timer values, timer behaviour is unpredictable. In older versions of K series firmware, and in all other branches, the logoff-period timer for both 802.1X and WMA was implemented using a single hardware timer. If different values were used for the logoff-period timers in 802.1X and WMA, the timer would reflect the value set by the last authenticator to be initialised. For predictable behaviour it is highly recommended that the same value be used for both if either authenticator's logoff-period timer is changed from its default of 300 seconds.

  • The use of port-based 802.1X and WMA concurrently is not recommended, not well supported, and not allowed in recent versions of K branch software. It is recommended to set an 802.1X client limit of 1 or more when using concurrent authentication; this puts the port into client-based 802.1X mode.

  • The default logoff-period is too low for embedded devices such as printers that may 'sleep' for long periods; if the value is not increased devices that enter a sleep/power-saving mode may become unreachable. It's recommended that devices using Mac-Auth also run a DHCP client, to ensure that they periodically wake up and send packets to the authenticating switch, thus keeping their session alive.

  • For security reasons it's better to implement dual authentication with 802.1X and Mac-Auth instead of configuring an unauth-vid. This allows the RADIUS server ultimate control over whether data from a device is allowed to ingress onto the network.

Known Issues

Many, always update to the latest firmware.
