Ethernet 802.1X configuration – HP
In this topic, you will learn how to configure selected HP switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.
HP ProCurve (generic)
In this section, you will learn how to configure the HP ProCurve switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.
-
Specify a RADIUS server for authentication and accounting using the data of the
Portnox Cloud US RADIUS server.
radius-server host 20.119.69.248 key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1 auth-port 10322 acct-port 10323
-
Specify a RADIUS server for authentication and accounting using the data of the Portnox Cloud EU RADIUS
server.
radius-server host 52.232.122.157 key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt auth-port 10476 acct-port 10477
-
Enable 802.1X authentication using EAP via a RADIUS server for port access.
aaa authentication port-access eap-radius
-
Enable 802.1X authentication on ports 1 to 4.
aaa port-access authenticator 1-4
-
Enable MAC-based authentication on ports 5 to 8.
aaa port-access mac-based 5-8
-
Configure directional control.
This command controls transmissions before authentication: both: inbound and outbound transmission is blocked, in: inbound traffic from the endpoint is blocked.
aaa port-access 1-8 controlled-direction both
-
Activate 802.1X on the switch.
aaa port-access authenticator active
Here is the entire example configuration for your convenience:
radius-server host 20.119.69.248 key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1 auth-port 10322 acct-port 10323
radius-server host 52.232.122.157 key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt auth-port 10476 acct-port 10477
#
aaa authentication port-access eap-radius
#
aaa port-access authenticator 1-4
aaa port-access authenticator 1-4 auth-vid 10
aaa port-access authenticator 1-4 client-limit 20
#
aaa port-access mac-based 5-8
aaa port-access mac-based 5-8 addr-limit 15
aaa port-access mac-based 5-8 auth-vid 20
aaa port-access mac-based 5-8 unauth-vid 30
#
aaa port-access 1-8 controlled-direction both
aaa port-access authenticator active
HP 5130 HPE Comware 7
In this section, you will learn how to configure the HP 5130 HPE Comware 7 switch to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.
-
Define a new RADIUS scheme in the configuration, which will be used to set up and
reference specific RADIUS servers for authentication purposes.
-
Set the default domain and configure the default domain to use the RADIUS scheme created in the previous step for
authentication, authorization, and accounting.
-
Enable 802.1X globally, set EAP as the 802.1X authentication
method, and set the 802.1X timers to allow for a quicker MAC-based authentication (approximately 20 seconds from the
initial EAPOL exchange).
-
Configure the switch interfaces for 802.1X and MAC-based authentication.
Note: Trunks cannot be configured as 802.1X ports. Any port acting as a trunk/uplink should not be configured for 802.1X, as it will negatively impact network connectivity. 802.1X can only be configured on access ports.
Here is the entire example configuration for your convenience:
radius scheme portnox
primary authentication 20.119.69.248 10322 key cipher rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
primary accounting 20.119.69.248 10323 key cipher rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
secondary authentication 52.232.122.157 10476 key cipher fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
secondary accounting 52.232.122.157 10477 key cipher fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
accounting-on enable
user-name-format without-domain
domain default enable system
domain system
authentication lan-access radius-scheme portnox
authorization lan-access radius-scheme portnox
accounting lan-access radius-scheme portnox
dot1x
dot1x authentication-method eap
dot1x quiet-period
dot1x timer quiet-period 20
dot1x timer tx-period 10
mac-authentication
interface GigabitEthernet 0/1
stp edged-port
dot1x
undo dot1x handshake
undo dot1x multicast-trigger
dot1x mandatory-domain system
dot1x unicast-trigger
dot1x re-authenticate server-unreachable keep-online
mac-authentication
mac-authentication domain system
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication re-authenticate