HP ProCurve Switch 5300xl Series Reviewer’s Guide
can be given specific network access rights, such as assignment to a specific VLAN, and some high-level
session accounting information can be maintained. (See the next section.)
With a centralized RADIUS server doing the actual authentication, a user can log in anywhere in the
network that supports 802.1x and get access to his resources. This is true whether the login occurs on
a shared client or the user is using a mobile client and accessing the network at different access
points.
One point to note about 802.1x access control is that access is controlled at the switch port. Once access
is given to the switch port, anyone connected through this port will have access to the services
associated with the user that authenticated. If someone inadvertently or clandestinely places a switch
or hub between the network access server and the authenticated client, any port on the introduced
switch or hub has access to the configured network services of the authenticated client. One way to
close this shortfall is to use the Port Security MAC Address Lockdown feature on the HP ProCurve
Switch 5300xl Series, which is described in a following section.
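The following Python is an added illustration, not code from the guide and not the 5300xl's actual implementation: it models the shortfall described above (an authorized 802.1x port forwards traffic from any station behind an inserted hub) next to the effect of a MAC address lockdown on that port. The port name, MAC addresses and frame sequence are constructed for the example.

```python
# Added example: simplified model of 802.1x port authorization with and
# without an HP-style MAC address lockdown. Not the switch's real code.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    authorized: bool = False                 # set by a successful 802.1x exchange
    authenticated_mac: Optional[str] = None  # supplicant that authenticated
    lockdown: bool = False                   # Port Security MAC lockdown enabled
    alerts: list = field(default_factory=list)


def authorize(port: Port, mac: str) -> None:
    """Record a successful 802.1x authentication for the supplicant at `mac`."""
    port.authorized = True
    port.authenticated_mac = mac.lower()


def forward(port: Port, src_mac: str) -> bool:
    """Decide whether a frame with source `src_mac` is forwarded.

    Without lockdown, 802.1x alone opens the whole port: any station behind
    an inserted hub rides on the authenticated user's access. With lockdown,
    only the authenticated MAC is forwarded and any other source is logged.
    """
    if not port.authorized:
        return False
    src_mac = src_mac.lower()
    if not port.lockdown:
        return True                           # the shortfall the guide describes
    if src_mac == port.authenticated_mac:
        return True
    port.alerts.append(f"{port.name}: unauthorized source {src_mac}")
    return False


def replay(port: Port, frames: list) -> list:
    """Apply `forward` to a sequence of source MACs seen on the port."""
    return [forward(port, mac) for mac in frames]


# Constructed sample: the user authenticates from 00:11:22:33:44:55, a hub is
# then inserted and a second station 66:77:88:99:aa:bb appears on the same port.
SAMPLE_FRAMES = ["00:11:22:33:44:55", "66:77:88:99:aa:bb", "00:11:22:33:44:55"]


def demo(lockdown: bool):
    """Return (forwarding decisions, alerts) for the sample with lockdown on/off."""
    port = Port("A1", lockdown=lockdown)
    authorize(port, "00:11:22:33:44:55")
    return replay(port, SAMPLE_FRAMES), port.alerts


if __name__ == "__main__":
    for mode in (False, True):
        decisions, alerts = demo(mode)
        print(f"lockdown={mode}: forwarded={decisions} alerts={alerts}")
```

With lockdown off every frame is forwarded and nothing is logged; with lockdown on the second station's frame is dropped and an alert is recorded, which is the detection signal an operator would watch for.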
More details on 802.1x can be found in the white paper on the HP ProCurve website at
http://www.hp.com/go/hpprocurve (select the information library).
2.5.2.1 RADIUS Server Accounting
Most RADIUS servers provide not only authentication for the user but also tracking of some
parameters associated with the authenticated user or the switch itself. These parameters are actually
kept on the HP ProCurve Switch 5300xl Series and updated on the RADIUS server either at RADIUS
session begin and end or only at session end.
Three areas of parameters are tracked:
• Network Accounting – Keeps track of items for an authenticated user on a switch port
such as Account ID, Username, Input and Output Packets, Account Termination
Reason, etc.
• Exec Accounting – Keeps track of the same items used in Network Accounting, but for
logon sessions under telnet, SSH and console.
• System Accounting – Keeps track of the same items used in Network Accounting, with
actual recording of the items done on a system event, such as system reboot, system
reset and accounting enable or disable.
The primary purpose for RADIUS accounting is to have a security audit trail for user network usage or
when switch events occur that affect the integrity of the network.
RADIUS server accounting can also be used as a rudimentary form of tracking user network usage, but
it only covers very high-level parameters such as total connect time or total packets through the user's
switch port.
2.5.2.2 Standalone RADIUS Authentication
RADIUS authentication can be used without 802.1x. In this case RADIUS provides user
authentication when telnet, SSH or console port access authentication is required. Up to three RADIUS
servers can be specified to provide backup capability in case the primary RADIUS server becomes
unavailable.
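The following Python is an added example that is not HP's code and serves both the accounting section (2.5.2.1) and this standalone authentication section: it builds the Accounting-Request a switch would send with the Username, Account ID, Input/Output Packets and Termination Reason attributes, shows the check a server performs before trusting that record, builds the Access-Request used for a telnet/SSH/console login with the RFC 2865 User-Password hiding, and walks an ordered list of up to three servers the way a failover would. Packet layout and attribute numbers follow RFC 2865 and RFC 2866; the shared secret, server addresses, user and counters are constructed.

```python
# Added example (not from the guide): RADIUS accounting and authentication
# messages per RFC 2865/2866, plus failover across up to three servers.
import hashlib
import os
import struct

# Codes and attribute types used below (RFC 2865 / RFC 2866).
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS, ACCT_TERMINATE_CAUSE = 47, 48, 49
ACCT_STOP, CAUSE_USER_REQUEST = 2, 1

def u32(n: int) -> bytes:
    return struct.pack("!I", n)

def attr(t: int, value: bytes) -> bytes:
    """One attribute TLV: Type, Length (including the 2-octet header), Value."""
    return struct.pack("!BB", t, len(value) + 2) + value

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """20-octet header (Code, Identifier, Length, Authenticator) plus attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), starting from the Request Authenticator."""
    password += b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of hide_password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def access_request(ident, user, password, secret, nas_port, req_auth=None):
    """Access-Request as sent for a telnet/SSH/console login without 802.1x."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_PORT, u32(nas_port)))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def accounting_request(ident, attrs, secret):
    """RFC 2866 3: authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    with_zero = packet(ACCOUNTING_REQUEST, ident, bytes(16), attrs)
    return packet(ACCOUNTING_REQUEST, ident, hashlib.md5(with_zero + secret).digest(), attrs)

def verify_accounting(pkt, secret) -> bool:
    """The check a server runs before a record enters the audit trail."""
    recomputed = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return recomputed == pkt[4:20]

def parse_attrs(pkt) -> dict:
    """Walk the attribute list; reject truncated or zero-length attributes."""
    attrs, i = {}, 20
    while i + 2 <= len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute")
        attrs[t] = pkt[i + 2:i + length]
        i += length
    return attrs

def send_with_failover(pkt, servers, transport, retries=1):
    """Try each configured server in order (the guide allows up to three)."""
    for host in servers[:3]:
        for _ in range(retries + 1):
            reply = transport(host, pkt)
            if reply is not None:
                return host, reply
    return None, None

SECRET = b"constructed-shared-secret"   # constructed for the example only

def demo_accounting():
    # Constructed "Stop" record for user alice: session id, packet counters, cause.
    attrs = (attr(USER_NAME, b"alice") + attr(ACCT_STATUS_TYPE, u32(ACCT_STOP))
             + attr(ACCT_SESSION_ID, b"0000000a") + attr(ACCT_INPUT_PACKETS, u32(1200))
             + attr(ACCT_OUTPUT_PACKETS, u32(880)) + attr(ACCT_TERMINATE_CAUSE, u32(CAUSE_USER_REQUEST)))
    pkt = accounting_request(7, attrs, SECRET)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])   # flip one bit in the last attribute
    return verify_accounting(pkt, SECRET), verify_accounting(tampered, SECRET), parse_attrs(pkt)

def demo_failover():
    # Constructed transport: the primary is unreachable, the second server answers.
    def transport(host, pkt):
        return None if host == "10.0.0.1" else b"Accounting-Response"
    return send_with_failover(b"", ["10.0.0.1", "10.0.0.2", "10.0.0.3"], transport)
```

`demo_accounting()` returns `(True, False, {...})`: the untouched record verifies, the bit-flipped one does not, and the parsed attributes carry the username, session id, counters and termination cause the guide lists. `demo_failover()` returns the second server and its reply, showing the backup-server behaviour of section 2.5.2.2.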
2.5.2.3 RADIUS Functionality - RFCs
RFCs that were used or consulted in the development of the RADIUS functionality are:
• RFC-2865 - Remote Authentication Dial In User Service (RADIUS)
• RFC-2869 - RADIUS Extensions
• RFC-2138 - Extensible Authentication Protocol Support in RADIUS
• draft-congdon-radius-8021x-09.txt - IEEE 802.1X RADIUS Usage Guidelines
© Hewlett-Packard Co. 2002, 2003
Rev 1.1 – 2/11/2003
http://www.hp.com/go/hpprocurve
Page 21 of 35