78
from this user. The authentication server can be the local access device or a RADIUS server. In either case,
you must configure the ACL on the access device.
To ensure a successful ACL assignment, make sure the ACL does not contain rules that match source MAC
addresses.
To change the access control criteria for the user, you can use one of the following methods:
•
Modify ACL rules on the access device.
•
Specify another authorization ACL on the authentication server.
For more information about ACLs, see
ACL and QoS Configuration Guide
.
User profile assignment
You can specify a user profile for an 802.1X user to control the user's access to network resources. After
the user passes 802.1X authentication, the authentication server assigns the user profile to the user for
filtering traffic. The authentication server can be the local access device or a RADIUS server. In either
case, you must configure the user profile on the access device.
To change the user's access permissions, you can use one of the following methods:
•
Modify the user profile configuration on the access device.
•
Specify another user profile for the user on the authentication server.
For more information about user profiles, see "
."
EAD assistant
Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution to improve the
threat defensive capability of a network. The solution enables the security client, security policy server,
access device, and third-party server to operate together. If a terminal device seeks to access an EAD
network, it must have an EAD client, which performs 802.1X authentication.
EAD assistant enables the access device to redirect a user who is seeking to access the network to
download and install an EAD client. This feature eliminates the administrative task to deploy EAD clients.
The EAD assistant feature is implemented by the following functionalities:
•
Free IP.
A free IP is a freely accessible network segment, which has a limited set of network resources such
as software and DHCP servers. To ensure security strategy compliance, an unauthenticated user
can access only this segment to perform operations. For example, the user can download EAD
client from a software server or obtain a dynamic IP address from a DHCP server.
•
Redirect URL.
If an unauthenticated 802.1X user is using a Web browser to access the network, the EAD
assistant feature redirects the user to a specific URL. For example, you can use this feature to
redirect the user to the EAD client software download page.
The EAD assistant feature automatically creates an ACL-based EAD rule to open access to the redirect
URL for each redirected user.
EAD rules are implemented by using ACL resources. When the EAD rule timer expires or the user passes
authentication, the rule is removed. If users fail to download EAD client or fail to pass authentication
before the timer expires, they must reconnect to the network to access the free IP.