HP (Hewlett-Packard) 2650 (J4899A/B) Switch User Manual


 
3-13
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches
General Setup Procedure for Web/MAC Authentication
a. If you configure the RADIUS server to assign a VLAN for an authen-
ticated client, this assignment overrides any VLAN assignments con-
figured on the switch while the authenticated client session remains
active. Note that the VLAN must be statically configured on the
switch.
b. If there is no RADIUS-assigned VLAN, the port can join an “Authorized
VLAN” for the duration of the client session, if you choose to configure
one. This must be a port-based, statically configured VLAN on the
switch.
c. If there is neither a RADIUS-assigned VLAN or an “Authorized VLAN”
for an authenticated client session on a port, then the port’s VLAN
membership remains unchanged during authenticated client ses-
sions. In this case, configure the port for the VLAN in which you want
it to operate during client sessions.
Note that when configuring a RADIUS server to assign a VLAN, you can
use either the VLAN’s name or VID. For example, if a VLAN configured in
the switch has a VID of 100 and is named vlan100, you could configure the
RADIUS server to use either “100” or “vlan100” to specify the VLAN.
4. Determine whether to use the optional “Unauthorized VLAN” mode for
clients that the RADIUS server does not authenticate. This VLAN must be
statically configured on the switch. If you do not configure an “Unauthor-
ized VLAN”, the switch simply blocks access to unauthenticated clients
trying to use the port.
5. Determine the authentication policy you want on the RADIUS server and
configure the server. Refer to the documentation provided with your
RADIUS application and include the following in the policy for each client
or client device:
The CHAP-RADIUS authentication method.
An encryption key
One of the following:
If you are configuring Web-based authentication, include the user
name and password for each authorized client.
If you are configuring MAC-based authentication, enter the
device MAC address in both the username and password fields of
the RADIUS policy configuration for that device. Also, if you want
to allow a particular device to receive authentication only
through a designated port and switch, include this in your policy.
6. Determine the IP address of the RADIUS server(s) you will use to support
Web- or MAC-based authentication. (For information on configuring the
switch to access RADIUS servers, refer to “Configuring the Switch To
Access a RADIUS Server” on page 3-15.)