10-30-2014 05:23 PM
802/MAC authentication test results
In one of my previous posts we ended up discussing the behaviors of expiration, cancel, kick out. I decided to test these out as I move to migrate my existing 802 user base and also accommodate guests, wired and wireless. I wanted to be sure I could deactivate visitors and keep them offline.
All my access switches are ProCurve models. I tested on a 2915-8G running A.15.14.0007 firmware, which is recent.
My test clients are an 802.1x user registered via LDAP (MS AD 2008) and a MAC client, created from the authentication failure log.
The switch was set for 802 and MAC auth with a reauth period of 10 mins. I have an unauth VLAN set for connectivity for failed authentication.
The attached spreadsheet has a table of the results. Comments provide some extra detail
Enable or disable at the port level is clear - the switch and imc are consistent.
A user can't be canceled or temporarily canceled while online, so they must be disconnected first.
Kick out seems like a logical choice - it sends a disconnect command to the switch, and the users do show as disconnected at the switch. Pings are interrupted. And they are removed from the online list in IMC. Temporarily.
They will reauthenticate to the switch and then back in imc as well. Time it takes varies, but 802 is quicker than MAC.
I tried using that offline interval to cancel a user after kicking them out. The interval is long enough for the MAC client but too short for the 802 client. Doesn't help that Kick out and cancel or temp cancel are not on the same page - the time it takes to navigate between them, find and select the user is too long.
Blacklisting was next. Blacklist by itself sets the status for the next change, but by itself won't take any further action, so a kick out is required to activate the blacklist setting. This works for both types of authentication and persists. Yeah!
Unblacklisting also depends on activation. The reauth period timer successfully reopened the port and connected the clients.
Expiration was also tested. I set the client accounts to expire at a specific time. At that time the clients were still authenticated and connected, both at the switch and IMC. Waiting for a couple of reauth periods did not change that. So expiration is only functional if the port or client interface are disabled and subsequently re-enabled.
Once an account was expired then re-inspired, and the ports closed from authentication failure, I waited to see what would happen with the reauth timer.
Both the switch and IMC did reauthenticate after the timer expired; however, the MAC client did not successfully send out/respond to DHCP to move from the unauth VLAN to the auth VLAN provisioned by the service. Not sure if this is related to the switch or the client.
The granularity of the state changes is dependent on the reauth timer if you want a quick response to changes. I have set these times much higher in my current implementation to reduce authentication traffic. But may need to use a shorter interval.
Some of these functions did not behave as I would have expected. Expiration should respond after the reauth period expires. Cancel and temp cancel are not functional until the user is off line. Blacklist combined with kick out is the most useful.
It's hard to tell from the docs exactly how these are supposed to behave, so I needed this to sort it out - hopefully it helps someone else as well.
Now to figure out the best way to register the guest MACs...
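The "kick out" described above is the one operation that acted immediately at the switch, because it is pushed to the NAS rather than waited for at the next reauth. The following is an added example, not code from IMC, HPE or the poster, showing what such a disconnect looks like on the wire. It assumes the kick-out is carried as an RFC 5176 RADIUS Disconnect-Request (the standard dynamic-authorization mechanism; the post only says "a disconnect command"), and the shared secret, NAS address, username and MAC below are constructed for the example. It builds the request, verifies the secret-keyed authenticator the switch checks before honouring it, and verifies the Disconnect-ACK/NAK that comes back, decoding the Error-Cause a NAK carries when the switch has no matching session (the situation you hit if the client has already reauthenticated under a fresh session).

```python
"""RFC 5176 RADIUS Disconnect-Request builder and verifier (added example;
all secrets, addresses and identities here are constructed, not from the post)."""
import hashlib
import hmac
import os
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42

# Attribute types from RFC 2865 and RFC 5176.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101

# Error-Cause values a NAS may return in a Disconnect-NAK (RFC 5176 section 3.5).
ERROR_CAUSE = {501: "Residual Session Context Removed",
               503: "Session Context Not Found",
               504: "Session Context Not Removable"}


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; each value is 1..253 bytes."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse_attributes(packet):
    """Return the (type, value) pairs following the 20-byte RADIUS header."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 3 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_disconnect_request(secret, identifier, attrs):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_disconnect_request(secret, packet):
    """What the NAS checks before tearing a session down: code, length, authenticator."""
    if len(packet) < 20 or packet[0] != DISCONNECT_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_disconnect_response(secret, code, request, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_disconnect_response(secret, request, response):
    """Accept only an ACK/NAK whose identifier and authenticator bind it to our request."""
    if len(response) < 20 or response[0] not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    if response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def error_cause(response):
    """Decode the Error-Cause of a Disconnect-NAK as (code, text), or None if absent."""
    for attr_type, value in parse_attributes(response):
        if attr_type == ATTR_ERROR_CAUSE and len(value) == 4:
            code = struct.unpack("!I", value)[0]
            return code, ERROR_CAUSE.get(code, "Unknown")
    return None


def kick_out(nas_host, secret, session_attrs, timeout=3.0):
    """Send a Disconnect-Request to the NAS on UDP 3799 and return the verified reply."""
    request = build_disconnect_request(secret, os.urandom(1)[0], session_attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_host, 3799))
        response, _ = sock.recvfrom(4096)
    if not verify_disconnect_response(secret, request, response):
        raise ValueError("Disconnect response failed authenticator check")
    return response


# Constructed sample: a MAC-authenticated guest session keyed by Calling-Station-Id.
SECRET = b"example-shared-secret"
GUEST_SESSION = [
    (ATTR_NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
    (ATTR_USER_NAME, b"0011aabbccdd"),
    (ATTR_CALLING_STATION_ID, b"00-11-AA-BB-CC-DD"),
]

if __name__ == "__main__":
    req = build_disconnect_request(SECRET, 7, GUEST_SESSION)
    nak = build_disconnect_response(SECRET, DISCONNECT_NAK, req,
                                    [(ATTR_ERROR_CAUSE, struct.pack("!I", 503))])
    print(verify_disconnect_request(SECRET, req), error_cause(nak))
```

Two points worth keeping in mind when wiring this up for real: the switch only honours a Disconnect-Request from a source it has been told to accept dynamic authorization from, with the same shared secret as its RADIUS server entry, so a missing or wrong secret fails silently at the NAS rather than returning a NAK; and a NAK with Error-Cause 503 after a kick-out usually means the client already reauthenticated and now has a new session, which matches the timing problem described in the post.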
11-19-2014 06:11 PM
Re: 802/MAC authentication test results
Thanks for sharing!