- Re: 802.1x NAS-Port format on ProCurve 2600-PWR
11-07-2008 08:11 AM
Framed-MTU = 1480
NAS-IP-Address = 192.168.5.25
NAS-Identifier = "ProCurve Switch 2600-8-PWR"
User-Name = "moe"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-1c-2e-54-47-80"
Calling-Station-Id = "00-1a-4b-6c-42-31"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "85"
I'm wondering what NAS-Port refers to. I'm assuming it maps directly to the ifIndex, but I wanted to make sure that it wasn't a dot1dIndex or some other such attribute as they can be different.
In my code, I need to map the port provided in the radius request to existing port models that are indexed by the ifIndex. That's why I want to be sure that is what this is referring to.
Thanks in advance!
11-12-2008 12:23 PM
Re: 802.1x NAS-Port format on ProCurve 2600-PWR
11-13-2008 01:57 AM
Solution
This attribute indicates the maximum size of an IP packet that may be
transmitted over the wire between the Supplicant and the Authenticator.
IEEE 802.1X authenticators set this to the value corresponding to the
relevant 802 medium, and include it in the RADIUS Access-Request. For
EAP over IEEE 802 media, the Framed-MTU values (which do not include
LLC/SNAP overhead) and maximum frame length values (not including the
preamble) are as follows:
                                      Maximum Frame
Media               Framed-MTU        Length
=========           ===============   ==============
Ethernet            1500              1522
802.3               1500              1522
802.4               8174              8193
802.5 (4 Mbps)      4528              4550
802.5 (16 Mbps)     18173             18200
802.5 (100 Mb/s)    18173             18200
----------------------------------------------------------------------
NAS-IP-Address = 192.168.5.25
For use with IEEE 802.1X, the NAS-IP-Address contains the IPv4 address
of the bridge or Access Point acting as an Authenticator. If the IEEE
802.1X authenticator has more than one interface, it may be desirable to
use a loopback address for this purpose so that the Authenticator will
still be reachable even if one of the interfaces were to fail.
-----------------------------------------------------------------------
NAS-Identifier = "ProCurve Switch 2600-8-PWR"
This attribute contains a string identifying the IEEE 802.1X
Authenticator originating the Access-Request.
------------------------------------------------------------------------
User-Name = "moe"
In IEEE 802.1X, the supplicant typically provides its identity via an
EAP-Response/Identity message. Where available, the supplicant identity
is included in the User-Name attribute, and included in the RADIUS
Access-Request and Access-Reply messages as specified in [4].
Alternatively, where Service-Type=Call Check, the User-Name attribute
contains the Calling-Station-ID value, which is set to the Supplicant
MAC address.
----------------------------------------------------------------------
Service-Type = Framed-User
For use with IEEE 802.1X, only the Framed (2), Authenticate Only (8),
and Call Check (10) values have meaning.
---------------------------------------------------------------------
Framed-Protocol = PPP
Since there is no value for 802 media, the Framed-Protocol attribute is
not used by IEEE 802.1X authenticators.
----------------------------------------------------------------------
NAS-Port = 3
For use with IEEE 802.1X, NAS-Port-Type values of Ethernet (15),
Wireless - IEEE 802.11 (19), Token Ring (20) and FDDI (21) may be used.
------------------------------------------------------------------------
NAS-Port-Type = Ethernet
For use with IEEE 802.1X, NAS-Port-Type values of Ethernet (15),
Wireless - IEEE 802.11 (19), Token Ring (20) and FDDI (21) may be used.
------------------------------------------------------------------------
NAS-Port-Id = "3"
This attribute is used to identify the IEEE 802.1X Authenticator port
which authenticates the Supplicant. The NAS-Port-Id differs from the
NAS-Port in that it is a string of variable length whereas the NAS-Port
is a 4 octet value.
------------------------------------------------------------------------
Called-Station-Id = "00-1c-2e-54-47-80"
For IEEE 802.1X authenticators, this attribute is used to store the
bridge or Access Point MAC address in ASCII format, with octet values
separated by a "-". Example: "00-10-A4-23-19-C0".
Calling-Station-Id = "00-1a-4b-6c-42-31"
-------------------------------------------------------------------------
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
This attribute is sent by a bridge or Access Point to indicate the
nature of the Supplicant's connection. When sent in the Access-Request
it is recommended that this attribute contain information on the speed
of the Supplicant's connection. For 802.11, the following format is
recommended: "CONNECT 11Mbps 802.11b" or "CONNECT 54Mbps 802.11a". If
sent in the Accounting STOP, this attribute may be used to summarize
statistics relating to session quality. For example, in IEEE 802.11, the
Connect-Info attribute may contain information on the number of link
layer retransmissions. The exact format of this attribute is
implementation specific.
-------------------------------------------------------------------------
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "85"
Tunnel attributes
Reference [20] defines RADIUS tunnel attributes used for authentication
and authorization, and reference [21] defines tunnel attributes used for
accounting. Where the IEEE 802.1X Authenticator supports tunneling, a
compulsory tunnel may be set up for the Supplicant as a result of the
authentication.
In particular, it may be desirable to allow a Supplicant to be placed
into a particular Virtual LAN (VLAN) based on the result of the
authentication. The RADIUS server typically indicates the desired VLAN
by including tunnel attributes within the Access-Accept. However, the
IEEE 802.1X Authenticator may also provide a hint as to the VLAN to be
assigned to the Supplicant by including Tunnel attributes within the
Access-Request. For use in VLAN assignment, the following tunnel
attributes are sent:
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID
Note that the VLANID is 12-bits, taking a value between 0 and 4095,
inclusive. Since the Tunnel-Private-Group-ID is of type String as
defined in [20], for use with IEEE 802.1X, the VLANID is encoded as a
string, rather than an integer.
6. Security considerations
Since this draft describes the use of RADIUS for purposes of
authentication, authorization and accounting in IEEE 802.1X-enabled
networks, it is vulnerable to all of the threats that are present in
other RADIUS applications, with one exception. For a discussion of
these threats, see [6].
Since IEEE 802.1X does not support PAP or CHAP authentication, the
RADIUS User-Password hiding mechanism is not utilized to hide user
passwords. As noted in [4], there are doubts about the security of this
mechanism.
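An added example, not part of the original thread: one way to read the text-form attribute dump from the question and validate the port and VLAN attributes before using them as lookup keys. The `Name[:tag] = value` rendering is taken from the question; the function names are hypothetical, and the key is the raw NAS-Port value, with no assumption that it equals the ifIndex.

```python
import re

# Constructed sample: a subset of the Access-Request attributes quoted in the question.
SAMPLE = '''\
NAS-IP-Address = 192.168.5.25
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Calling-Station-Id = "00-1a-4b-6c-42-31"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "85"
'''

LINE = re.compile(r'^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*=\s*(.*?)\s*$')

def parse_attrs(text):
    """Return {(name, tag): value}; tag is None for untagged attributes."""
    attrs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        name, tag, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the surrounding quotes of string values
        attrs[(name, int(tag) if tag is not None else None)] = value
    return attrs

def vlan_hint(attrs, tag=0):
    """VLAN ID from the tunnel attribute triple, or None if absent or invalid."""
    if attrs.get(("Tunnel-Type", tag)) != "VLAN":
        return None
    if attrs.get(("Tunnel-Medium-Type", tag)) != "IEEE-802":
        return None
    vid = attrs.get(("Tunnel-Private-Group-Id", tag), "")
    # The VLANID travels as a string; accept only plain decimal in 0..4095.
    if not (vid.isascii() and vid.isdigit()) or int(vid) > 4095:
        return None
    return int(vid)

def nas_port_key(attrs):
    """(NAS-IP-Address, NAS-Port) lookup key; NAS-Port is a 4-octet value."""
    port = attrs.get(("NAS-Port", None), "")
    if not (port.isascii() and port.isdigit()) or int(port) > 0xFFFFFFFF:
        raise ValueError("NAS-Port missing or not a 32-bit unsigned integer")
    return attrs.get(("NAS-IP-Address", None)), int(port)
```

Whether the integer in the returned key matches the ifIndex still has to be confirmed against the switch itself before it is used to index port models.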
11-13-2008 05:22 AM
Re: 802.1x NAS-Port format on ProCurve 2600-PWR
Does it map to the ifIndex of that port? Or is it something else? I've seen many cases where a port index can be a certain value in one MIB, and a completely different value in another (dot1d MIB vs. if MIB, for example). I'm just looking to figure out what it is referring to for this particular device.
11-14-2008 04:13 AM