Re: Procurve 2510-24 as NAC

Mrxlazuardin
Occasional Contributor

Procurve 2510-24 as NAC

Hi,


What is the best authentication method on ProCurve 2510-24 switches so that I can separate many users connected to the same port (for example via a standard access point or hub) at the same time and associate them with different VLANs? At least I need two VLANs for grouping the users (Internal and Guest). Below is the topology.


Procurve 2510-24 -(single line)- AP/Hub -(many lines)- Users


Best regards.

2 REPLIES
jefflj
Frequent Advisor

Re: Procurve 2510-24 as NAC

Hi, the 2510 allows two modes of authentication: port-based and user-based.

With port-based authentication, whenever a user authenticates, the port is opened for all traffic until that user disconnects (or is de-authenticated in some manner). This means that anyone who can access the port (i.e. other users on a hub or access point), whether they can authenticate to the network or not, can access the same network resources that the original user can as long as that original user is authenticated. In addition, if multiple users try to authenticate, the switch treats each subsequent user, as they log in, as a re-authentication, so the network access is strictly based on the privileges allowed to the LAST user to authenticate. Also, when that last user logs out, all users will be disconnected; then the remaining users may attempt to re-authenticate and, as each one does, the privileges will change to those of the latest-authenticated user. If none of the users can authenticate, the port will remain closed. This is not an ideal solution for a multiple-user-per-port installation.

With user-based authentication, each user who connects must provide credentials to the switch and be authenticated prior to being allowed access to network resources. If a user authenticates and then a second user connects to the port (via a hub or AP connection), they will not be able to access network resources unless they, too, authenticate. In addition, each of these users will retain access as long as they are connected and authenticated, regardless of whether other users connect to or disconnect from the port. In this way each user can be identified and can be granted appropriate network access without interfering with others' access. This is the ideal solution for multiple-access installations.


One note: for each of these modes there are two ways to authenticate: 802.1X authentication, using a remote RADIUS server which contains user credentials and access-privilege information, or local authentication, using user information stored locally on the switch. As part of the authentication process, the users can be directed into different VLANs depending on their access levels and the type of authentication used: for RADIUS authentication, many types of attributes can be passed back to an authenticated user, including VLAN membership. For both RADIUS and local authentication, the switch can be configured to place the user in an "Auth VLAN" for successfully authenticated users and/or an "Unauth VLAN" for users that fail authentication. With this feature you can allow authenticated users access to your secure network VLAN and unauthenticated users access to a restricted VLAN (i.e. to get corrected user information, supplicants, or access to the internet). RADIUS attributes returned from a remote RADIUS server will override these settings.


Now, specifically for the 2510-24:

1) This product supports port-based and user-based authentication; unfortunately it only supports 2 users in user-based authentication mode.

2) For local authentication, this product will only allow users to authenticate using the username and password of the manager account configured on the switch, which means that in order to use local authentication, your end users will also be able to log in to the switch and change the configuration. This is not something you want to do in a multi-user environment.


So, for what you described, a better solution might be to push authentication out to the AP, using a remote RADIUS server and configuring the AP for multiple SSIDs, each mapped to a different VLAN, each of which is tagged on the uplink. Then you can set the switch for port-based authentication and enable the supplicant on the AP so that it authenticates when it connects. All users who connect to the AP will then have to authenticate to/through the AP in order to get access. I would then strongly discourage the use of hubs.
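As an added illustration (not part of this thread or of any HP documentation) of the user-based mode, the Auth/Unauth VLAN fallback and the RADIUS VLAN override that Jeff describes, here is a ProCurve-style switch fragment followed by matching FreeRADIUS "users" entries. The VLAN IDs 10/20, port 1, the server address, the shared secret and the usernames are placeholders I chose; the CLI keywords are the ones used on ProCurve switches of this generation, but confirm them against the 2510's management guide before use.

```text
vlan 10
   name Internal
   exit
vlan 20
   name Guest
   exit
radius-server host 192.0.2.10 key RADIUS_SECRET_PLACEHOLDER
aaa authentication port-access eap-radius
aaa port-access authenticator 1
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator 1 auth-vid 10
aaa port-access authenticator 1 unauth-vid 20
aaa port-access authenticator active

# FreeRADIUS "users" file (constructed example).
# The Tunnel-* attributes in the Access-Accept override the switch's
# auth-vid, so each user lands in the VLAN the server names for them.
alice    Cleartext-Password := "PASSWORD_PLACEHOLDER"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 10

visitor  Cleartext-Password := "PASSWORD_PLACEHOLDER"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 20
```

The client-limit of 2 is what makes port 1 user-based rather than port-based and matches the two-client ceiling Jeff mentions for the 2510; a client on that port that fails authentication is placed in the unauth-vid (20) instead of getting the authenticated user's access.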

Mrxlazuardin
Occasional Contributor

Re: Procurve 2510-24 as NAC

Hi Jeff,


What are the best ProCurve products for doing unlimited user-based or MAC-based authentication (preferred), with the assumption that the APs are only standard APs without multi-SSID support? I need to separate authenticated users into specified VLANs based on RADIUS.


Best regards,