The 802.1X protocol takes the RADIUS methodology and separates it into three distinct roles: the Supplicant, the Authenticator, and the Authentication Server. The Supplicant and the Authenticator communicate using the Extensible Authentication Protocol (EAP).

2.1 Supplicant
The Supplicant is the client that requests access to the network. Typically, a supplicant is a user workstation, but it may be a router, a switch, an IP phone, or any other device that is seeking network services. Supplicant software is already implemented natively in some operating systems, including Microsoft Windows XP and Vista, or can be downloaded and installed on the PC. Note that in the HP ProCurve implementation, a switch port can also be configured as a supplicant, in order to secure links between network devices.
The configuration of Windows XP and Vista supplicants for 802.1X is described in ProCurve Application Note AN-S3, How to configure 802.1X authentication with a Windows XP or Vista supplicant.
2.2 Authenticator
The Authenticator is the device that provides the entry point for the supplicant into the network. It requires the supplicant to provide 802.1X credentials, which are forwarded to the authentication server. HP ProCurve switches and access points can serve as authenticators.
2.3 Authentication Server
The Authentication Server receives authentication information that originates with the supplicant and verifies the information against its stored name/password pairs. In the HP ProCurve implementation, this is a RADIUS server. In the absence of an external authentication server, a switch can be configured to authenticate 802.1X supplicants using its own local database.
2.4 Authentication with EAP
The Extensible Authentication Protocol (EAP) is defined by the IEEE 802.1X standard as the mechanism that controls interaction between the supplicant and the authenticator. As shown in Figure 1, in the ProCurve implementation, the authenticator is a switch.
To enable 802.1X on a switch port, the port must be configured as a port-authenticator. (See the details of the switch configuration below in section 3.1, “Configure the ProCurve switch”.) A port-authenticator is closed to all incoming traffic except EAP.
Figure 1. Details of EAP authentication
When the switch sees a client connected on a port-authenticator, it sends an EAP-Identity Request to challenge the user for credentials. The PC replies with its username/password or certificate, and the switch forwards the information to the RADIUS server. From then on the switch merely relays messages between the Supplicant and the RADIUS Server, which directly negotiate the EAP method and the authentication parameters to use.
If the supplicant credentials match the information known to the RADIUS database (a local database or a directory, for example Active Directory in the Microsoft world), the RADIUS server sends a RADIUS Accept message back, the switch sends the Supplicant an EAP-Success message, and the port is opened for data transfer. Once the supplicant has been authenticated by the RADIUS server, other tools can be used to apply further controls to the supplicant.
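The exchange described above, as an added example that is not part of this application note or of the ProCurve firmware: a small Python model of a port-authenticator that issues the EAP-Request/Identity, validates the supplicant's Response (Length and Identifier checks as RFC 3748 specifies), relays the identity to the server, and opens the port only on a RADIUS Accept. The RADIUS server and the method negotiation it carries out with the supplicant are collapsed into a hypothetical `radius_decision` callback, which is an assumption of the model.

```python
import struct

# Numeric EAP codes and the Identity type come from RFC 3748 (not from the note)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1


def encode_eap(code, identifier, eap_type=None, data=b""):
    # EAP packet layout: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def decode_eap(raw):
    # Reject frames whose Length field does not match what was received
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP Length inconsistent with frame")
    body = raw[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without Type octet")
        return code, identifier, body[0], body[1:]
    return code, identifier, None, body  # Success/Failure carry no Type


class PortAuthenticator:
    # The port stays closed to everything but EAP until the server accepts
    def __init__(self, radius_decision):
        self.radius_decision = radius_decision  # hypothetical: identity -> bool
        self.port_open = False
        self.pending_id = None

    def challenge(self, identifier=1):
        # Link up: challenge the supplicant with an EAP-Request/Identity
        self.pending_id = identifier
        return encode_eap(EAP_REQUEST, identifier, TYPE_IDENTITY)

    def handle(self, frame):
        code, identifier, eap_type, data = decode_eap(frame)
        # Only a Response matching the outstanding Request's Identifier counts
        if code != EAP_RESPONSE or identifier != self.pending_id or eap_type != TYPE_IDENTITY:
            return None  # discard silently, as RFC 3748 requires
        self.pending_id = None  # the outstanding Request is consumed; no replay
        identity = data.decode("utf-8", "replace")
        # Switch relays to RADIUS; a RADIUS Accept becomes EAP-Success and opens the port
        if self.radius_decision(identity):
            self.port_open = True
            return encode_eap(EAP_SUCCESS, identifier)
        return encode_eap(EAP_FAILURE, identifier)
```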
2.5 EAP versions
The EAP version known as EAP-MD5 is an open standard. It relies on the MD5 hashing algorithm, which offers only comparatively weak security. (For example, it can be cracked by a dictionary attack.) This EAP version may be secure enough for wired authentication, but should not be considered secure on a wireless network.
Another open standard is EAP-TLS. This version of the protocol offers good security, because it relies on two certificates: one on the client side and one on the server side. However, the implementation of EAP-TLS can be complicated because of the management effort the many certificates require.
EAP-TTLS (Tunneled Transport Layer Security) is another open standard that offers good security; it requires X.509 certificates on the server side only. (Certificates on the client side are optional.) It is not natively implemented on Microsoft systems.
PEAP (Protected EAP) is an open standard that exists in two versions: PEAPv0/EAP-MSCHAPv2 and PEAPv1/EAP-GTC. The PEAP protocol performs authentication in two phases: Phase 1 authenticates the server with a PKI (Public Key Infrastructure) and creates a secure tunnel to encrypt the data exchange for Phase 2. Phase 2, in turn, authenticates the client through the encrypted tunnel.
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary version. EAP-FAST is also a Cisco version. Designed to correct weaknesses in LEAP, it uses a three-phase authentication scheme and is defined in an IETF draft.
EAP-SIM (Subscriber Identity Module) is a method used to distribute keys in the GSM network, while EAP-AKA (Authentication and Key Agreement) is used for UMTS networks.