Acl Assignment; User Profile Assignment; Periodic Mac Reauthentication; Configuration Prerequisites - HP FlexFabric 5700 Series Security Configuration Manual


ACL assignment

You can specify an authorization ACL in the user account for a MAC authentication user to control the
user's access to network resources. After the user passes MAC authentication, the authentication server
(local or remote) assigns the authorization ACL to the access port of the user. The ACL will filter traffic for
this user. You must configure ACL rules for the authorization ACL on the access device for the ACL
assignment feature.
To ensure a successful ACL assignment, make sure the ACL does not contain rules that match source MAC
addresses.
To change the access control criteria for the user, you can use one of the following methods:
• Modify ACL rules on the access device.
• Specify another authorization ACL on the authentication server.
For more information about ACLs, see ACL and QoS Configuration Guide.

User profile assignment

You can specify a user profile in the user account for a MAC authentication user to control the user's
access to network resources. After the user passes MAC authentication, the authentication server assigns
the user profile to the user to filter traffic for this user. The authentication server can be the local access
device or a RADIUS server. In either case, you must configure the user profile on the access device.
To change the user's access permissions, you can use one of the following methods:
• Modify the user profile configuration on the access device.
• Specify another user profile for the user on the authentication server.
For more information about user profiles, see

Periodic MAC reauthentication

Periodic MAC reauthentication tracks the connection status of online users, and updates the authorization
attributes assigned by the RADIUS server. The attributes include the ACL, VLAN, and user profile-based
QoS.
The device reauthenticates an online MAC authentication user periodically only after it receives the
termination action Radius-request from the authentication server for this user. The Session-Timeout
attribute (session timeout period) assigned by the server is the reauthentication interval. To display the
server-assigned Session-Timeout and Termination-Action attributes, use the display mac-authentication
connection command. Support for the server configuration and assignment of Session-Timeout and
Termination-Action attributes depends on the server model.
When no server is reachable for MAC reauthentication, the device keeps the MAC authentication users
online or logs off the users, depending on the keep-online feature configuration on the device. For
information about the keep-online feature, see

Configuration prerequisites

Before you configure MAC authentication, complete the following tasks:
"Configuring user profiles."
"Configuring the keep-online feature."
