
HP 5500/5800/7500 Switch Series - How to Enable dot1x and MAC Authentication on the Same Port with the Guest VLAN Feature

Information

For secured wired access, dot1x authentication is used to authenticate a normal PC based on its domain user name, while MAC authentication is used to authenticate phones, printers and other non-dot1x clients based on their MAC address.

To provide further flexibility, users would like both dot1x authentication and MAC authentication enabled on a port at the same time. Then, if a dot1x-capable device connects to the port, dot1x authentication takes place; if a non-dot1x device connects and the switch receives no EAP response, the switch uses the connected device's MAC address to authenticate it.

This document explains:

  1. How to enable both dot1x authentication and MAC authentication at the same time on a switch port.

  2. How a device that fails either dot1x authentication or MAC authentication is placed into a guest VLAN with limited access to the network.

Details

To enable dot1x authentication and MAC authentication on a switch port at the same time, port security must be enabled, rather than enabling dot1x or mac-authentication directly on the port, and the port security mode must be userlogin-secure-or-mac. To provide a guest VLAN for dot1x and MAC authentication, the switch port must be in hybrid mode instead of access mode, with mac-vlan enabled.

A working example configuration is shown below.

The guest VLAN used for MAC authentication and the guest VLAN used for dot1x authentication can be the same or different.



#
port-security enable
#
dot1x authentication-method eap
#
mac-authentication domain abca
#
radius scheme abc
primary authentication 192.168.1.1
primary accounting 192.168.1.1
key authentication 12345
key accounting 12345
user-name-format without-domain
nas-ip 192.168.1.10
#
domain test
authentication lan-access radius-scheme abc
authorization lan-access radius-scheme abc
accounting lan-access radius-scheme abc
access-limit disable
state active
idle-cut disable
self-service-url disable
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid vlan 1 untagged
mac-vlan enable
stp edged-port enable
mac-authentication guest-vlan 99
port-security max-mac-count 2
port-security port-mode userlogin-secure-or-mac
dot1x re-authenticate
dot1x guest-vlan 99
undo dot1x handshake
dot1x mandatory-domain test
undo dot1x multicast-trigger
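The recipe above amounts to a checklist per port: port security on globally, port mode userlogin-secure-or-mac, hybrid link type, mac-vlan enabled, a dot1x and a mac-authentication guest VLAN, and every referenced ISP domain actually defined. The following script is an added example (not HP's or Comware's own tooling) that audits a saved configuration against that checklist. It parses Comware's "#"-delimited views with the command spellings shown on this page, runs over a constructed sample config in which GigabitEthernet1/0/1 follows the recipe and GigabitEthernet1/0/2 deliberately does not, and reports the gaps. Note that the page's excerpt references domain abca under mac-authentication while only domain test is shown; if abca is not defined elsewhere on the switch, this check would report it.

```python
"""Audit a Comware-style config for port-security based dot1x + MAC
authentication with guest VLANs. Added example, not vendor tooling."""
import re

# Constructed sample config, modelled on the page's example. Port 1/0/1 follows
# the recipe; port 1/0/2 is an incomplete variant (access port, no mac-vlan,
# no guest VLANs, undefined domain) used to exercise the checks.
SAMPLE_CONFIG = """\
#
port-security enable
#
dot1x authentication-method eap
#
mac-authentication domain test
#
domain test
 authentication lan-access radius-scheme abc
 authorization lan-access radius-scheme abc
 accounting lan-access radius-scheme abc
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 1 untagged
 mac-vlan enable
 stp edged-port enable
 mac-authentication guest-vlan 99
 port-security max-mac-count 2
 port-security port-mode userlogin-secure-or-mac
 dot1x re-authenticate
 dot1x guest-vlan 99
 undo dot1x handshake
 dot1x mandatory-domain test
 undo dot1x multicast-trigger
#
interface GigabitEthernet1/0/2
 port link-type access
 port-security port-mode userlogin-secure-or-mac
 dot1x mandatory-domain corp
#
interface GigabitEthernet1/0/24
 port link-type trunk
#
"""

AUTH_PREFIXES = ("port-security", "dot1x", "mac-authentication")


def parse_comware(config):
    """Return (global_lines, defined_domains, {interface: [lines]})."""
    global_lines, domains, interfaces = set(), set(), {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None  # a '#' line ends the current view
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        m = re.match(r"^domain (\S+)$", line)
        if m:
            domains.add(m.group(1))
            current = None
            continue
        if current:
            interfaces[current].append(line)
        else:
            global_lines.add(line)
    return global_lines, domains, interfaces


def audit_port(lines, global_lines, domains):
    """List the gaps between one access port's config and the page's recipe."""
    findings = []
    if "port-security enable" not in global_lines:
        findings.append("port-security is not enabled globally")
    if "port-security port-mode userlogin-secure-or-mac" not in lines:
        findings.append("port mode is not userlogin-secure-or-mac")
    if "port link-type hybrid" not in lines:
        findings.append("port is not hybrid; guest VLAN needs hybrid link type")
    if "mac-vlan enable" not in lines:
        findings.append("mac-vlan is not enabled")
    for prefix in ("dot1x guest-vlan ", "mac-authentication guest-vlan "):
        if not any(ln.startswith(prefix) for ln in lines):
            findings.append("missing " + prefix.strip())
    # Every ISP domain referenced by the port or by global mac-authentication
    # must be defined, otherwise authentication for that method cannot succeed.
    refs = [ln.split()[-1] for ln in lines if ln.startswith("dot1x mandatory-domain ")]
    refs += [ln.split()[-1] for ln in global_lines
             if ln.startswith("mac-authentication domain ")]
    for dom in refs:
        if dom not in domains:
            findings.append("referenced domain %s is not defined" % dom)
    return findings


def audit(config):
    """Audit only ports that carry some access-authentication command."""
    global_lines, domains, interfaces = parse_comware(config)
    return {name: audit_port(lines, global_lines, domains)
            for name, lines in interfaces.items()
            if any(ln.startswith(AUTH_PREFIXES) for ln in lines)}


if __name__ == "__main__":
    for port, gaps in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not gaps else gaps)
```

Run it against the output of "display current-configuration" saved to a file by replacing SAMPLE_CONFIG with the file contents; uplink ports with no port-security, dot1x or mac-authentication commands are skipped so only access ports are judged.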