But once you have it working, the time it will save you on OpEx, and the number of security incidents you will reduce, makes it a no-brainer
802.1X works a lot better on many other switch Vendors, but HP has a massive foot print in SMB's and remote offices, and those are the locations where you really need it.
802.1X can be deployed in a few different ways depending on what you want to do.
This guide discusses setting up 802.1X for MAC Address Authentication to dynamically configure the Access port with the correct tagged and untagged VLANs, and port CoS priority based on the MAC address the switch receives.
Web/SSH Client Authentication, is not discussed here but the idea is to authenticate the User, where MAC Auth is for the hardware. If you want to get serious you can do both.. (recommended)
NB; With the advent of USB and Thunderbolt plugable NIC adaptors, MAC based auth is not a secure method, but it can still be used for managing VLAN assignment, and helping with general port level security.
- Provides a centralised MAC<->VLAN management (OpenLDAP).
- Requires communication with central store via RADIUS (FreeRADIUS).
- Utilises standards based RADIUS ‘auth’ and implements the standards based VLAN assignment policies.
- RFC3580 for untagged VLAN assignment and RFC4675 for tagged VLAN assignment.
- Supports per-port CoS assignment via LDAP for QoS (RFC4675).
- Supports many other features including configuring per-port ACLs and rate limiting.
Setup LDAP
LDAP is just one of many data storage back ends which RADIUS supports.
Install OpenLDAP;
aptitude install dkms
aptitude install slapd
aptitude install ldap-utils
We are going to backup and restore a production system into the lab for testing.
On new server move default /etc/ldap/slapd.d out of the way to /etc/ldap/slapd.d.orig
Copy LDAP schema's, certs and slapd.conf (/etc/ldap/*) from the existing OpenLDAP server (/etc/ldap/) to the new one. NB; set permissions to root:openldap on copied files
slapcat > /tmp/my.ldif (on existing LDAP server, dump backup)
slapadd -l /tmp/my.ldif (on new LDAP server LAB CLONE, dump import)
Test the new LDAP server
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
- You should now have a standalone Cloned Copy of the current LDAP tree
Setup RADIUS with LDAP
FreeRADIUS provides encryption, and a standardised interface for authentication. LDAP is just the back end, and so we will later connect RADIUS to LDAP, so that RADIUS is doing nothing more than providing the auth protocols for the Switches. RADIUS also has its own data stores, but these are not recommended unless you know what you are doing.Install FreeRADIUS;
aptitude install freeradius
aptitude install freeradius-ldapConfigure OpenLDAP for FreeRADIUS;
cp /usr/share/doc/freeradius/examples/openldap.schema /etc/ldap/schema/radius-openldap.schema
Copy the default ‘freeradius’ LDAP schema into OpenLDAP for inclusion (to provide RADIUS elements to your LDAP objects);
Enable the new schema;
edit /etc/ldap/slapd.conf adding;
include /etc/ldap/schema/radius-openldap.schemaNow lets add some custom HP Specific attributes to the main LDAP schema with the correct data types, so that we can use tokens which fit more nicely with HP's interpretation of the RFC's.
Ensure the attributes ‘radiusHPCoS’ and ‘radiusMacAddress’ are defined and referenced in the local.schema file;
attributetype ( NAME 'radiusHPCoS'
DESC '802.1p CoS mapping'
EQUALITY integerMatch
attributetype ( NAME 'radiusMacAddress'
DESC 'MAC Address'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreSubstringsMatch
MAY ( radiusHPCoS $ radiusMacAddress $ …..
Notice that you need to add “radiusHPCoS $ radiusMacAddress $” not replace the line starting MAY.
service slapd restart
You should now have an LDAP schema which can support many new RADIUS related attributes/properties which can be defined in the LDAP objects.
Configure FreeRadius;
Edit /etc/freeradius/modules/ldap and configure FreeRadius to connect to OpenLDAP on localhost
server = "localhost"
identity = "cn=root,dc=base,dc=runtime-collective,dc=com"
password = <!LDAP Password!>
basedn = "dc=base,dc=runtime-collective,dc=com"
filter = "(radiusMacAddress=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
ldap_connections_number = 10
Remove the default ldap connection if present;
rm /etc/freeradius/modules/ldap.dpkg-dist
NB; the "filter" statement ensures that the ‘User-Name’ RADIUS attribute maps to the new ‘radiusMacAddress’ LDAP attribute for the LDAP search.
Edit /etc/freeradius/sites-enabled/default uncomment ‘ldap’
Edit /etc/freeradius/sites-enabled/inner-tunnel uncomment ‘ldap’
Edit /etc/freeradius/clients.conf and define all the network clients (Wireless APs, Switches, any devices which need to authorise users/machines);
client {
ipaddr =
secret = testing123
shortname =
nastype = "other"
Configure the RFC3580 Radius attributes, to map onto the new custom LDAP attributes as per local.schema (NB; When running MAC driven AAA port-based authentication, the MAC address of the conencting computer is used for both the User and Pass);
edit /etc/freeradius/ldap.attrmap and add the following lines;
checkItem User-Name radiusMacAddress
checkItem Cleartext-Password radiusMacAddress
replyItem HP-COS radiusHPCoS
service freeradius restart
Configure LDAP Objects
Configure the LDAP client object adding the new attributes with desired VLAN and CoS values;
objectClass: hardwareClass <- Required
objectClass: radiusprofile <- Required
dialupAccess: access_attr <- Required
radiusHPCoS: 3 <- Optional - CoS queue (see table below)
radiusMacAddress: 6805ca07e4ef <- Required - MAC Address (Must be lower-case without any special chars (if you want ":" formatted etc, add commands to the switch))
radiusTunnelMediumType: "IEEE-802" <- Required
radiusTunnelPrivateGroupId: 11 <- Required - Desired VLAN (Decimal) (VLAN must already exist on switches)
radiusTunnelType: VLAN <- Required
Table 1: radiusHPCoS values (optional);
802.1p Value
Traffic Class
Queue (W firmware)
Queue (K firmware)
Best Effort
Excellent Effort
Controlled Load
Network Control
Setup HP Procurve Switches
Configure HP Procurve switches to use RADIUS for Dynamic VLAN assignment;
max-vlans 256 <- Set as high as switch allows
crypto key generate cert 1024
crypto host-cert generate self-signed
radius-server host <- Define multiple times for multiple Radius servers
radius-server key "testing123" <- Radius server encryption key (clients.conf)
aaa accounting update periodic 15 <- Optional - Radius Accounting
aaa accounting exec start-stop radius <- Optional - Radius Accounting
aaa accounting network start-stop radius <- Optional - Radius Accounting
aaa accounting system start-stop radius <- Optional - Radius Accounting
aaa port-access mac-based 1-48 <- Enable MAC based RADIUS auth on ports 1-48
aaa port-access mac-based 1-48 auth-vid 1 <- Set untagged VLAN=1 if auth success, but no VLAN ID provided by RADIUS.
aaa port-access mac-based 1-48 unauth-vid 1
aaa port-access mac-based 1-48 logoff-period 9999999
aaa port-access mac-based 1-48 quiet-period 30
aaa port-access mac-based 1-48 addr-limit 32
aaa port-access mac-based 1-48 addr-moves
aaa port-access 1-48 controlled-direction in
spanning-tree 1-48 bpdu-protection <- Shut port if BPDU received
spanning-tree 1-48 bpdu-protection <- Shut port if BPDU received
spanning-tree 1-48 admin-edge-port <- Important to ensure port works properly, but enables immediate port forwarding (port-fast equivalent).
Config rules;
Ensure all VLANs set in LDAP are manually defined in switch running config, and north-bound trunk ports to spine/core allow tagged packets for all the VLANs.
- Ports are now assigned to Untagged VLAN IDs by RADIUS, or defaults to Untagged VLAN 1
Configure IPMI and iLO2 hosts;
Reset to defaults and ensure DHCP enabled.
Ensure IPMI failover mode is set to dedicated in the BIOS (do not use IPMI failover with Supermicro to share the port as does not fail-back).
VLAN tagging with BCM systems normally does not work. We solved this by running VLAN tags on all servers, and running IPMI untagged. This way when a race occurs, the port is simply setup for both tagged X (for Linux) and untagged Y (for the BMC) thus resolving the race.
Configure Linux hosts (Optional);
By default Linux sends only a single GARP on Ethernet carrier up (link up), and so ifplugd is sometimes needed to send enough frames to ensure the switch port is fully configured by 802.1X (For example, if the host sends no frames, the host will be unreachable by other hosts until this host sends at least one frame). DHCP client would achieve the same effect.
install ifplugd
edit /etc/default/ifplugd;
INTERFACES="eth0 eth1"
ARGS="-q -f -u0 -d0 -w -I"
edit /etc/ifplugd/ifplugd.action
Change up and down actions to be simply ping <ip-of-gateway> -c 6
/etc/init.d/ifplugd start
Alternatively see my other post regarding configuring robust Debian networking.
Useful show / debug commands;
Procurve Commands;
show port-access mac-based <- MACAUTHED ports
show port-access mac-based clients
show port-access mac-based clients 1-48 detailed
show port-access config
show port-access mac-based 1 config
show vlans ports 1-48
show qos port-priority
show authentication
show port-access authenticator <- 802.11X Authed ports
show port-access authenticator clients <- 802.11X Authed ports
radiusx -D
radtest 0cc47a16da00 0cc47a16da00 0 testing123
Log into manager@coreswitch{0/1} to find access switch connected to MAC;
show mac-address [MAC]
show arp
Enable debug
debug destination session
debug event
debug security
debug security port-access mac-based include port 1
debug security
debug security port-access mac-based include port all
Release port to stimulate new auth
aaa port-access mac-based 1 reauthenticate
no debug all
service freeradius stop
freeradius -X
(Remember to stop freeRADIUS on other server) Extras
LDAP based users logging into the switches can also be authenticated! However due to the LDAP search filter defined above, the "User-Name" RADIUS attribute is being mapped to "radiusMacAddress" and NOT "uid", therefore authenticating users via RADIUS/LDAP is mutulally exclusive to MAC based authenticatiuon.
Solved this previously by running multiple instances of freeRADIUS on different listening ports (each with appropraite LDAP mappings) all using the same LDAP back end. This allows Web based 802.1X, MAC based 802.1X and Also provides the framework for two factor authentication.
aaa authentication console login radius local <- Enable RADIUS for console login
aaa authentication console enable radius local <- Enable RADIUS for console enable
aaa authentication ssh login radius local <- Enable RADIUS for ssh login
aaa authentication ssh enable radius local <- Enable RADIUS for ssh enable
aaa authentication login privilege-mode <- Force require radiusServiceType attribute for user privileges
User LDAP object;
objectClass: radiusprofile
radiusServiceType: Administrative-User <- Give user enable privileges
radiusServiceType: NAS-Prompt-User <- Give user login only privileges
WARNING; If switch config does not include ‘aaa authentication login privilege-mode’ ALL LDAP users have full enable privileges!
Alternative Solution
Assign the VLANs for each access-port dynamically.
Option 1 - Dynamic GVRP VLAN assignment (not recommended)
Whilst this is initially a very simple setup whereby Linux is responsible for negotiating required VLANs with the switch using GVRP, so the switch can assign the connected port to said VLAN, there are some caveats;
- GVRP support is NOT widely deployed - severity = Minor
- GVRP support has only just come into kernel 3.2 - severity = Minor
- Enabling GVRP VLANs requires significant research and testing as GVRP has been warned against by HP when using advanced functions like active-active distributed trunks, VRRP, MSTP (all of which we use) - severity = Major
- Due to the challenges with enabling GVRP it is not advisable to implement short term if a move to static VLANs is desired - severity = Critical
- Can only implement using the ‘ip link’ command, not /etc/network/interfaces - severity = Major
- GVRP is not widely used as it allows end-nodes to have control over the network configuration.
- Buy its very nature of being dynamic, GVRP (1999) has various limitations and issues with scale and was superseded by MVRP (2011) to address these limitations - severity = Major
- If there are problems, downtime will be experienced whilst GVRP re-converges - severity = Major
- Will only work on Linux ports, so will not work for IPMI interfaces - severity = Blocker
on switch;
on Linux;
ip link add link eth1 name vlan6 type vlan id 6 gvrp on loose_binding on
ip link set vlan6 up
ip link set vlan6 up
NB; no /etc/network/interfaces support
No comments:
Post a Comment