71
Configuring 802.1X
This chapter describes how to configure 802.1X on an HP device. You can also configure the port
security feature to perform 802.1X. Port security combines and extends 802.1X and MAC
authentication. It applies to a network (a WLAN, for example) that requires different authentication
methods for different users on a port. Port security is beyond the scope of this chapter. It is described in
HP implementation of 802.1X
Access control methods
HP implements port-based access control as defined in the 802.1X protocol and extends the protocol to
support MAC-based access control.
•
With port-based access control, after an 802.1X user passes authentication on a port, any
subsequent user can access the network through the port without authentication. When the
authenticated user logs off, all other users are logged off.
•
With MAC-based access control, each user is separately authenticated on a port. When a user
logs off, no other online users are affected.
Using 802.1X authentication with other features
VLAN assignment
You can configure the authentication server to assign a VLAN for an 802.1X user who has passed
authentication. The way that the network access device handles VLANs on an 802.1X-enabled port
differs by 802.1X access control mode.
Access control
VLAN manipulation
Port-based
Assigns the VLAN to the port as the default VLAN. All subsequent 802.1X users can
access the default VLAN without authentication.
When the user logs off, the previous default VLAN is restored, and all other online
users are logged off.
MAC-based
•
If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC
address of each user to the VLAN assigned by the authentication server. The
default VLAN of the port does not change. When a user logs off, the MAC-to-
VLAN mapping for the user is removed.
•
If the port is an access, trunk, or MAC-based VLAN disabled hybrid port, assigns
the first authenticated user's VLAN to the port as the default VLAN. If a different
VLAN is assigned for a subsequent user, the user cannot pass the authentication.
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After
the assignment, do not re-configure the port as a tagged member in the VLAN.
On a periodic online user re-authentication enabled port, if a user has been online before you enable
the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user
unless the user passes re-authentication and the VLAN for the user has changed.