13-40
Configuring Port-Based and User-Based Access Control (802.1X)
802.1X Open VLAN Mode
Effect of Unauthorized-Client VLAN
session on untagged port VLAN
membership
• When an unauthenticated client connects to a port that is already
configured with a static, untagged VLAN, the switch temporarily
moves the port to the Unauthorized-Client VLAN (also untagged).
(While the Unauthorized-Client VLAN is in use, the port does not
access any other VLANs.)
• If the client disconnects, the port leaves the Unauthorized-Client
VLAN and re-acquires membership in all the statically configured
VLANs to which it belongs.
• If the client becomes authenticated, the port leaves the
Unauthenticated-Client VLAN and joins the appropriate VLAN.
(Refer to “VLAN Membership Priorities” on page 13-33.
• In the case of the multiple clients allowed on switches, if an
authenticated client is already using the port for a different VLAN,
then any other unauthenticated clients needing to use the
Unauthorized-Client VLAN are blocked.
Effect of Authorized-Client VLAN
session on untagged port VLAN
membership.
• When a client becomes authenticated on a port that is already
configured with a static, untagged VLAN, the switch temporarily
moves the port to the Authorized-Client VLAN (also untagged).
While the Authorized-Client VLAN is in use, the port does not have
access to the statically configured, untagged VLAN.
• When the authenticated client disconnects, the switch removes the
port from the Authorized-Client VLAN and moves it back to the
untagged membership in the statically configured VLAN. (After
client authentication, the port resumes any tagged VLAN
memberships for which it is already configured. For details, refer to
the Note on page 13-33.)
Note:
This rule assumes:
• No alternate VLAN has been assigned by a RADIUS server.
• No other authenticated clients are already using the port.
Multiple Authenticator Ports Using
the Same Unauthorized-Client and
Authorized-Client VLANs
You can use the same static VLAN as the Unauthorized-Client VLAN
for all 802.1X authenticator ports configured on the switch. Similarly,
you can use the same static VLAN as the Authorized-Client VLAN for
all 802.1X authenticator ports configured on the switch.
Caution:
Do not use the same static VLAN for both the unauthorized-
client VLAN and the authorized-client VLAN. Using one VLAN for both
creates a security risk by defeating the isolation of unauthenticated
clients.
Effect of Failed Client Authentication
Attempt
This rule assumes no other authenticated
clients are already using the port on a
different VLAN.
When there is an Unauthorized-Client VLAN configured on an 802.1X
authenticator port, an unauthorized client connected to the port has
access only to the network resources belonging to the Unauthorized-
Client VLAN. This access continues until the client disconnects from
the port. (If there is no Unauthorized-Client VLAN configured on the
authenticator port, the port simply blocks access for any unauthorized
client.)
Condition
Rule
Summary of Contents for E3800 Series
Page 2: ......
Page 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Page 30: ...xxviii ...
Page 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Page 186: ...4 72 Web and MAC Authentication Client Status ...
Page 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Page 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Page 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Page 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Page 730: ...20 Index ...
Page 731: ......