13-43
Configuring Port-Based and User-Based Access Control (802.1X)
802.1X Open VLAN Mode
Setting Up and Configuring 802.1X Open VLAN Mode
Preparation.
This section assumes use of both the Unauthorized-Client and
Authorized-Client VLANs. Refer to Table 13-1 on page 13-35 for other options.
Before you configure the 802.1X Open VLAN mode on a port:
■
Statically configure an “Unauthorized-Client VLAN” in the switch. The
only ports that should belong to this VLAN are ports offering services and
access you want available to unauthenticated clients. (802.1X authentica-
tor ports do not have to be members of this VLAN.)
C a u t i o n
Do not allow any port memberships or network services on this VLAN that
would pose a security risk if exposed to an unauthorized client.
■
Statically configure an Authorized-Client VLAN in the switch. The only
ports that should belong to this VLAN are ports offering services and
access you want available to authenticated clients. 802.1X authenticator
ports do not have to be members of this VLAN.
Note that if an 802.1X authenticator port is an untagged member of
another VLAN, the port’s access to that other VLAN will be temporarily
removed while an authenticated client is connected to the port. For
example, if:
i.
Port 5 is an untagged member of VLAN 1 (the default VLAN).
ii.
You configure port 5 as an 802.1X authenticator port.
iii. You configure port 5 to use an Authorized-Client VLAN.
Then, if a client connects to port 5 and is authenticated, port 5 becomes
an untagged member of the Authorized-Client VLAN and is temporarily
suspended from membership in the default VLAN.
■
If you expect friendly clients to connect without having 802.1X supplicant
software running, provide a server on the Unauthorized-Client VLAN for
downloading 802.1X supplicant software to the client, and a procedure by
which the client initiates the download.
■
A client must either have a valid IP address configured before connecting
to the switch, or download one through the Unauthorized-Client VLAN
from a DHCP server. In the latter case, you will need to provide DHCP
services on the Unauthorized-Client VLAN.
■
Ensure that the switch is connected to a RADIUS server configured to
support authentication requests from clients using ports configured as
802.1X authenticators. (The RADIUS server should not be on the Unau-
thorized-Client VLAN.)
Summary of Contents for E3800 Series
Page 2: ......
Page 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Page 30: ...xxviii ...
Page 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Page 186: ...4 72 Web and MAC Authentication Client Status ...
Page 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Page 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Page 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Page 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Page 730: ...20 Index ...
Page 731: ......