13-48
Configuring Port-Based and User-Based Access Control (802.1X)
802.1X Open VLAN Mode
Inspecting 802.1X Open VLAN Mode Operation.
For information and
an example on viewing current Open VLAN mode operation, refer to “Viewing
802.1X Open VLAN Mode Status” on page 13-64.
802.1X Open VLAN Operating Notes
■
Although you can configure Open VLAN mode to use the same VLAN for
both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this
is
not
recommended. Using the same VLAN for both purposes allows
unauthenticated clients access to a VLAN intended only for authenticated
clients, which poses a security breach.
■
While an Unauthorized-Client VLAN is in use on a port, the switch tempo-
rarily removes the port from any other statically configured VLAN for
which that port is configured as a member. Note that the Menu interface
will still display the port’s statically configured VLAN(s).
■
A VLAN used as the Unauthorized-Client VLAN should not allow access
to resources that must be protected from unauthenticated clients.
■
If a port is configured as a tagged member of VLAN “X”, then the port
returns to tagged membership in VLAN “X” upon successful client authen-
tication. This happens even if the RADIUS server assigns the port to
another, authorized VLAN “Y”. Note that if RADIUS assigns VLAN “X” as
an authorized VLAN, then the port becomes an
untagged
member of VLAN
“X” for the duration of the client connection. (If there is no Authorized-
Client or RADIUS-assigned VLAN, then an authenticated client without
tagged VLAN capability can access only a statically configured, untagged
VLAN on that port.)
■
When a client’s authentication attempt on an Unauthorized-Client VLAN
fails, the port remains a member of the Unauthorized-Client VLAN until
the client disconnects from the port.
■
During an authentication session on a port in 802.1X Open VLAN mode,
if RADIUS specifies membership in an untagged VLAN, this assignment
overrides port membership in the Authorized-Client VLAN. If there is no
Authorized-Client VLAN configured, then the RADIUS assignment over-
rides any untagged VLAN for which the port is statically configured.
■
If the only authenticated client on a port loses authentication during a
session in 802.1X Open VLAN mode, the port VLAN membership reverts
back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client
VLAN configured, then the client loses access to the port until it can
Summary of Contents for E3800 Series
Page 2: ......
Page 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Page 30: ...xxviii ...
Page 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Page 186: ...4 72 Web and MAC Authentication Client Status ...
Page 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Page 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Page 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Page 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Page 730: ...20 Index ...
Page 731: ......