13-72
Configuring Port-Based and User-Based Access Control (802.1X)
How RADIUS/802.1X Authentication Affects VLAN Operation
If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port (as described in the preceding bullet and in “Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session” on page 13-72), the disabled VLAN assignment is not advertised. When the authentication session ends, the switch:
• Removes the temporary untagged VLAN assignment and stops advertising it.
• Re-activates and resumes advertising the temporarily disabled, untagged VLAN assignment.
■ If you modify a VLAN ID configuration on a port during an 802.1X, MAC, or Web authentication session, the changes do not take effect until the session ends.
■ When a switch port is configured with RADIUS-based authentication to accept multiple 802.1X and/or MAC or Web authentication client sessions, all authenticated clients must use the same port-based, untagged VLAN membership assigned for the earliest, currently active client session. Therefore, on a port where one or more authenticated client sessions are already running, all such clients are on the same untagged VLAN. If a RADIUS server subsequently authenticates a new client, but attempts to re-assign the port to a different, untagged VLAN than the one already in use for the previously existing, authenticated client sessions, the connection for the new client will fail.
Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session
The following example shows how an untagged static VLAN is temporarily assigned to a port for use during an 802.1X authentication session. In the example, an 802.1X-aware client on port 2 has been authenticated by a RADIUS server for access to VLAN 22. However, port 2 is not configured as a member of VLAN 22 but as a member of untagged VLAN 33, as shown in Figure 13-20.
For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port 2 requires access to VLAN 22, but VLAN 22 is configured for no access on port 2, and VLAN 33 is configured as untagged on port 2.
If RADIUS authorizes an 802.1X client on port 2 with the requirement that the client use VLAN 22, then:
■ VLAN 22 becomes available as Untagged on port 2 for the duration of the session.
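The rules in the operating notes above (temporary untagged VLAN replacing the static one, deferred VLAN ID changes, and the same-VLAN requirement for additional clients on a port) and the port 2 / VLAN 22 / VLAN 33 example can be captured in a small state model. The following Python is an added illustration written for this page, not HP switch code; the class, method names and client identifiers are constructed, and the assumption that the temporary VLAN persists until the last of several client sessions on the port ends (the guide describes a single session ending) is the example's own.

```python
"""Model of the 802.1X/RADIUS untagged-VLAN behaviour described in the
operating notes. Constructed example, not switch firmware or HP code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    # VLAN configured as Untagged on the port (VLAN 33 in the guide's example)
    static_untagged_vlan: int
    # Authenticated client sessions in arrival order: client id -> RADIUS VLAN
    sessions: dict = field(default_factory=dict)
    # VLAN ID change made during a session; applied only when sessions end
    pending_static_vlan: Optional[int] = None

    def active_untagged_vlan(self) -> int:
        """Untagged VLAN the port currently uses and advertises."""
        if self.sessions:
            # All clients share the VLAN assigned for the earliest active session
            return next(iter(self.sessions.values()))
        return self.static_untagged_vlan

    def static_vlan_disabled(self) -> bool:
        """True while a RADIUS-assigned VLAN has displaced the static untagged VLAN."""
        return bool(self.sessions) and self.active_untagged_vlan() != self.static_untagged_vlan

    def authenticate(self, client: str, radius_vlan: int) -> bool:
        """RADIUS authorizes `client` with untagged `radius_vlan`.
        Returns False when the assignment conflicts with the VLAN already in
        use for existing sessions (the new client's connection fails)."""
        if self.sessions and radius_vlan != self.active_untagged_vlan():
            return False
        self.sessions[client] = radius_vlan
        return True

    def configure_static_vlan(self, vlan: int) -> None:
        """Operator changes the port's untagged VLAN ID; deferred during sessions."""
        if self.sessions:
            self.pending_static_vlan = vlan
        else:
            self.static_untagged_vlan = vlan

    def end_session(self, client: str) -> None:
        """Session ends: temporary VLAN is dropped once no session remains,
        the static VLAN is re-activated and any deferred change is applied."""
        self.sessions.pop(client, None)
        if not self.sessions and self.pending_static_vlan is not None:
            self.static_untagged_vlan = self.pending_static_vlan
            self.pending_static_vlan = None


def walkthrough() -> list:
    """Replay the guide's scenario on port 2 (static untagged VLAN 33)."""
    port2 = Port(static_untagged_vlan=33)
    trace = []
    trace.append(port2.authenticate("client-a", 22))   # accepted, VLAN 22 untagged
    trace.append(port2.active_untagged_vlan())          # 22 for the session
    trace.append(port2.static_vlan_disabled())          # VLAN 33 no longer advertised
    trace.append(port2.authenticate("client-b", 44))   # different VLAN: fails
    trace.append(port2.authenticate("client-c", 22))   # same VLAN: accepted
    port2.configure_static_vlan(55)                     # change deferred
    trace.append(port2.static_untagged_vlan)            # still 33
    port2.end_session("client-a")
    trace.append(port2.active_untagged_vlan())          # client-c keeps VLAN 22
    port2.end_session("client-c")
    trace.append(port2.active_untagged_vlan())          # static VLAN back, now 55
    return trace


if __name__ == "__main__":
    print(walkthrough())
```

Running the walkthrough returns `[True, 22, True, False, True, 33, 22, 55]`: the second client assigned VLAN 44 is rejected while VLAN 22 is in use, the operator's change to VLAN 55 waits until the last session ends, and the port then resumes advertising its (updated) static untagged VLAN.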