Web and MAC Authentication
Operating Rules and Notes
• During an authenticated client session, the following hierarchy determines a port’s VLAN membership:
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships.
3. If neither 1 nor 2, above, applies, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
4. If none of 1, 2, or 3, above, applies, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.
• After an authorized client session begins on a given port, the port’s VLAN membership does not change. If other clients on the same port become authenticated with a different VLAN assignment than the first client, the port blocks access to these other clients until the first client session ends.
• The optional “authorized” VLAN (auth-vid) and “unauthorized” VLAN (unauth-vid) you can configure for Web- or MAC-based authentication must be statically configured VLANs on the switch. Also, if you configure one or both of these options, any services you want clients in either category to access must be available on those VLANs.
■ Where a given port’s configuration includes an unauthorized client VLAN assignment, the port will allow an unauthenticated client session only while there are no requests for an authenticated client session on that port. In this case, if there is a successful request for authentication from an authorized client, the switch terminates the unauthorized-client session and begins the authorized-client session.
■ When a port on the switch is configured for Web or MAC Authentication and is supporting a current session with another device, rebooting the switch invokes a re-authentication of the connection.
■ When a port on the switch is configured as a Web- or MAC-based authenticator, it blocks access to a client that does not provide the proper authentication credentials. If the port configuration includes an optional, unauthorized VLAN (unauth-vid), the port is temporarily placed in the unauthorized VLAN if there are no other authorized clients currently using the port with a different VLAN assignment. If an authorized client is using the port with a different VLAN or if there is no unauthorized VLAN configured, the unauthorized client does not receive access to the network.
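The rules above can be checked against a planned port configuration with a small model. The following Python sketch is an added example, not code from the switch or from this guide; the class and method names are hypothetical, and it simplifies by treating a port as holding a single VLAN fixed by its first authorized client.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Port:  # hypothetical model of one Web/MAC authenticator port
    auth_vid: Optional[int] = None         # optional Authorized VLAN
    unauth_vid: Optional[int] = None       # optional Unauthorized VLAN
    static_untagged: Optional[int] = None  # static untagged port-based VLAN
    session_vlan: Optional[int] = None     # VLAN fixed by the first authorized client
    authorized: Set[str] = field(default_factory=set)
    unauthorized: Set[str] = field(default_factory=set)

    def resolve(self, radius_vlan: Optional[int]) -> Optional[int]:
        """Hierarchy rules 1-3; None means rule 4 (client access blocked)."""
        for vid in (radius_vlan, self.auth_vid, self.static_untagged):
            if vid is not None:
                return vid
        return None

    def auth_success(self, client: str, radius_vlan: Optional[int] = None) -> Optional[int]:
        """Client passed authentication. Returns its VLAN, or None if blocked."""
        vid = self.resolve(radius_vlan)
        if vid is None:
            return None
        if self.authorized and vid != self.session_vlan:
            return None                    # port VLAN does not change mid-session
        self.unauthorized.clear()          # authorized session ends the unauthorized one
        self.authorized.add(client)
        self.session_vlan = vid
        return vid

    def auth_failure(self, client: str) -> Optional[int]:
        """Client failed authentication. Returns unauth-vid, or None if blocked."""
        if self.unauth_vid is None:
            return None
        if self.authorized and self.session_vlan != self.unauth_vid:
            return None                    # authorized client holds a different VLAN
        self.unauthorized.add(client)
        return self.unauth_vid

    def end_session(self, client: str) -> None:
        self.authorized.discard(client)
        self.unauthorized.discard(client)
        if not self.authorized:
            self.session_vlan = None       # next authorized client sets the VLAN again

if __name__ == "__main__":
    p = Port(auth_vid=20, unauth_vid=99, static_untagged=1)  # constructed VLAN IDs
    print(p.auth_failure("guest"), p.auth_success("pc-a", 30), p.auth_success("pc-b"))
```

Run against a planned configuration, the model shows which combinations of RADIUS assignments leave a second client on a shared port blocked.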