Configuring Port-Based and User-Based Access Control (802.1X)
Overview
credentials. This operation improves security by opening a given port only to
individually authenticated clients, while simultaneously blocking access to
the same port for clients that cannot be authenticated. All sessions must use
the same untagged VLAN. Also, an authenticated client can use any tagged
VLAN memberships statically configured on the port, provided the client is
configured to use the tagged VLAN memberships available on the port. (Note
that the session total includes any sessions begun by the Web Authentication
or MAC Authentication features covered in chapter 3.) For more information,
refer to “Option For Authenticator Ports: Configure Port-Security To Allow
Only 802.1X-Authenticated Devices” on page 12-47.
802.1X Port-Based Access Control
802.1X port-based access control provides port-level security that allows LAN
access only on ports where a single 802.1X-capable client (supplicant) has
entered authorized RADIUS user credentials. For reasons outlined below, this
option is recommended for applications where only one client at a time can
connect to the port. Using this option, the port processes all traffic as if it
comes from the same client. Thus, in a topology where multiple clients can
connect to the same port at the same time:
■
If the first client authenticates and opens the port, and then another client
authenticates, the port responds as if the original client has initiated a
reauthentication. With multiple clients authenticating on the port, the
RADIUS configuration response to the latest client authentication
replaces any other configuration from an earlier client authentication. If
all clients use the same configuration this should not be a problem. But if
the RADIUS server responds with different configurations for different
clients, then the last client authenticated will effectively lock out any
previously authenticated client. When
any
client to authenticate closes
its session, the port will also close and remain so until another client
successfully authenticates.
■
The most recent client authentication determines the untagged VLAN
membership for the port. Also, any client able to use the port can access
any tagged VLAN memberships statically configured on the port, provided
the client is configured to use the available, tagged VLAN memberships.
■
If the first client authenticates and opens the port, and then one or more
other clients connect without trying to authenticate, then the port config
uration as determined by the original RADIUS response remains
unchanged and all such clients will have the same access as the authenti
cated client. When the authenticated client closes the session, the port
will also be closed to any other, unauthenticated clients that may have
also been using the port.
12-5
Summary of Contents for PROCURVE 2910AL
Page 1: ...Access Security Guide ProCurve Switches W 14 03 2910al www procurve com ...
Page 2: ......
Page 3: ...HP ProCurve 2910al Switch February 2009 W 14 03 Access Security Guide ...
Page 84: ...Configuring Username and Password Security Front Panel Security 2 36 ...
Page 156: ...TACACS Authentication Operating Notes 4 30 ...
Page 288: ...Configuring Secure Socket Layer SSL Common Errors in SSL setup 8 22 ...
Page 416: ...Configuring Advanced Threat Protection Using the Instrumentation Monitor 10 28 ...
Page 572: ...Using Authorized IP Managers Operating Notes 14 14 ...
Page 592: ...12 Index ...
Page 593: ......