Web and MAC Authentication
Operating Rules and Notes
1. If there is a RADIUS-assigned VLAN, then, for the duration of the
client session, the port belongs to this VLAN and temporarily
drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of
the client session, the port belongs to the Authorized VLAN (if
configured) and temporarily drops all other VLAN memberships.
3. If neither 1 nor 2, above, applies, but the port is an untagged member
of a statically configured, port-based VLAN, then the port remains
in this VLAN.
4. If none of 1, 2, or 3, above, applies, then the client session does not
have access to any statically configured, untagged VLANs and
client access is blocked.
• After an authorized client session begins on a given port, the port’s
VLAN membership does not change. If other clients on the same port
become authenticated with a different VLAN assignment than the first
client, the port blocks access to these other clients until the first client
session ends.
• The optional “authorized” VLAN (auth-vid) and “unauthorized” VLAN
(unauth-vid) you can configure for Web- or MAC-based authentication
must be statically configured VLANs on the switch. Also, if you
configure one or both of these options, any services you want clients
in either category to access must be available on those VLANs.
■ Where a given port’s configuration includes an unauthorized client VLAN
assignment, the port will allow an unauthenticated client session only
while there are no requests for an authenticated client session on that
port. In this case, if there is a successful request for authentication from
an authorized client, the switch terminates the unauthorized-client
session and begins the authorized-client session.
■ When a port on the switch is configured for Web or MAC Authentication
and is supporting a current session with another device, rebooting the
switch invokes a re-authentication of the connection.
■ When a port on the switch is configured as a Web- or MAC-based
authenticator, it blocks access to a client that does not provide the proper
authentication credentials. If the port configuration includes an optional,
unauthorized VLAN (unauth-vid), the port is temporarily placed in the
unauthorized VLAN if there are no other authorized clients currently using
the port with a different VLAN assignment. If an authorized client is using
the port with a different VLAN or if there is no unauthorized VLAN
configured, the unauthorized client does not receive access to the
network.
■ Web- or MAC-based authentication and LACP cannot both be enabled on
the same port.
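
The VLAN rules above (precedence 1 to 4, the first authorized client holding the port's VLAN, and the unauthorized-VLAN behaviour) can be checked against a planned configuration with a small model. This is an added example, not code or CLI from the HP guide; the class, field and method names are this example's own, and it assumes the port's VLAN is released once no authorized session remains.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    """One Web/MAC-authenticator port. Field and method names are this example's own."""
    auth_vid: Optional[int] = None             # optional Authorized VLAN
    unauth_vid: Optional[int] = None           # optional Unauthorized VLAN
    static_untagged_vid: Optional[int] = None  # static port-based untagged VLAN
    session_vid: Optional[int] = None          # VLAN held by the current authorized session
    authorized: set = field(default_factory=set)
    guests: set = field(default_factory=set)

    def resolve_vid(self, radius_vid: Optional[int]) -> Optional[int]:
        """Rules 1-3 in order; None means rule 4 (no usable untagged VLAN)."""
        for vid in (radius_vid, self.auth_vid, self.static_untagged_vid):
            if vid is not None:
                return vid
        return None

    def auth_success(self, client: str, radius_vid: Optional[int] = None) -> str:
        vid = self.resolve_vid(radius_vid)
        if vid is None:
            return "blocked"                   # rule 4
        if self.authorized and vid != self.session_vid:
            return "blocked"                   # first client's VLAN stays until it ends
        self.guests.clear()                    # unauthorized-client session is terminated
        self.session_vid = vid
        self.authorized.add(client)
        return f"vlan {vid}"

    def auth_failure(self, client: str) -> str:
        if self.unauth_vid is None:
            return "blocked"                   # no unauth-vid configured
        if self.authorized and self.session_vid != self.unauth_vid:
            return "blocked"                   # authorized client on a different VLAN
        self.guests.add(client)
        return f"vlan {self.unauth_vid}"

    def session_end(self, client: str) -> None:
        self.authorized.discard(client)
        if not self.authorized:                # assumption: released when none remain
            self.session_vid = None            # port VLAN can be decided afresh
```

A port built with no `auth_vid`, no static untagged VLAN and no RADIUS VLAN returns "blocked" for every client, which is the rule 4 outcome to look for when an authenticated user reports no connectivity.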
HP ProCurve 2910al Switch, Access Security Guide, February 2009, W 14 03