Web and MAC Authentication
Overview
■
Each new Web/MAC Auth client always initiates a MAC authentication
attempt. This same client can also initiate Web authentication at any time
before the MAC authentication succeeds. If either authentication suc
ceeds then the other authentication (if in progress) is ended. No further
Web/MAC authentication attempts are allowed until the client is deau
thenticated.
■
Web and MAC authentications are not allowed on the same port if unau
thenticated VLAN (that is, a guest VLAN) is enabled for MAC authentica
tion. An unauthenticated VLAN can’t be enabled for MAC authentication
if Web and MAC authentication are both enabled on the port.
■
Hitless reauthentication must be of the same type (MAC) that was used
for the initial authentication. Non-hitless reauthentication can be of any
type.
The remaining Web/MAC functionality, including interactions with 802.1X,
remains the same. Web and MAC authentication can be used for different
clients on the same port.
Normally, MAC authentication finishes much sooner than Web authentication.
However, if Web authentication should complete first, MAC authentication
will cease even though it is possible that MAC authentication could succeed.
There is no guarantee that MAC authentication ends before Web authentica
tion begins for the client.
Concurrent Web and MAC authentication is backward compatible with all
existing user configurations.
Authorized and Unauthorized Client VLANs
Web-Auth and MAC-Auth provide a port-based solution in which a port
belongs to one, untagged VLAN at a time. The switch supports up to eight
simultaneous client sessions per port. All authenticated client sessions
operate in the same untagged VLAN. (If you want the switch to simultaneously
support multiple client sessions in different VLANs for a network application,
design your system so that clients request network access on different switch
ports.)
In the default configuration, the switch blocks access to all clients that the
RADIUS server does not authenticate. However, you can configure an
individual port to provide limited network services and access to unauthorized
clients by using an “unauthorized” VLAN for each session. The unauthorized
VLAN ID assignment can be the same for all ports, or different, depending on
the services and access you plan to allow for unauthenticated clients.
3-4
Summary of Contents for PROCURVE 2910AL
Page 1: ...Access Security Guide ProCurve Switches W 14 03 2910al www procurve com ...
Page 2: ......
Page 3: ...HP ProCurve 2910al Switch February 2009 W 14 03 Access Security Guide ...
Page 84: ...Configuring Username and Password Security Front Panel Security 2 36 ...
Page 156: ...TACACS Authentication Operating Notes 4 30 ...
Page 288: ...Configuring Secure Socket Layer SSL Common Errors in SSL setup 8 22 ...
Page 416: ...Configuring Advanced Threat Protection Using the Instrumentation Monitor 10 28 ...
Page 572: ...Using Authorized IP Managers Operating Notes 14 14 ...
Page 592: ...12 Index ...
Page 593: ......