Configuring 802.1X
This chapter describes how to configure 802.1X on an HP device.
You can also configure the port security feature to perform 802.1X. Port security combines and extends
802.1X and MAC authentication. It applies to a network that requires different authentication methods
for different users on a port. Port security is beyond the scope of this chapter. It is described in "Port
security configuration."
HP implementation of 802.1X
Access control methods
HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to
support MAC-based access control.
• Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent
user can access the network through the port without authentication. When the authenticated user
logs off, all other users are logged off.
• MAC-based access control—Each user is separately authenticated on a port. When a user logs off,
no other online users are affected.
Using 802.1X authentication with other features
VLAN assignment
The device can work with a RADIUS server to assign VLANs to 802.1X users. The device accepts
untagged VLANs that are assigned through the RFC 3580-compliant Tunnel attributes and tagged
VLANs that are assigned through the RFC 4675-compliant Egress-VLANID or Egress-VLAN-Name
attribute.
NOTE:
• Access ports do not support RFC 4675-compliant assignment of VLANs.
• Trunk and hybrid ports support RFC 4675-compliant assignment of only tagged VLANs.
and
describes how the device handles VLANs assigned through a RADIUS server
Table 6 VLAN assignment in port-based access control mode

Link type | VLAN assignment
Access port | Sets the VLAN ID assigned through the Tunnel attributes as the PVID on the port. All subsequent users can access the network, regardless of their VLANs. When the authenticated user logs off, the previous PVID is restored, and all users attached to the port cannot access the network.
Trunk/hybrid port | • Sets the VLAN ID assigned through the Tunnel attributes as the PVID on the port. • Assigns the port to the VLANs assigned through the Egress-VLANID or Egress-VLAN-Name attribute, and sets the VLANs as tagged VLANs.
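
The following Python sketch is an added example, not HP code. It decodes the RFC 3580 Tunnel attributes and the RFC 4675 Egress-VLANID attribute from a constructed RADIUS attribute block and applies the port rules stated in this section, so an Access-Accept profile can be checked before it is deployed. The function names are hypothetical, Tunnel-Private-Group-ID is assumed to carry a decimal VLAN ID, Egress-VLAN-Name is left out, and raising an error on an unsupported attribute is the example's choice (this section does not say how the device reacts).

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
EGRESS_VLANID = 56                  # RFC 4675
TYPE_VLAN, MEDIUM_802 = 13, 6       # values RFC 3580 uses for VLAN assignment
TAGGED = 0x31                       # RFC 4675 tag indication: tagged

def attr(atype, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(blob):
    """Split a RADIUS attribute area into (type, value) pairs, checking lengths."""
    pairs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2 or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        pairs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return pairs

def vlan_decision(blob, link_type):
    """Return (pvid, tagged_vlans); rejecting bad input is this example's choice."""
    ttype = tmedium = pvid = None
    tagged = []
    for atype, val in parse_attributes(blob):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            number = int.from_bytes(val[1:], "big")      # first octet is the tag
            ttype, tmedium = (number, tmedium) if atype == TUNNEL_TYPE else (ttype, number)
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            text = val[1:] if val[0] <= 0x1F else val    # tag octet is optional
            pvid = int(text.decode("ascii"))             # assumption: decimal VLAN ID
        elif atype == EGRESS_VLANID and len(val) == 4:
            if link_type == "access":
                raise ValueError("access ports do not support RFC 4675 VLANs")
            if val[0] != TAGGED:
                raise ValueError("trunk/hybrid ports take only tagged VLANs")
            tagged.append(int.from_bytes(val, "big") & 0x0FFF)  # low 12 bits = VLAN ID
    if pvid is not None and (ttype, tmedium) != (TYPE_VLAN, MEDIUM_802):
        raise ValueError("Tunnel-Private-Group-ID without Tunnel-Type VLAN / medium 802")
    for vid in tagged + ([pvid] if pvid is not None else []):
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID %d out of range" % vid)
    return pvid, sorted(tagged)

# Constructed Access-Accept attributes: PVID 10, tagged VLANs 20 and 30.
SAMPLE = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d") + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
          + attr(TUNNEL_PRIVATE_GROUP_ID, b"10")
          + attr(EGRESS_VLANID, b"\x31\x00\x00\x14") + attr(EGRESS_VLANID, b"\x31\x00\x00\x1e"))
DECISION = vlan_decision(SAMPLE, "trunk")   # (10, [20, 30])
```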