6-70
RADIUS Authentication, Authorization, and Accounting
Dynamic Removal of Authentication Limits
Dynamic Removal of Authentication
Limits
Overview
In some situations, it is desirable to configure RADIUS attributes for down-
stream supplicant devices that allow dynamic removal of the 802.1X, MAC,
and Web authentication limits on the associated port of the authenticator
switch. This eliminates the need to manually reconfigure ports associated with
downstream 802.1X-capable devices, and MAC relay devices such as IP
phones, on the authenticator switches. When the RADIUS authentication ages
out, the authentication limits are dynamically restored. This enhancement
allows a common port policy to be configured on all access ports by creating
new RADIUS HP vendor-specific attributes (VSAs) that will dynamically
override the authentication limits. The changes are always applied to the port
on the authenticator switch associated with the supplicant being authenti-
cated.
N o t e
All the changes requested by the VSAs must be valid for the switch configura-
tion. For example, if either MAC-based or Web-based port access is configured
while 802.1X port access is in client mode, a RADIUS client with a VSA to
change the 802.1X port access to port-based mode is not allowed. 802.1X in
port-based mode is not allowed with MAC-based or web-based port access
types. However, if the authenticating client has VSAs to disable MAC-based
and Web-based authentication in conjunction with changing 802.1X to port-
based mode, then client authentication is allowed.
Configuring the RADIUS VSAs
Only RADIUS -authenticated port-access clients will be able to dynamically
change the port access settings using the new proprietary RADIUS VSAs. The
settings that can be overridden are:
•
Client limit (address limit with mac-based port access)
•
Disabling the port-access types
•
Setting the port mode in which 802.1X is operating
Содержание E3800 Series
Страница 1: ...HP Switch Software E3800 switches Software version KA 15 03 September 2011 Access Security Guide ...
Страница 2: ......
Страница 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Страница 30: ...xxviii ...
Страница 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Страница 186: ...4 72 Web and MAC Authentication Client Status ...
Страница 290: ...6 74 RADIUS Authentication Authorization and Accounting Dynamic Removal of Authentication Limits ...
Страница 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Страница 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Страница 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Страница 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Страница 659: ...14 11 Configuring and Monitoring Port Security Port Security Figure 14 5 Examples of Show Mac Address Outputs ...
Страница 730: ...20 Index ...
Страница 731: ......