13-39
Configuring Port-Based and User-Based Access Control (802.1X)
802.1X Open VLAN Mode
Operating Rules for Authorized-Client and
Unauthorized-Client VLANs
Condition
Rule
Static VLANs used as
Authorized-
Client
or
Unauthorized-Client
VLANs
These must be configured on the switch before you configure an
802.1X authenticator port to use them. (Use the
vlan <
vlan-id
>
command or the VLAN Menu screen in the Menu interface.)
VLAN Assignment Received from a
RADIUS Server
If the RADIUS server specifies a VLAN for an authenticated supplicant
connected to an 802.1X authenticator port, this VLAN assignment
overrides any Authorized-Client VLAN assignment configured on the
authenticator port. This is because membership in both VLANs is
untagged, and the switch allows only one untagged, port-based VLAN
membership per-port. For example, suppose you configured port A4
to place authenticated supplicants in VLAN 20. If a RADIUS server
authenticates supplicant “A” and assigns this supplicant to VLAN 50,
then the port can access VLAN 50 as an untagged member while the
client session is running. When the client disconnects from the port,
then the port drops these assignments and uses the untagged VLAN
memberships for which it is statically configured. (After client authen-
tication, the port resumes any tagged VLAN memberships for which it
is already configured. For details, refer to the Note on page 13-33.)
Temporary VLAN Membership During
a Client Session
• Port membership in a VLAN assigned to operate as the
Unauthorized-Client VLAN is temporary, and ends when the client
receives authentication or the client disconnects from the port,
whichever is first. In the case of the multiple clients allowed on
switches covered in this guide, the first client to authenticate
determines the untagged VLAN membership for the port until all
clients have disconnected. Any other clients that cannot operate
in that VLAN are blocked at that point.
• Port membership in a VLAN assigned to operate as the Authorized-
Client VLAN ends when the client disconnects from the port.If a
VLAN assignment from a RADIUS server is used instead, the same
rule applies. In the case of the multiple clients allowed on switches,
the port maintains the same VLAN as long as there is any
authenticated client using the VLAN. When the last client
disconnects, then the port reverts to only the VLAN(s) for which it
is statically configured as a member.
Содержание E3800 Series
Страница 1: ...HP Switch Software E3800 switches Software version KA 15 03 September 2011 Access Security Guide ...
Страница 2: ......
Страница 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Страница 30: ...xxviii ...
Страница 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Страница 186: ...4 72 Web and MAC Authentication Client Status ...
Страница 290: ...6 74 RADIUS Authentication Authorization and Accounting Dynamic Removal of Authentication Limits ...
Страница 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Страница 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Страница 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Страница 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Страница 659: ...14 11 Configuring and Monitoring Port Security Port Security Figure 14 5 Examples of Show Mac Address Outputs ...
Страница 730: ...20 Index ...
Страница 731: ......