13-47
Configuring Port-Based and User-Based Access Control (802.1X)
802.1X Open VLAN Mode
Inspecting 802.1X Open VLAN Mode Operation. For information and
an example on viewing current Open VLAN mode operation, refer to “Viewing
802.1X Open VLAN Mode Status” on page 13-64.
802.1X Open VLAN Operating Notes
■ Although you can configure Open VLAN mode to use the same VLAN for
both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this
is not recommended. Using the same VLAN for both purposes allows
unauthenticated clients access to a VLAN intended only for authenticated
clients, which poses a security breach.
■ While an Unauthorized-Client VLAN is in use on a port, the switch tempo-
rarily removes the port from any other statically configured VLAN for
which that port is configured as a member. Note that the Menu interface
will still display the port’s statically configured VLAN(s).
■ A VLAN used as the Unauthorized-Client VLAN should not allow access
to resources that must be protected from unauthenticated clients.
■ If a port is configured as a tagged member of VLAN “X”, then the port
returns to tagged membership in VLAN “X” upon successful client authen-
tication. This happens even if the RADIUS server assigns the port to
another, authorized VLAN “Y”. Note that if RADIUS assigns VLAN “X” as
an authorized VLAN, then the port becomes an untagged member of VLAN
“X” for the duration of the client connection. (If there is no Authorized-
Client or RADIUS-assigned VLAN, then an authenticated client without
tagged VLAN capability can access only a statically configured, untagged
VLAN on that port.)
■ When a client’s authentication attempt on an Unauthorized-Client VLAN
fails, the port remains a member of the Unauthorized-Client VLAN until
the client disconnects from the port.
HP Switch(config)# radius host 10.28.127.101 key rad4all
Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101
and an encryption key of rad4all.
HP Switch(config)# aaa port-access authenticator e a10-a20 unauth-vid 80
Configures ports A10 - A20 to use VLAN 80 as the Unauthorized-Client VLAN.
HP Switch(config)# aaa port-access authenticator e a10-a20 auth-vid 81
Configures ports A10 - A20 to use VLAN 81 as the Authorized-Client VLAN.
HP Switch(config)# aaa port-access authenticator active
Activates 802.1X port-access on ports you have configured as authenticators.
To Next Page
Loading...
Need help?
General