Configuring Port-Based and Client-Based Access Control (802.1X)
802.1X Open VLAN Mode
Condition Rule
Note for 5300xl Switches Running
Software Release E.09.xx or Greater:
Limitation on Using an Unauthorized-
Client VLAN on an 802.1X Port
Configured to Allow Multiple-Client
Access
Prior to software release E.09.xx, the 802.1X feature on ProCurve
Series 5300xl switches authenticated only one client per-port.
Beginning with release E.09.xx, you can optionally enable 5300xl
switches to allow up to 32 clients per-port. The Unauthorized-Client
VLAN feature can operate on an 802.1X-configured port regardless of
how many clients the port is configured to support. However, all
clients on the same port must operate through the same untagged
VLAN membership. This means that any client accessing a given port
must be able to authenticate and operate on the same VLAN as any
other previously authenticated clients that are currently using the
port. Thus, an Unauthorized-Client VLAN configured on a 5300xl port
that allows multiple 802.1X clients cannot be used if there is already
an authenticated client using the port on another VLAN. Also, a client
using the Unauthenticated-Client VLAN will be blocked when another
client becomes authenticated on the port. For this reason, the best
utilization of the Unauthorized-Client VLAN feature is in instances
where only one client is allowed per-port. Otherwise, unauthenticated
clients are subject to being blocked at any time by authenticated
clients using a different VLAN. (Using the same VLAN for
authenticated and unauthenticated clients can create a security risk
and is not recommended.)
Not e : If you use the same VLAN as the Unauthorized-Client VLAN for all authenti-
cator ports, unauthenticated clients on different ports can communicate with
each other. However, in this case, you can improve security between authen
-
ticator ports by using the switch’s Source-Port filter feature. For example, if
you are using ports B1 and B2 as authenticator ports on the same Unautho-
rized-Client VLAN, you can configure a Source-Port filter on B1 to drop all
packets from B2 and the reverse.
10-30
To Next Page
Loading...
Need help?
General