HP (Hewlett-Packard) 2300 Switch User Manual


Enhancements in Release F.05.05 through F.05.70
Enhancements in Release F.05.05 through F.05.60
Note:
If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other. However, in this case, you can improve security between authenticator ports by using the switch's Source-Port filter feature. For example, if you are using ports 1 and 2 as authenticator ports on the same Unauthorized-Client VLAN, you can configure a Source-Port filter on 1 to drop all packets from 2 and the reverse.
Multiple Authenticator Ports Using the Same Unauthorized-Client and Authorized-Client VLANs
You can use the same static VLAN as the Unauthorized-Client VLAN
for all 802.1X authenticator ports configured on the switch. Similarly,
you can use the same static VLAN as the Authorized-Client VLAN for
all 802.1X authenticator ports configured on the switch.
Caution: Do not use the same static VLAN for both the unauthorized
and the Authorized-Client VLAN. Using one VLAN for both creates a
security risk by defeating the isolation of unauthenticated clients.
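As an added illustration, not text or configuration taken from the manual: the VLAN layout, the per-port unauth/auth VLAN assignment and the mutual Source-Port filters that the Note and the Caution above describe, written in ProCurve-style CLI as assumed here. Port numbers 1 and 2 follow the Note; VLAN IDs 10 and 20, the VLAN names and the exact command syntax are assumptions and should be checked against the switch's own command reference. RADIUS server setup is assumed to be done separately.

```text
; Added example, not from the manual. ProCurve-style syntax and the VLAN IDs
; are assumptions; verify against the 2300 command reference.

; Two distinct static VLANs: one for clients that have not yet authenticated,
; one for clients that have. Keeping them separate is what the Caution requires.
vlan 10
   name "Unauth-Client"
   exit
vlan 20
   name "Auth-Client"
   exit

; Ports 1 and 2 act as 802.1X authenticators and share both VLANs.
aaa port-access authenticator 1-2
aaa port-access authenticator 1 unauth-vid 10
aaa port-access authenticator 1 auth-vid 20
aaa port-access authenticator 2 unauth-vid 10
aaa port-access authenticator 2 auth-vid 20

; Because both ports share Unauthorized-Client VLAN 10, unauthenticated
; clients on port 1 and port 2 could otherwise reach each other. The
; Source-Port filters drop traffic between the two ports in both directions.
filter source-port 1 drop 2
filter source-port 2 drop 1

; Activate 802.1X on the switch once the ports are configured.
aaa port-access authenticator active

; Weak setting the Caution warns against (do NOT do this): using VLAN 10 as
; both the unauth-vid and the auth-vid removes the isolation of
; unauthenticated clients.
;   aaa port-access authenticator 1 unauth-vid 10
;   aaa port-access authenticator 1 auth-vid 10
```

After applying the configuration, confirm with the switch's show commands that each authenticator port lists different unauth-vid and auth-vid values and that both Source-Port filters are present.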
Effect of Failed Client Authentication Attempt
When there is an Unauthorized-Client VLAN configured on an 802.1X authenticator port, an unauthorized client connected to the port has access only to the network resources belonging to the Unauthorized-Client VLAN. (There can be an exception to this rule if the port is also a tagged member of a statically configured VLAN. Refer to the Caution on page 45.) This access continues until the client disconnects from the port. (If there is no Unauthorized-Client VLAN configured on the authenticator port, the port simply blocks access for any unauthorized client that cannot be authenticated.)
Sources for an IP Address Configuration for a Client Connected to a Port Configured for 802.1X Open VLAN Mode
A client can either acquire an IP address from a DHCP server or have a preconfigured, manual IP address before connecting to the switch.
802.1X Supplicant Software for a Client Connected to a Port Configured for 802.1X Open VLAN Mode
A friendly client, without 802.1X supplicant software, connecting to an authenticator port must be able to download this software from the Unauthorized-Client VLAN before authentication can begin.
Condition Rule