Support User Manuals

HP (Hewlett-Packard) 2300 Switch User Manual

Open as PDF

of 270

50

Enhancements in Release F.05.05 through F.05.70

Enhancements in Release F.05.05 through F.05.60

Setting Up and Configuring 802.1X Open VLAN Mode

Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client

VLANs. Refer to Table 4 on page 46 for other options.

Before you configure the 802.1X Open VLAN mode on a port:

■ Statically configure an “Unauthorized-Client VLAN” in the switch. The only ports that should

belong to this VLAN are ports offering services and access you want available to unauthen-

ticated clients. (802.1X authenticator ports do not have to be members of this VLAN.)

Caution

Do not allow any port memberships or network services on this VLAN that would pose a security

risk if exposed to an unauthorized client.

■ Statically configure an Authorized-Client VLAN in the switch. The only ports that should

belong to this VLAN are ports offering services and access you want available to authenti-

cated clients. 802.1X authenticator ports do not have to be members of this VLAN.

Note that if an 802.1X authenticator port is an untagged member of another VLAN, the port’s

access to that other VLAN will be temporarily removed while an authenticated client is connected

to the port. For example, if:

i. Port 5 is an untagged member of VLAN 1 (the default VLAN).

ii. You configure port 5 as an 802.1X authenticator port.

iii. You configure port 5 to use an Authorized-Client VLAN.

Then, if a client connects to port 5 and is authenticated, port 5 becomes an untagged member of

the Authorized-Client VLAN and is temporarily suspended from membership in the default VLAN.

■ If you expect friendly clients to connect without having 802.1X supplicant software running,

provide a server on the Unauthorized-Client VLAN for downloading 802.1X supplicant

software to the client, and a procedure by which the client initiates the download.

■ A client must either have a valid IP address configured before connecting to the switch, or

download one through the Unauthorized-Client VLAN from a DHCP server. In the latter case,

you will need to provide DHCP services on the Unauthorized-Client VLAN.

■ Ensure that the switch is connected to a RADIUS server configured to support authentication

requests from clients using ports configured as 802.1X authenticators. (The RADIUS server

should not be on the Unauthorized-Client VLAN.)

previous next