HP (Hewlett-Packard) 2500 Switch User Manual


 
35
Enhancements in Release F.05.05 through F.05.70
Enhancements in Release F.05.05 through F.05.60
General Operating Rules and Notes
When a port on the switch is configured as either an authenticator or supplicant and is
connected to another device, rebooting the switch causes a re-authentication of the link.
When a port on the switch is configured as an authenticator, it will block access to a client
that either does not provide the proper authentication credentials or is not 802.1X-aware.
(You can use the optional 802.1X Open VLAN mode to open a path for downloading 802.1X
supplicant software to a client, which enables the client to initiate the authentication
procedure. Refer to “802.1X Open VLAN Mode” on page -44.)
If a port on switch “A” is configured as an 802.1X supplicant and is connected to a port on
another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X
security protection.
You can configure a port as both an 802.1X authenticator and an 802.1X supplicant.
If a port on switch “A” is configured as both an 802.1X authenticator and supplicant and is
connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B”
will occur without 802.1X security protection, but switch “B” will not be allowed access to
switch “A”. This means that traffic on this link between the two switches will flow from “A”
to “B”, but not the reverse.
If a client already has access to a switch port when you configure the port for 802.1X
authenticator operation, the port will block the client from further network access until it
can be authenticated.
On a port configured for 802.1X with RADIUS authentication, if the RADIUS server specifies
a VLAN for the supplicant and the port is a trunk member, the port will be blocked. If the
port is later removed from the trunk, the port will try to authenticate the supplicant. If
authentication is successful, the port becomes unblocked. Similarly, if the supplicant is
authenticated and later the port becomes a trunk member, the port will be blocked. If the
port is then removed from the trunk, it tries to re-authenticate the supplicant. If successful,
the port becomes unblocked.
To help maintain security, 802.1X and LACP cannot both be enabled on the same port. If you
try to configure 802.1X on a port already configured for LACP (or the reverse) you will see
a message similar to the following:
Error configuring port X: LACP and 802.1X cannot be run together.
Note on 802.1X and LACP
To help maintain security, the switch does not allow 802.1X and LACP to both be enabled at the same
time on the same port. Refer to “802.1X Operating Messages” on page -70.