HP (Hewlett-Packard) 2650 (J4899A/B) Switch User Manual


 
8-4
Configuring Port-Based Access Control (802.1X)
Overview
Local authentication of 802.1X clients using the switch’s local user-
name and password (as an alternative to RADIUS authentication).
Temporary on-demand change of a port’s VLAN membership status
to support a current client’s session. (This does not include ports that
are members of a trunk.)
Session accounting with a RADIUS server, including the accounting
update interval.
Use of Show commands to display session counters.
With port-security enabled for port-access control, limit a port to one
802.1X client session at a given time.
Authenticating Users. Port-Based Access Control (802.1X) provides
switch-level security that allows LAN access only to users who enter the
authorized RADIUS username and password on 802.1X-capable clients (sup-
plicants). This simplifies security management by allowing you to control
access from a master database in a single server (although you can use up to
three RADIUS servers to provide backups in case access to the primary server
fails). It also means a user can enter the same username and password pair
for authentication, regardless of which switch is the access point into the LAN.
Note that you can also configure 802.1X for authentication through the
switch’s local username and password instead of a RADIUS server, but doing
so increases the administrative burden, decentralizes username/password
administration, and reduces security by limiting authentication to one Oper-
ator/Manager password set for all users.
Providing a Path for Downloading 802.1X Supplicant Software. For
clients that do not have the necessary 802.1X supplicant software, there is also
the option to configure the 802.1X Open VLAN mode. This mode allows you
to assign such clients to an isolated VLAN through which you can provide the
necessary supplicant software these clients need to begin the authentication
process. (Refer to “802.1X Open VLAN Mode” on page 8-21.)
Authenticating One Switch to Another. 802.1X authentication also
enables the switch to operate as a supplicant when connected to a port on
another switch running 802.1X authentication.