8-8
Configuring Port-Based Access Control (802.1X)
Terminology
• A “failure” response continues the block on port B5 and causes port
A1 to wait for the “held-time” period before trying again to achieve
authentication through port B5.
Note You can configure a switch port to operate as both a supplicant and an
authenticator at the same time.
Terminology
802.1X-Aware: Refers to a device that is running either 802.1X authenticator
software or 802.1X client software and is capable of interacting with other
devices on the basis of the IEEE 802.1X standard.
Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a
conventional, static VLAN previously configured on the switch by the
System Administrator. The intent in using this VLAN is to provide authen-
ticated clients with network services that are not available on either the
port’s statically configured VLAN memberships or any VLAN member-
ships that may be assigned during the RADIUS authentication process.
While an 802.1X port is a member of this VLAN, the port is untagged. When
the client connection terminates, the port drops its membership in this
VLAN.
Authentication Server: The entity providing an authentication service to
the switch when the switch is configured to operate as an authenticator.
In the case of an ProCurve switch running 802.1X, this is a RADIUS server
(unless local authentication is used, in which case the switch performs
this function using its own username and password for authenticating a
supplicant).
Authenticator: In ProCurve switch applications, a device such as a switch
that requires a supplicant to provide the proper credentials (username
and password) before being allowed access to the network.
CHAP (MD5): Challenge Handshake Authentication Protocol.
Client: In this application, an end-node device such as a management station,
workstation, or mobile PC linked to the switch through a point-to-point
LAN link.