HP (Hewlett-Packard) 2650 (J4899A/B) Switch User Manual


 
Configuring Port-Based Access Control (802.1X)
member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN.
Untagged VLAN Membership: A port can be an untagged member of only one VLAN. (In the factory-default configuration, all ports on the switch are untagged members of the default VLAN.) An untagged VLAN membership is required for a client that does not support 802.1Q VLAN tagging. A port can simultaneously have one untagged VLAN membership and multiple tagged VLAN memberships. Depending on how you configure 802.1X Open VLAN mode for a port, a statically configured, untagged VLAN membership may become unavailable while there is a client session on the port. See also “Tagged VLAN Membership”.
General Operating Rules and Notes
- When a port on the switch is configured as either an authenticator or supplicant and is connected to another device, rebooting the switch causes a re-authentication of the link.
- When a port on the switch is configured as an authenticator, it will block access to a client that either does not provide the proper authentication credentials or is not 802.1X-aware. (You can use the optional 802.1X Open VLAN mode to open a path for downloading 802.1X supplicant software to a client, which enables the client to initiate the authentication procedure. Refer to “802.1X Open VLAN Mode” on page 8-21.)
- If a port on switch “A” is configured as an 802.1X supplicant and is connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection.
- You can configure a port as both an 802.1X authenticator and an 802.1X supplicant.
- If a port on switch “A” is configured as both an 802.1X authenticator and supplicant and is connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection, but switch “B” will not be allowed access to switch “A”. This means that traffic on this link between the two switches will flow from “A” to “B”, but not the reverse.