HP (Hewlett-Packard) 2650 (J4899A/B) Switch User Manual


 
8-26
Configuring Port-Based Access Control (802.1X)
802.1X Open VLAN Mode
Note: If you use the same VLAN as the Unauthorized-Client VLAN for all authenti-
cator ports, unauthenticated clients on different ports can communicate with
each other. However, in this case, you can improve security between authen-
ticator ports by using the switch’s Source-Port filter feature. For example, if
you are using ports B1 and B2 as authenticator ports on the same Unauthor-
ized-Client VLAN, you can configure a Source-Port filter on B1 to drop all
packets from B2 and the reverse.
Effect of Authorized-Client VLAN
session on untagged port VLAN
membership.
When a client becomes authenticated on a port that is already
configured with a static, untagged VLAN, the switch temporarily
moves the port to the Authorized-Client VLAN (also untagged).
While the Authorized-Client VLAN is in use, the port does not have
access to the statically configured, untagged VLAN.
When the authenticated client disconnects, the switch removes the
port from the Authorized-Client VLAN and moves it back to the
untagged membership in the statically configured VLAN. (After
client authentication, the port resumes any tagged VLAN
memberships for which it is already configured. For details, refer to
the Note on page 8-22.)
Multiple Authenticator Ports Using
the Same Unauthorized-Client and
Authorized-Client VLANs
You can use the same static VLAN as the Unauthorized-Client VLAN
for all 802.1X authenticator ports configured on the switch. Similarly,
you can use the same static VLAN as the Authorized-Client VLAN for
all 802.1X authenticator ports configured on the switch.
Caution: Do not use the same static VLAN for both the unauthorized
and the Authorized-Client VLAN. Using one VLAN for both creates a
security risk by defeating the isolation of unauthenticated clients.
Effect of Failed Client Authentication
Attempt
When there is an Unauthorized-Client VLAN configured on an 802.1X
authenticator port, an unauthorized client connected to the port has
access only to the network resources belonging to the Unauthorized-
Client VLAN. This access continues until the client disconnects from
the port. (If there is no Unauthorized-Client VLAN configured on the
authenticator port, the port simply blocks access for any unauthorized
client that cannot be authenticated.)
IP Addressing for a Client Connected
to a Port Configured for 802.x Open
VLAN Mode
A client can either acquire an IP address from a DHCP server or have
a preconfigured, manual IP address before connecting to the switch.
802.1X Supplicant Software for a
Client Connected to a Port Configured
for 802.1X Open VLAN Mode
A friendly client, without 802.1X supplicant software, connecting to an
authenticator port must be able to download this software from the
Unauthorized-Client VLAN before authentication can begin.
Condition Rule