HP (Hewlett-Packard) 2650 (J4899A/B) Switch User Manual


 
3-3
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches
Overview
MAC Authentication (MAC-Auth). This method grants access to a secure
network by authenticating devices for access to the network. When a device
connects to the switch, either by direct link or through the network, the switch
forwards the device’s MAC address to the RADIUS server for authentication.
The RADIUS server uses the device MAC address as the username and
password, and grants or denies network access in the same way that it does
for clients capable of interactive logons. (The process does not use either a
client device configuration or a logon session.) MAC authentication is well-
suited for clients that are not capable of providing interactive logons, such as
telephones, printers, and wireless access points. Also, because most RADIUS
servers allow for authentication to depend on the source switch and port
through which the client connects to the network, you can use MAC-Auth to
“lock” a particular device to a specific switch and port.
Note You can configure only one authentication type on a port. This means that Web
authentication, MAC authentication, 802.1X, MAC lockdown, MAC lockout,
and port-security are mutually exclusive on a given port. Also, LACP must be
disabled on ports configured for any of these authentication methods.
Client Options
Web-Auth and MAC-Auth provide a port-based solution in which a port can
belong to one, untagged VLAN at a time. However, where all clients can
operate in the same VLAN, the switch allows up to 32 simultaneous clients per
port. (In applications where you want the switch to simultaneously support
multiple client sessions in different VLANs, design your system so that such
clients will use different switch ports.)
In the default configuration, the switch blocks access to clients that the
RADIUS server does not authenticate. However, you can configure an individ-
ual port to provide limited services to unauthorized clients by joining a
specified “unauthorized” VLAN during sessions with such clients. The unau-
thorized VLAN assignment can be the same for all ports, or different, depend-
ing on the services and access you plan to allow for unauthenticated clients.
Access to an optional, unauthorized VID is configured in the switch when Web
and MAC Authentication are configured on a port.