Extended Functions - HP 5120 SI Series Security Configuration Manual

• Upon receiving an ARP or DHCP broadcast packet from a terminal for the first time, the access port performs MAC authentication on the terminal. If the terminal passes MAC authentication, no other types of authentication will be performed for it. If it fails, 802.1X or portal authentication can be triggered.
• Upon receiving an EAP packet from an 802.1X client or a third-party client, the access port performs only 802.1X authentication on the terminal.
• Upon receiving an HTTP packet from a terminal, the access port performs portal authentication on the terminal.

If a terminal triggers different types of authentication, the authentications are processed at the same time. A failure of one type of authentication does not affect the others. When a terminal passes one type of authentication, the other types of authentication being performed are terminated. Then, whether the other types of authentication can be triggered varies:

• If a terminal passes 802.1X authentication or portal authentication, no other types of authentication will be triggered for the terminal.
• If the terminal passes MAC authentication, no portal authentication can be triggered for the terminal, but 802.1X authentication can be triggered. When the terminal passes 802.1X authentication, the 802.1X authentication information will overwrite the MAC authentication information for the terminal.

Extended functions

A port enabled with the three types of authentication also supports the following extended functions.

VLAN assignment

After a terminal passes authentication, the authentication server assigns a VLAN to the access port for the access terminal. The terminal can then access the network resources in the server-assigned VLAN.

Auth-Fail VLAN or MAC authentication guest VLAN

After a terminal fails authentication, the access port:

• Adds the terminal to an Auth-Fail VLAN, if it uses 802.1X or portal authentication service.
• Adds the terminal to a MAC authentication guest VLAN, if it uses MAC authentication service.

A terminal may undergo all three types of authentication. If it fails to pass all types of authentication, the access port adds the terminal to the 802.1X Auth-Fail VLAN.

Detection of online terminals

• You can enable an online detection timer to detect online portal clients. The timer defaults to 5 minutes, and is not configurable.
• You can enable the online handshake or periodic online user re-authentication function to detect online 802.1X clients at a configurable interval.
• You can enable an offline detection timer to detect online MAC authentication terminals at a configurable interval.

NOTE:
For more information about the extended functions, see the chapters "802.1X configuration," "MAC authentication configuration," and "Portal configuration."
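
The trigger and failure rules described in this section can be checked against a small state model. The following Python sketch is an added example, not code from the manual or from the switch software. The class, function and VLAN label names are assumptions, as are two simplifications: a failed method is not retried, and a failure after an earlier pass leaves the existing session in place.

```python
# Added example: simplified model of the triple-authentication rules above.
# Class, function and VLAN label names are assumptions made for illustration.
from dataclasses import dataclass, field
from typing import Optional

TRIGGER = {"ARP": "mac", "DHCP": "mac", "EAP": "dot1x", "HTTP": "portal"}
ALL = {"mac", "dot1x", "portal"}

@dataclass
class Terminal:
    passed: Optional[str] = None              # method whose session is in effect
    running: set = field(default_factory=set)
    failed: set = field(default_factory=set)
    vlan: str = "none"

def may_trigger(t: Terminal, method: str) -> bool:
    if method in t.running or method in t.failed or method == t.passed:
        return False                          # assumption: no retry after failure
    if t.passed in ("dot1x", "portal"):
        return False                          # nothing else is triggered
    if t.passed == "mac":
        return method == "dot1x"              # portal blocked, 802.1X allowed
    return True

def on_packet(t: Terminal, kind: str) -> Optional[str]:
    """Return the authentication method this packet starts, if any."""
    method = TRIGGER.get(kind)
    if method and may_trigger(t, method):
        t.running.add(method)
        return method
    return None

def on_result(t: Terminal, method: str, ok: bool, server_vlan: str = "") -> str:
    """Apply one authentication result and return the terminal's VLAN."""
    t.running.discard(method)
    if ok:
        t.running.clear()                     # others in progress are terminated
        t.passed, t.vlan = method, server_vlan  # 802.1X overwrites MAC info
    else:
        t.failed.add(method)
        if t.passed is None:                  # assumption: a passed session is kept
            if t.failed == ALL:
                t.vlan = "dot1x-auth-fail"    # all three failed
            else:
                t.vlan = "mac-guest" if method == "mac" else f"{method}-auth-fail"
    return t.vlan
```

Walking a terminal through the model makes the asymmetry visible: a MAC authentication pass still leaves 802.1X reachable, so the VLAN granted on the basis of a MAC address alone can later be replaced by the one tied to an 802.1X identity.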