Configuration Prerequisites; Configuration Procedure; Specifying Supported Domain Name Delimiters - HP 10500 Series Configuration Manual
Security configuration guide
Hide thumbs
Also See for 10500 Series:
- Security configuration manual (596 pages) ,
- Configuration manual (512 pages) ,
- Specifications (42 pages)
Table of Contents
Advertisement
If 802.1X clients in your network cannot trigger an immediate DHCP-assigned IP address renewal
•
in response to a VLAN change, the 802.1X users cannot access authorized network resources
immediately after an 802.1X authentication is complete. As a solution, remind the 802.1X users to
release their IP addresses or repair their network connections for a DHCP reassignment after
802.1X authentication is complete. The HP iNode client does not have this problem.
Configuration prerequisites
•
Create the VLAN to be specified as a critical VLAN.
If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger
•
(dot1x multicast-trigger).
If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
•
enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged
member. For more information about the MAC-based VLAN function, see Layer 2—LAN Switching
Configuration Guide.
Configuration procedure
To configure an 802.1X critical VLAN:
Step
1.
Enter system view.
2.
Enter Layer 2 Ethernet
interface view.
3.
Configure an 802.1X critical
VLAN on the port.
4.
Configure the port to trigger
802.1X authentication on
detection of a reachable
authentication server for users
in the critical VLAN.
Specifying supported domain name delimiters
By default, the access device supports the at sign (@) as the delimiter. You can also configure the access
device to accommodate 802.1X users who use other domain name delimiters.
The configurable delimiters include the at sign (@), back slash (\), and forward slash (/).
If an 802.1X username string contains multiple configured delimiters, the leftmost delimiter is the domain
name delimiter. For example, if you configure @, /, and \ as delimiters, the domain name delimiter for
the username string 123/22\@abc is the forward slash (/).
If a username string contains none of the delimiters, the access device authenticates the user in the
mandatory or default ISP domain. The access selects a domain delimiter from the delimiter set in this
order: @, /, and \.
To specify a set of domain name delimiters:
Command
system-view
interface interface-type
interface-number
dot1x critical vlan vlan-id
dot1x critical recovery-action
reinitialize
97
Remarks
N/A
N/A
By default, no critical VLAN is
configured.
Optional.
By default, when a reachable
RADIUS server is detected, the
system removes the port or 802.1X
users from the critical VLAN
without triggering authentication.
Advertisement
Table of Contents
Troubleshooting
