HP ProCurve 6400cl Series Access Security Manual page 302
Hide thumbs
Also See for ProCurve 6400cl Series:
- Management and configuration manual (508 pages) ,
- Installation and getting started manual (84 pages) ,
- Management manual (664 pages)
Table of Contents
Advertisement
Configuring Port-Based and Client-Based Access Control (802.1X)
802.1X Open VLAN Mode
Condition
Effect of Unauthorized-Client VLAN
session on untagged port VLAN
membership
Effect of Authorized-Client VLAN
session on untagged port VLAN
membership.
Multiple Authenticator Ports Using
the Same Unauthorized-Client and
Authorized-Client VLANs
10-28
Rule
• When an unauthenticated client connects to a port that is already
configured with a static, untagged VLAN, the switch temporarily
moves the port to the Unauthorized-Client VLAN (also untagged).
(While the Unauthorized-Client VLAN is in use, the port does not
access any other VLANs.)
• If the client disconnects, the port leaves the Unauthorized-Client
VLAN and re-acquires membership in all the statically configured
VLANs to which it belongs.
• If the client becomes authenticated, the port leaves the
Unauthenticated-Client VLAN and joins the appropriate VLAN.
(Refer to "VLAN Membership Priorities" on page 10-22.
• In the case of the multiple clients allowed on 5300xl switches
running software release E.09.xx or greater, if an authenticated
client is already using the port for a different VLAN, then any other
unauthenticated clients needing to use the Unauthorized-Client
VLAN are blocked.
• When a client becomes authenticated on a port that is already
configured with a static, untagged VLAN, the switch temporarily
moves the port to the Authorized-Client VLAN (also untagged).
While the Authorized-Client VLAN is in use, the port does not have
access to the statically configured, untagged VLAN.
• When the authenticated client disconnects, the switch removes the
port from the Authorized-Client VLAN and moves it back to the
untagged membership in the statically configured VLAN. (After
client authentication, the port resumes any tagged VLAN
memberships for which it is already configured. For details, refer to
the Note on page 10-23.)
Note: This rule assumes:
• No alternate VLAN has been assigned by a RADIUS server.
• 5300xl Running Software Release E.09.xx or Greater: No other
authenticated clients are already using the port.
You can use the same static VLAN as the Unauthorized-Client VLAN
for all 802.1X authenticator ports configured on the switch. Similarly,
you can use the same static VLAN as the Authorized-Client VLAN for
all 802.1X authenticator ports configured on the switch.
Caution: Do not use the same static VLAN for both the unauthorized
and the Authorized-Client VLAN. Using one VLAN for both creates a
security risk by defeating the isolation of unauthenticated clients.
Advertisement
Table of Contents
