802.1X Port States; Supported Radius Attributes - HP 438031-B21 - 1:10Gb Ethernet BL-c Switch Application Manual

The Radius server chooses an EAP-supported authentication algorithm to verify the client's identity, and
sends an EAP-Request packet to the client via the switch authenticator. The client then replies to the Radius
server with an EAP-Response containing its credentials.
Upon a successful authentication of the client by the server, the 802.1x-controlled port transitions from
unauthorized to authorized state, and the client is allowed full access to services through the controlled
port. When the client later sends an EAPOL-Logoff message to the switch authenticator, the port transitions
from authorized to unauthorized state.
If a client that does not support 802.1x connects to an 802.1x-controlled port, the switch authenticator
requests the client's identity when it detects a change in the operational state of the port. The client does
not respond to the request, and the port remains in the unauthorized state.
NOTE: When an 802.1x-enabled client connects to a port that is not 802.1x-controlled, the client
initiates the authentication process by sending an EAPOL-Start frame. When no response is
received, the client retransmits the request for a fixed number of times. If no response is received,
the client assumes the port is in authorized state, and begins sending frames, even if the port is
unauthorized.

802.1x port states

The state of the port determines whether the client is granted access to the network, as follows:
Unauthorized—While in this state, the port discards all ingress and egress traffic except EAP
packets.
Authorized—When the client is authenticated successfully, the port transitions to the authorized state
allowing all traffic to and from the client to flow normally.
Force Unauthorized—You can configure this state that denies all access to the port.
Force Authorized—You can configure this state that allows full access to the port.
Use the 802.1x Global Configuration Menu (/cfg/l2/8021x/global) to configure 802.1x
authentication for all ports in the switch. Use the 802.1x Port Menu (/cfg/l2/8021x/port x) to
configure a single port.

Supported RADIUS attributes

The HP 1:10GbE switch 802.1x Authenticator relies on external RADIUS servers for authentication with
EAP. The following table lists the RADIUS attributes that are supported as part of RADIUS-EAP
authentication based on the guidelines specified in Annex D of the 802.1x standard and RFC 3580.
EAP support for RADIUS attributes
Table 9
# Attribute
1 User-Name
4 NAS-IP-Address
5 NAS-Port
Attribute Value
The value of the Type-Data field from the
supplicant's EAP-Response/Identity message.
If the Identity is unknown (i.e. Type-Data field
is zero bytes in length), this attribute will have
the same value as the Calling-Station-Id.
IP address of the authenticator used for
RADIUS communication.
Port number of the authenticator port to which
the supplicant is attached.
Port-based Network Access and traffic control
A-R
1
1
1
A-A A-C A-R
0-1 0 0
0 0 0
0 0 0
48