HP 5120 SI Series Security Configuration Manual page 78

Hide thumbs Also See for 5120 SI Series:
Table of Contents

Advertisement

Access control
MAC-based
IMPORTANT:
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the
assignment, do not re-configure the port as a tagged member in the VLAN.
On a periodic online user re-authentication enabled port, if a user has been online before you enable the
MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless
the user passes re-authentication and the VLAN for the user has changed.
For more information about VLAN configuration and MAC-based VLAN, see the Layer 2
Configuration Guide.
Guest VLAN
You can configure a guest VLAN to accommodate users that have not performed 802.1X authentication
on a port, so they can access a limited set of network resources, such as a software server, to download
anti-virus software and system patches. After a user in the guest VLAN passes 802.1X authentication, it
is removed from the guest VLAN and can access authorized network resources. The way that the network
access device handles VLANs on the port differs by 802.1X access control mode.
1.
On a port that performs port-based access control
Authentication status
No 802.1X user has
performed authentication or
passed authentication within
90 seconds after 802.1X is
enabled
A user in the 802.1X guest
VLAN fails 802.1X
authentication
A user in the 802.1X guest
VLAN passes 802.1X
authentication
On a port that performs MAC-based access control
2.
Authentication status
A user has not passed 802.1X
authentication yet
VLAN manipulation
If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC
address of each user to the VLAN assigned by the authentication server. The
default VLAN of the port does not change. When a user logs off, the
MAC-to-VLAN mapping for the user is removed.
Assigns the VLAN of the first authenticated user to the port as the default
VLAN. If a different VLAN is assigned for a subsequent user, the user cannot
pass the authentication.
VLAN manipulation
Assigns the 802.1X guest VLAN to the port as the default VLAN. All 802.1X
users on this port can access only resources in the guest VLAN.
If no 802.1X guest VLAN is configured, the access device does not perform
any VLAN operation.
If an 802.1X Auth-Fail VLAN (see
Auth-Fail VLAN to the port as the default VLAN. All users on this port can
access only resources in the Auth-Fail VLAN.
If no Auth-Fail VLAN is configured, the default VLAN on the port is still the
802.1X guest VLAN. All users on the port are in the guest VLAN.
Assigns the VLAN specified for the user to the port as the default VLAN,
and removes the port from the 802.1X guest VLAN. After the user logs off,
the user configured default VLAN restores.
If the authentication server assigns no VLAN, the user configured default
VLAN applies. The user and all subsequent 802.1X users are assigned to
the user-configured default VLAN. After the user logs off, the default VLAN
remains unchanged.
VLAN manipulation
Creates a mapping between the MAC address of the user and the 802.1X
guest VLAN. The user can access resources in the guest VLAN.
66
"Auth-Fail
VLAN") is available, assigns the
LAN Switching

Advertisement

Table of Contents
loading

Table of Contents