HP 6600 Security Configuration Manual page 98
Hide thumbs
Also See for 6600:
- Command reference manual (286 pages) ,
- Configuration manual (236 pages) ,
- Installation and getting started manual (103 pages)
Table of Contents
Advertisement
Access control
MAC-based
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After
the assignment, do not re-configure the port as a tagged member in the VLAN.
On a periodic online user re-authentication enabled port, if a user has been online before you enable the
MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user
unless the user passes re-authentication and the VLAN for the user has changed.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching
Configuration Guide.
Guest VLAN
You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X
authentication, so they can access a limited set of network resources, such as a software server, to
download anti-virus software and system patches. Once a user in the guest VLAN passes 802.1X
authentication, it is removed from the guest VLAN and can access authorized network resources.
Guest VLAN is supported on ports that perform port-based access control. The following describes way
that the network access device handles VLANs on a port that performs port-based access control.
Authentication status
No 802.1X user has
performed authentication
within 90 seconds after
802.1X is enabled
A user in the 802.1X guest
VLAN fails 802.1X
authentication
A user in the 802.1X guest
VLAN passes 802.1X
authentication
The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
For more information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.
VLAN manipulation
•
If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address
of each user to the VLAN assigned by the authentication server. The PVID of the port
does not change. When a user logs off, the MAC-to-VLAN mapping for the user is
removed.
•
If the port is an access, trunk, or MAC-based VLAN disabled hybrid port, assigns
the first authenticated user's VLAN to the port as the PVID. If a different VLAN is
assigned to a subsequent user, the user cannot pass the authentication. To avoid the
authentication failure of subsequent users, be sure to assign the same VLAN to all
802.1X users on these ports.
VLAN manipulation
Assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on
this port can access only resources in the guest VLAN.
If no 802.1X guest VLAN is configured, the access device does not perform
any VLAN operation.
If an 802.1X Auth-Fail VLAN (see
Auth-Fail VLAN to the port as the PVID. All users on this port can access only
resources in the Auth-Fail VLAN.
If no Auth-Fail VLAN is configured, the PVID on the port is still the 802.1X
guest VLAN. All users on the port are in the guest VLAN.
•
Assigns the VLAN specified for the user to the port as the PVID, and
removes the port from the 802.1X guest VLAN. After the user logs off, the
user configured PVID restores.
•
If the authentication server assigns no VLAN, the user-configured PVID
applies. The user and all subsequent 802.1X users are assigned to the
user-configured port VLAN. After the user logs off, the port VLAN remains
unchanged.
84
"Auth-Fail
VLAN") is available, assigns the
Advertisement
Table of Contents
Troubleshooting
