Using 802.1X Authentication With Other Features; Acl Assignment; Ead Assistant - HP FlexNetwork 10500 Series Security Configuration Manual


Authentication status
• A user in the 802.1X critical VLAN passes 802.1X authentication.
• A user in the 802.1X guest VLAN fails authentication because all the RADIUS servers are unreachable.
• A user in the 802.1X Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable.
For the 802.1X critical VLAN feature to take effect on a port that performs MAC-based access control, make sure the following requirements are met:
• The port is a hybrid port.
• MAC-based VLAN is enabled on the port.
The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.
When a reachable RADIUS server is detected, the device performs the following operations:
• If MAC-based access control is used, the device removes 802.1X users from the critical VLAN. The port sends a unicast Identity EAP/Request to these users to trigger authentication.
• If port-based access control is used, the device removes the port from the critical VLAN. The port sends a multicast Identity EAP/Request to all 802.1X users on the port to trigger authentication.
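The critical VLAN behavior described above (where a user's MAC address ends up for each authentication outcome, the hybrid-port and MAC-based VLAN requirements, and the retrigger actions taken when a RADIUS server becomes reachable again) as a small Python model. This is an added example, not code from the manual or the device; the Port and User fields, the sample MAC addresses and the choice to leave a user unchanged when the feature cannot take effect are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    link_type: str          # "hybrid", "access" or "trunk" (assumed field names)
    mac_vlan_enabled: bool  # MAC-based VLAN enabled on the port
    access_control: str     # "mac" (MAC-based) or "port" (port-based) access control
    pvid: int               # initial PVID of the port
    critical_vlan: int      # configured 802.1X critical VLAN

@dataclass
class User:
    mac: str
    vlan_state: str         # "critical", "guest", "auth_fail" or "authorized"
    vlan: Optional[int] = None

def critical_vlan_supported(port: Port) -> bool:
    """MAC-based access control needs a hybrid port with MAC-based VLAN enabled."""
    if port.access_control == "mac":
        return port.link_type == "hybrid" and port.mac_vlan_enabled
    return True

def on_auth_result(user: User, port: Port, result: str, servers_reachable: bool,
                   authorized_vlan: Optional[int] = None):
    """Apply the VLAN manipulation for one authentication outcome; returns (state, vlan)."""
    if user.vlan_state == "critical" and result == "pass":
        # No authorization VLAN from the server: remap the MAC address to the initial PVID.
        return "authorized", authorized_vlan if authorized_vlan is not None else port.pvid
    if user.vlan_state == "guest" and result == "fail" and not servers_reachable:
        if not critical_vlan_supported(port):
            return user.vlan_state, user.vlan   # assumption: feature does not take effect
        return "critical", port.critical_vlan   # user can reach only the critical VLAN
    if user.vlan_state == "auth_fail" and result == "fail" and not servers_reachable:
        return "auth_fail", user.vlan           # user remains in the Auth-Fail VLAN
    return user.vlan_state, user.vlan           # outcomes not covered by the table: unchanged

def on_server_reachable(port: Port, users: list) -> dict:
    """A reachable RADIUS server is detected: leave the critical VLAN and retrigger 802.1X."""
    if port.access_control == "mac":
        # Only the users sitting in the critical VLAN are removed and get a unicast EAP-Request/Identity.
        targets = [u.mac for u in users if u.vlan_state == "critical"]
        return {"removed": "users", "eap_request_identity": "unicast", "targets": targets}
    # Port-based: the port itself leaves the critical VLAN and every user is retriggered by multicast.
    return {"removed": "port", "eap_request_identity": "multicast",
            "targets": [u.mac for u in users]}
```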

Using 802.1X authentication with other features

ACL assignment

You can specify an ACL for an 802.1X user to control the user's access to network resources. After the user passes 802.1X authentication, the authentication server assigns the ACL to the access port to filter traffic from this user. The authentication server can be the local access device or a RADIUS server. In either case, you must configure the ACL on the access device. To change the access control criteria for the user, you can use one of the following methods:
• Modify ACL rules on the access device.
• Specify another authorization ACL on the authentication server.
For more information about ACLs, see ACL and QoS Configuration Guide.

EAD assistant

Endpoint Admission Defense (EAD) is an integrated endpoint access control solution that improves the threat defense capability of a network. The solution enables the security client, security policy server, access device, and third-party server to operate together. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
VLAN manipulation
• When a user in the 802.1X critical VLAN passes 802.1X authentication, the device remaps the MAC address of the user to the authorization VLAN. If the authentication server (either the local access device or a RADIUS server) does not authorize a VLAN to the user, the device remaps the MAC address of the user to the initial PVID on the port.
• When a user in the 802.1X guest VLAN fails authentication because all the RADIUS servers are unreachable, the device remaps the MAC address of the user to the 802.1X critical VLAN. The user can access only resources in the 802.1X critical VLAN.
• When a user in the 802.1X Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable, the user remains in the 802.1X Auth-Fail VLAN.