HP ProCurve 2910al Access Security Manual page 453
Hide thumbs
Also See for ProCurve 2910al:
- Configuration manual (194 pages) ,
- Manual (126 pages) ,
- Installation and getting started manual (114 pages)
Table of Contents
Advertisement
If a port on switch "A" is configured as an 802.1X supplicant and is
■
connected to a port on another switch, "B", that is not 802.1X-aware,
access to switch "B" will occur without 802.1X security protection.
■
On a port configured for 802.1X with RADIUS authentication, if the
RADIUS server specifies a VLAN for the supplicant and the port is a trunk
member, the port will be blocked. If the port is later removed from the
trunk, the port will allow authentication of the supplicant. Similarly, if the
supplicant is authenticated and later the port becomes a trunk member,
the port will be blocked. If the port is then removed from the trunk, it will
allow the supplicant to re-authenticate.
If a client already has access to a switch port when you configure the port
■
for 802.1X authenticator operation, the port will block the client from
further network access until it can be authenticated.
A port can be configured as an authenticator or an 802.1X supplicant, or
■
both. Some configuration instances block traffic flow or allow traffic to
flow without authentication. (See "Configuring Switch Ports To Operate
As Supplicants for 802.1X Connections to Other Switches" on page 12-49).
■
To help maintain security, 802.1X and LACP cannot both be enabled on
the same port. If you try to configure 802.1X on a port already configured
for LACP (or the reverse) you will see a message similar to the following:
Error configuring port X: LACP and 802.1X cannot be run together.
When spanning tree is enabled on a switch that uses 802.1X, Web authen
■
tication, or MAC authentication, loops may go undetected. For example,
spanning tree packets that are looped back to an edge port will not be
processed because they have a different broadcast/multicast MAC
address from the client-authenticated MAC address. To ensure that client-
authenticated edge ports get blocked when loops occur, you should
enable loop protection on those ports. For more information, see "Loop
Protection" in the chapter titled "Multiple Instance Spanning-Tree Opera
tion" in the Advanced Traffic Management Guide.
Applying Web Authentication or MAC Authentication Concurrently
with Port-Based 802.1X Authentication: While 802.1X port-based access
control can operate concurrently with Web Authentication or MAC Authenti
cation, port-based access control is subordinate to Web-Auth and MAC-Auth
operation. If 802.1X operates in port-based mode and MAC or Web authenti
cation is enabled on the same port, any 802.1X authentication has no effect on
the ability of a client to access the controlled port. That is, the client's access
will be denied until the client authenticates through Web-Auth or MAC-Auth
on the port. Note also that a client authenticating with port-based 802.1X does
not open the port in the same way that it would if Web-Auth or MAC-Auth were
Configuring Port-Based and User-Based Access Control (802.1X)
General Operating Rules and Notes
12-13
Hide quick links:
Advertisement
Table of Contents
