Table of Contents
Advertisement
RADIUS Authentication, Authorization, and Accounting
Dynamic Removal of Authentication Limits
Note
6-70
Dynamic Removal of Authentication
Limits
Overview
In some situations, it is desirable to configure RADIUS attributes for down-
stream supplicant devices that allow dynamic removal of the 802.1X, MAC,
and Web authentication limits on the associated port of the authenticator
switch. This eliminates the need to manually reconfigure ports associated with
downstream 802.1X-capable devices, and MAC relay devices such as IP
phones, on the authenticator switches. When the RADIUS authentication ages
out, the authentication limits are dynamically restored. This enhancement
allows a common port policy to be configured on all access ports by creating
new RADIUS HP vendor-specific attributes (VSAs) that will dynamically
override the authentication limits. The changes are always applied to the port
on the authenticator switch associated with the supplicant being authenti-
cated.
All the changes requested by the VSAs must be valid for the switch configura-
tion. For example, if either MAC-based or Web-based port access is configured
while 802.1X port access is in client mode, a RADIUS client with a VSA to
change the 802.1X port access to port-based mode is not allowed. 802.1X in
port-based mode is not allowed with MAC-based or web-based port access
types. However, if the authenticating client has VSAs to disable MAC-based
and Web-based authentication in conjunction with changing 802.1X to port-
based mode, then client authentication is allowed.
Configuring the RADIUS VSAs
Only RADIUS -authenticated port-access clients will be able to dynamically
change the port access settings using the new proprietary RADIUS VSAs. The
settings that can be overridden are:
•
Client limit (address limit with mac-based port access)
•
Disabling the port-access types
•
Setting the port mode in which 802.1X is operating
Hide quick links:
Advertisement
Table of Contents
