HP ProCurve 9304M Security Manual page 127

Routing switches
If one of the attributes in the Access-Accept message specifies a VLAN identifier, and this VLAN is available on
the HP device, the port is moved from its default VLAN to the specified VLAN.
To enable dynamic VLAN assignment for authenticated MAC addresses, you must add the required attributes to
the profile for the MAC address on the RADIUS server, then enable dynamic VLAN assignment on multi-device
port authentication-enabled interfaces. See "Dynamic VLAN Assignment" on page 6-2 for a list of the attributes
that must be set on the RADIUS server.
To enable dynamic VLAN assignment on a multi-device port authentication-enabled interface, enter commands
such as the following:
ProCurveRS(config)# interface e 3/1
ProCurveRS(config-if-e100-3/1)# mac-authentication enable-dynamic-vlan
Syntax: [no] mac-authentication enable-dynamic-vlan
If a previous authentication attempt for a MAC address failed, and as a result the port was placed in the restricted
VLAN, but a subsequent authentication attempt was successful, the RADIUS Access-Accept message may
specify a VLAN for the port. By default, the HP device moves the port out of the restricted VLAN and into the
RADIUS-specified VLAN. You can optionally configure the device to ignore the RADIUS-specified VLAN in the
RADIUS Access-Accept message, and leave the port in the restricted VLAN.
To do this, enter the following command:
ProCurveRS(config)# mac-authentication no-override-restrict-vlan
Syntax: [no] mac-authentication no-override-restrict-vlan
Notes:
• For untagged ports, if the VLAN ID provided by the RADIUS server is valid, then the port is removed from its
current VLAN and moved to the RADIUS-specified VLAN as an untagged port.
• For tagged ports, if the VLAN ID provided by the RADIUS server is valid, then the port is added to the
RADIUS-specified VLAN as a tagged port.
• If you configure dynamic VLAN assignment on a multi-device port authentication-enabled interface, and the
Access-Accept message returned by the RADIUS server does not contain a Tunnel-Private-Group-ID
attribute, then it is considered an authentication failure, and the configured authentication failure action is
performed for the MAC address.
• If the <vlan-name> string does not match either the name or the ID of a VLAN configured on the device, then
it is considered an authentication failure, and the configured authentication failure action is performed for the
MAC address.
• For tagged or dual-mode ports, if the VLAN ID provided by the RADIUS server does not match the VLAN ID
in the tagged packet that contains the authenticated MAC address as its source address, then it is considered
an authentication failure, and the configured authentication failure action is performed for the MAC address.
• If an untagged port had previously been assigned to a VLAN through dynamic VLAN assignment, and then
another MAC address is authenticated on the same port, but the RADIUS Access-Accept message for the
second MAC address specifies a different VLAN, then it is considered an authentication failure for the second
MAC address, and the configured authentication failure action is performed. Note that this applies only if the
first MAC address has not yet aged out. If the first MAC address has aged out, then dynamic VLAN
assignment works as expected for the second MAC address.
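The decision rules in the notes above, together with the no-override-restrict-vlan behavior described earlier, modeled as an added Python example (this is not HP code; the Port data model, the VLAN table and the returned result strings are assumptions made for the illustration):

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of how an Access-Accept is evaluated for a MAC session.
# Port/field names are assumptions for this example, not HP identifiers.

@dataclass
class Port:
    tagged: bool                        # True for tagged or dual-mode ports
    vlan: int                           # VLAN the port is in right now
    dynamic_vlan: Optional[int] = None  # set by an earlier MAC auth; None once it aged out
    restricted: bool = False            # port sits in the restricted VLAN after a failure

def resolve_vlan(group_id: str, vlans: dict) -> Optional[int]:
    """Match the Tunnel-Private-Group-ID string against configured VLAN IDs or names."""
    if group_id.isdigit() and int(group_id) in vlans:
        return int(group_id)
    for vid, name in vlans.items():
        if name == group_id:
            return vid
    return None

def apply_access_accept(port: Port, attrs: dict, vlans: dict,
                        frame_vlan: Optional[int] = None,
                        no_override_restrict_vlan: bool = False) -> str:
    """Return a 'failure: ...' string (the configured failure action applies)
    or a 'success: ...' string describing what happens to the port."""
    group_id = attrs.get("Tunnel-Private-Group-ID")
    if group_id is None:                       # attribute missing -> auth failure
        return "failure: no Tunnel-Private-Group-ID"
    vid = resolve_vlan(str(group_id), vlans)
    if vid is None:                            # unknown VLAN name/ID -> auth failure
        return "failure: unknown VLAN"
    if port.tagged and vid != frame_vlan:      # tagged/dual-mode: must match the frame's VLAN
        return "failure: VLAN mismatch with tagged frame"
    if not port.tagged and port.dynamic_vlan not in (None, vid):
        return "failure: port already dynamically assigned to another VLAN"
    if port.restricted and no_override_restrict_vlan:
        return f"success: stays in restricted VLAN {port.vlan}"
    if port.tagged:                            # tagged port is added, not moved
        return f"success: added to VLAN {vid} as tagged"
    port.vlan, port.dynamic_vlan, port.restricted = vid, vid, False
    return f"success: moved to VLAN {vid} as untagged"
```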
Specifying to Which VLAN a Port Is Moved After Its RADIUS-Specified VLAN Assignment Expires
When a port is dynamically assigned to a VLAN through the authentication of a MAC address, and the MAC
session for that address is deleted on the HP device, then by default the port is removed from its RADIUS-assigned
VLAN and placed back in the VLAN where it was originally assigned.
A port can be removed from its RADIUS-assigned VLAN when any of the following occur:
• The link goes down for the port
June 2005
Configuring Multi-Device Port Authentication
6 - 5