HP ProCurve 9304M Security Manual page 91

Figure 4.4 Message exchange between Client/Supplicant, Authenticator, and Authentication Server
[Diagram labels: Client/Supplicant; HP Device (Authenticator); RADIUS Server (Authentication Server)]

In this example, the Authenticator (the HP device) initiates communication with an 802.1X-enabled Client. When
the Client responds, it is prompted for a username (255 characters maximum) and password. The Authenticator
passes this information to the Authentication Server, which determines whether the Client can access services
provided by the Authenticator. When the Client is successfully authenticated by the RADIUS server, the port is
authorized. When the Client logs off, the port becomes unauthorized again.

Starting in release 07.6.04, HP's 802.1X implementation supports dynamic VLAN assignment. If one of the
attributes in the Access-Accept message sent by the RADIUS server specifies a VLAN identifier, and this VLAN is
available on the HP device, the client's port is moved from its default VLAN to the specified VLAN. When the client
disconnects from the network, the port is placed back in its default VLAN. See "Configuring Dynamic VLAN
Assignment for 802.1X Ports" on page 4-16 for more information.

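The dynamic VLAN decision described above, as an added example that is not part of the HP manual or HP's software. This page does not name the RADIUS attributes involved, so the sketch assumes the RFC 3580 convention (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID carrying a numeric VLAN ID); all function names and the sample packet are constructed for illustration.

```python
import struct
ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID = 64, 65, 81  # RFC 2868 attribute types
VLAN, IEEE_802 = 13, 6  # values RFC 3580 uses for VLAN assignment

def parse_attributes(packet):
    """Return (code, {type: first value}), validating every length field."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field disagrees with the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute overruns the packet")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def requested_vlan(packet):
    """Numeric VLAN ID named by an Access-Accept, else None."""
    code, attrs = parse_attributes(packet)
    ttype, medium, group = (attrs.get(t, b"") for t in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID))
    if code != ACCESS_ACCEPT or len(ttype) != 4 or len(medium) != 4 or not group:
        return None
    # Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte value.
    if (int.from_bytes(ttype[1:], "big"), int.from_bytes(medium[1:], "big")) != (VLAN, IEEE_802):
        return None
    group = group[1:] if group[0] <= 0x1F else group  # optional tag byte (RFC 2868)
    text = group.decode("ascii", "replace")
    if not text.isdigit() or not 1 <= int(text) <= 4094:
        return None
    return int(text)

def port_vlan(packet, default_vlan, device_vlans):
    """VLAN the port ends up in. Assumption: if the named VLAN is not on the
    device the port stays in default_vlan; the page does not cover that case."""
    vlan = requested_vlan(packet)
    return vlan if vlan in device_vlans else default_vlan

def build_accept(group_id):
    """Constructed sample Access-Accept; its 16-byte authenticator is zeroed."""
    fixed = ((TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM, b"\x00\x00\x00\x06"), (TUNNEL_GROUP_ID, group_id))
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in fixed)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```

An authenticator must verify the RADIUS Response Authenticator against the shared secret before acting on any attribute; the sample packet zeroes that field and this sketch does not check it.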
If a Client does not support 802.1X, authentication cannot take place. The HP device sends EAP-Request/Identity
frames to the Client, but the Client does not respond to them.

When a Client that supports 802.1X attempts to gain access through a non-802.1X-enabled port, it sends an EAP
start frame to the HP device. When the device does not respond, the Client considers the port to be authorized,
and starts sending normal traffic.

HP devices support Identity and MD5-challenge request types in EAP Request/Response messages. However,
devices running software release 07.8.00 support the following 802.1X authentication challenge types:

• EAP-TLS (RFC 2716) – EAP Transport Level Security (TLS) provides strong security by requiring both client
and authentication server to be identified and validated through the use of public key infrastructure (PKI)
digital certificates. EAP-TLS establishes a tunnel between the client and the authentication server to protect
messages from unauthorized users' eavesdropping activities. Since EAP-TLS requires PKI digital certificates

Configuring 802.1X Port Security, page 4 - 5, June 2005