HP ProCurve 9304M Security Manual page 95

Dynamic VLAN assignment is supported in 802.1X multiple-host configurations. The following considerations apply when a Client in an 802.1X multiple-host configuration is successfully authenticated, and the RADIUS Access-Accept message specifies a VLAN for the port:

• If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of a valid VLAN on the HP device, then the port is placed in that VLAN.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of a different VLAN, then it is considered an authentication failure. The port's VLAN membership is not changed.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of that same VLAN, then traffic from the Client is forwarded normally.
• If the RADIUS Access-Accept message specifies the name or ID of a VLAN that does not exist on the HP device, then it is considered an authentication failure.
• If the port is a tagged or dual-mode port, and the RADIUS Access-Accept message specifies the name or ID of a valid VLAN on the HP device, then the port is placed in that VLAN. If the port is already a member of the RADIUS-specified VLAN, no further action is taken. Note that the Client's dot1x-mac-session is set to "access-is-allowed" for the RADIUS-specified VLAN only. If traffic from the Client's MAC address is received on any other VLAN, it is dropped.
• If the RADIUS Access-Accept message does not contain any VLAN information, the Client's dot1x-mac-session is set to "access-is-allowed". If the port is already in a RADIUS-specified VLAN, it remains in that VLAN.
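
The rules above amount to a small state machine per port, which is useful when predicting why a second Client on a shared port fails authentication. The following Python model is an added example, not HP's code: the names `Port`, `apply_access_accept` and `forwards` are hypothetical, VLANs are identified by ID only, and it assumes the tagged/dual-mode rule takes precedence over the "different VLAN" failure rule.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Model of one 802.1X multiple-host port (hypothetical names)."""
    tagged: bool = False                            # tagged or dual-mode port
    radius_vlans: set = field(default_factory=set)  # VLANs the port joined via RADIUS
    sessions: dict = field(default_factory=dict)    # MAC -> allowed VLAN (None = not pinned)

def apply_access_accept(port, device_vlans, mac, vlan=None):
    """Apply the manual's rules for one successfully authenticated Client.

    vlan is the VLAN ID carried in the Access-Accept, or None if it had none.
    Returns "access-is-allowed" or "authentication-failure".
    """
    if vlan is None:
        # No VLAN information: allow the Client, leave port membership alone.
        port.sessions[mac] = None
        return "access-is-allowed"
    if vlan not in device_vlans:
        # The VLAN does not exist on the device.
        return "authentication-failure"
    if port.tagged:
        # Assumption: a tagged/dual-mode port may join further VLANs.
        # Joining is a no-op if it is already a member; the Client's
        # session is pinned to the RADIUS-specified VLAN only.
        port.radius_vlans.add(vlan)
        port.sessions[mac] = vlan
        return "access-is-allowed"
    if port.radius_vlans and vlan not in port.radius_vlans:
        # Already in a different RADIUS-specified VLAN: membership unchanged.
        return "authentication-failure"
    port.radius_vlans.add(vlan)   # first Client places the port; same VLAN is a no-op
    port.sessions[mac] = vlan
    return "access-is-allowed"

def forwards(port, mac, vlan):
    """True if a frame from mac received on vlan is forwarded, False if dropped."""
    if mac not in port.sessions:
        return False              # no authenticated session for this Client
    allowed = port.sessions[mac]
    # Assumption: a session without VLAN information is not pinned to a VLAN.
    return allowed is None or allowed == vlan
```

On an untagged port the first Client to authenticate with a VLAN effectively fixes the VLAN for every later Client, so RADIUS policies for users sharing a port need to return the same VLAN or none.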

802.1X Port Security and sFlow

sFlow is a system for observing traffic flow patterns and quantities within and among a set of Routing Switches. sFlow works by taking periodic samples of network data and exporting this information to a collector.

When you enable sFlow forwarding on an 802.1X-enabled interface, the samples taken from the interface include the user name string at the inbound and/or outbound port, if that information is available.

For more information on sFlow, see the "sFlow" section in the "Remote Network Monitoring" chapter of the Advanced Configuration and Management Guide for ProCurve 9300/9400 Series Routing Switches.

Configuring 802.1X Port Security

Configuring 802.1X port security on an HP device consists of the following tasks:

1. Configuring the HP device's interaction with the Authentication Server:
   • "Configuring an Authentication Method List for 802.1X" on page 4-10
   • "Setting RADIUS Parameters" on page 4-10
   • "Configuring Dynamic VLAN Assignment for 802.1X Ports" on page 4-16 (optional)
2. Configuring the HP device's role as the Authenticator:
   • "Enabling 802.1X Port Security" on page 4-10
   • "Initializing 802.1X on a Port" on page 4-14 (optional)
3. Configuring the HP device's interaction with Clients:
   • "Configuring Periodic Re-Authentication" on page 4-12 (optional)
   • "Re-Authenticating a Port Manually" on page 4-12 (optional)
   • "Setting the Quiet Period" on page 4-12 (optional)
   • "Setting the Interval for Retransmission of EAP-Request/Identity Frames" on page 4-12 (optional)
   • "Specifying the Number of EAP-Request/Identity Frame Retransmissions" on page 4-13 (optional)

June 2005
