HP implementation of 802.1X
This chapter describes how to configure 802.1X on an HP device.
Access control methods
HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to
support MAC-based access control.
With port-based access control, once an 802.1X user passes authentication on a port, any subsequent
user can access the network through the port without authentication. When the authenticated user logs
off, all other users are logged off.
With MAC-based access control, each user is separately authenticated on a port. When a user logs
off, no other online users are affected.
Using 802.1X authentication with other features
You can configure the authentication server to assign a VLAN for an 802.1X user that has passed
authentication. The way that the network access device handles VLANs on an 802.1X-enabled port differs
by 802.1X access control mode.
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the
assignment, do not re-configure the port as a tagged member in the VLAN.
On a periodic online user re-authentication enabled port, if a user has been online before you enable the
MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless
the user passes re-authentication and the VLAN for the user has changed.
Assigns the VLAN to the port as the default VLAN. All subsequent 802.1X users can
access the default VLAN without authentication.
When the user logs off, the previous default VLAN restores, and all other online users
are logged off.
If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address
of each user to the VLAN assigned by the authentication server. The default VLAN
of the port does not change. When a user logs off, the MAC-to-VLAN mapping for
the user is removed.
If the port is an access, trunk, or MAC-based VLAN disabled hybrid port, assigns
the first authenticated user's VLAN to the port as the default VLAN. If a different
VLAN is assigned for a subsequent user, the user cannot pass the authentication.