HP ProCurve 2810 Series Access Security Manual page 218
Hide thumbs
Also See for ProCurve 2810 Series:
- Management and configuration manual (420 pages) ,
- Quick reference manual (44 pages) ,
- Supplementary manual (2 pages)
Table of Contents
Advertisement
Configuring Port-Based and Client-Based Access Control (802.1X)
802.1X Open VLAN Mode
Condition
Temporary VLAN Membership During
a Client Session
Effect of Unauthorized-Client VLAN
session on untagged port VLAN
membership
Effect of Authorized-Client VLAN
session on untagged port VLAN
membership.
Multiple Authenticator Ports Using
the Same Unauthorized-Client and
Authorized-Client VLANs
Effect of Failed Client Authentication
Attempt
8-32
Rule
• Port membership in a VLAN assigned to operate as the
Unauthorized-Client VLAN is temporary, and ends when the client
receives authentication or the client disconnects from the port,
whichever is first.
• Port membership in a VLAN assigned to operate as the Authorized-
Client VLAN is also temporary, and ends when the client
disconnects from the port.If a VLAN assignment from a RADIUS
server is used instead, the same rule applies.
• When an unauthenticated client connects to a port that is already
configured with a static, untagged VLAN, the switch temporarily
moves the port to the Unauthorized-Client VLAN (also untagged).
(While the Unauthorized-Client VLAN is in use, the port does not
access the static, untagged VLAN.)
• When the client either becomes authenticated or disconnects, the
port leaves the Unauthorized-Client VLAN and reacquires its
untagged membership in the statically configured VLAN.
• When a client becomes authenticated on a port that is already
configured with a static, untagged VLAN, the switch temporarily
moves the port to the Authorized-Client VLAN (also untagged).
While the Authorized-Client VLAN is in use, the port does not have
access to the statically configured, untagged VLAN.
• When the authenticated client disconnects, the switch removes the
port from the Authorized-Client VLAN and moves it back to the
untagged membership in the statically configured VLAN. (After
client authentication, the port resumes any tagged VLAN
memberships for which it is already configured. For details, refer to
the Note on page 8-28.)
You can use the same static VLAN as the Unauthorized-Client VLAN
for all 802.1X authenticator ports configured on the switch. Similarly,
you can use the same static VLAN as the Authorized-Client VLAN for
all 802.1X authenticator ports configured on the switch.
Caution: Do not use the same static VLAN for both the unauthorized
and the Authorized-Client VLAN. Using one VLAN for both creates a
security risk by defeating the isolation of unauthenticated clients.
When there is an Unauthorized-Client VLAN configured on an 802.1X
authenticator port, an unauthorized client connected to the port has
access only to the network resources belonging to the Unauthorized-
Client VLAN. This access continues until the client disconnects from
the port. (If there is no Unauthorized-Client VLAN configured on the
authenticator port, the port simply blocks access for any unauthorized
client that cannot be authenticated.)
Hide quick links:
Advertisement
Table of Contents
