HP Q.11.XX Manual page 229

Procurve 2510 series switches
Configuring Port-Based and Client-Based Access Control (802.1X)
802.1X Open VLAN Mode

Condition: IP Addressing for a Client Connected to a Port Configured for 802.1X Open VLAN Mode
Rule: A client can either acquire an IP address from a DHCP server or have a preconfigured, manual IP address before connecting to the switch.

Condition: 802.1X Supplicant Software for a Client Connected to a Port Configured for 802.1X Open VLAN Mode
Rule: A friendly client, without 802.1X supplicant software, connecting to an authenticator port must be able to download this software from the Unauthorized-Client VLAN before authentication can begin.

Condition: Switch with a Port Configured To Allow Multiple Authorized-Client Sessions
Rule: When a new client is authenticated on a given port:
• If no other clients are authenticated on that port, then the port joins one VLAN in the following order of precedence:
  a. A RADIUS-assigned VLAN, if configured.
  b. An Authenticated-Client VLAN, if configured.
  c. A static, port-based VLAN to which the port belongs as an untagged member.
  d. Any VLAN(s) to which the port is configured as a tagged member (provided that the client can operate in that VLAN).
• If another client is already authenticated on the port, then the port is already assigned to a VLAN for the previously-existing client session, and the new client must operate in this same VLAN, regardless of other factors. (This means that a client without 802.1X client authentication software cannot access a configured, Unauthenticated-Client VLAN if another, authenticated client is already using the port.)

Condition: Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to Allow Multiple-Client Access
Rule: You can optionally enable switches to allow up to 2 clients per-port. The Unauthorized-Client VLAN feature can operate on an 802.1X-configured port regardless of how many clients the port is configured to support. However, all clients on the same port must operate through the same untagged VLAN membership. This means that any client accessing a given port must be able to authenticate and operate on the same VLAN as any other previously authenticated clients that are currently using the port. Thus, an Unauthorized-Client VLAN configured on a switch port that allows multiple 802.1X clients cannot be used if there is already an authenticated client using the port on another VLAN. Also, a client using the Unauthenticated-Client VLAN will be blocked when another client becomes authenticated on the port. For this reason, the best utilization of the Unauthorized-Client VLAN feature is in instances where only one client is allowed per-port. Otherwise, unauthenticated clients are subject to being blocked at any time by authenticated clients using a different VLAN. (Using the same VLAN for authenticated and unauthenticated clients can create a security risk and is not recommended.)
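The rules in the table above can be checked against a planned port configuration with a small model. The following is an added example, not HP code or switch output; the class `Port8021X`, its field names and the VLAN IDs are hypothetical and only mirror the rule text.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port8021X:
    """Hypothetical model of one authenticator port in 802.1X Open VLAN mode."""
    unauth_vid: Optional[int] = None        # Unauthorized-Client VLAN
    auth_vid: Optional[int] = None          # Authenticated-Client VLAN
    static_untagged: Optional[int] = None   # static port-based untagged VLAN
    tagged: tuple = ()                      # VLANs where the port is a tagged member
    active: tuple = ()                      # VLAN(s) the port currently operates in
    authed: set = field(default_factory=set)
    guests: set = field(default_factory=set)

    def connect_unauthenticated(self, client: str) -> Optional[int]:
        """Client without a supplicant tries to use the Unauthorized-Client VLAN."""
        if self.unauth_vid is None or self.authed:
            return None                     # unusable while an authenticated session exists
        self.guests.add(client)
        self.active = (self.unauth_vid,)
        return self.unauth_vid

    def authenticate(self, client: str, radius_vid: Optional[int] = None,
                     client_vlans: tuple = ()) -> tuple:
        """Return (VLANs the client operates in, guests blocked as a side effect)."""
        self.guests.discard(client)
        blocked, self.guests = self.guests, set()   # guests are blocked on any authentication
        if not self.authed:                 # first session: precedence a, b, c, d
            if radius_vid is not None:
                self.active = (radius_vid,)
            elif self.auth_vid is not None:
                self.active = (self.auth_vid,)
            elif self.static_untagged is not None:
                self.active = (self.static_untagged,)
            else:
                self.active = tuple(v for v in self.tagged if v in client_vlans)
        # later sessions keep self.active, "regardless of other factors"
        self.authed.add(client)
        return self.active, blocked


def demo():
    # Constructed VLAN IDs: 100 Unauthorized-Client, 200 Authenticated-Client, 300 RADIUS.
    port = Port8021X(unauth_vid=100, auth_vid=200, static_untagged=1)
    guest = port.connect_unauthenticated("laptop-no-supplicant")
    first = port.authenticate("pc-a")                    # rule b applies
    second = port.authenticate("pc-b", radius_vid=300)   # must share pc-a's VLAN
    late = port.connect_unauthenticated("printer")       # no guest access any more
    return guest, first, second, late
```

Running `demo()` shows the two limitations the note describes: the guest in VLAN 100 is blocked as soon as `pc-a` authenticates, and `pc-b` is held to VLAN 200 even though a different VLAN was requested for it.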

This manual is also suitable for:

U.11.xx, Procurve 2510-24, Procurve 2510-48