Access Security Guide K/KA/KB.15.15

If the VSA client limit decreases the switch-configured client limit, all clients except the client that
is overriding the settings are deauthenticated. Only one client session at a time can override the
port-access settings on a port. When the client session is deauthenticated, the port resets itself to
the configured settings. This port reset causes the deauthentication of all clients for the port-access
authentication types that had their settings changed dynamically.
The new VSAs are:
HP-Port-Client-Limit-Dot1x
This VSA temporarily alters the 802.1X authentication client limit to the value contained in the
VSA. Values range from 0 to 32 clients. A zero client limit means this VSA is disabled. This
is an HP proprietary VSA with a value of 10.
HP-Port-Client-Limit-MA
This VSA temporarily alters the MAC authentication client limit to the value contained in the
VSA. Values range from 0 to 256 clients. A zero client limit means this VSA is disabled. This
is an HP proprietary VSA with a value of 11.
HP-Port-Client-Limit-WA
This VSA temporarily alters the web-based authentication client limit to the value contained in
the VSA. Values range from 0 to 256 clients. A zero client limit means this VSA is disabled.
This is an HP proprietary VSA with a value of 12.
HP-Port-Auth-Mode-Dot1x
This VSA temporarily alters the 802.1X authentication mode to be either port-based or
user-based depending on the value in the VSA. A port-based VSA is set with a value of 1; a
user-based VSA is set with a value of 2. This is an HP proprietary VSA with a value of 13.
If an 802.1X port is operating in port-based mode, it is invalid to set the 802.1X client limit using
the HP-Port-Client-Limit VSA.
NOTE: The changing of the client limits for a port using VSAs is temporary. The running
configuration file is not changed and still displays the client limit and address limit settings.
Each authentication type may have a unique value for the client limit. If the value of the VSA is
zero, the authentication type corresponding to that VSA will be disabled.
Settings for these VSAs are in effect for the duration of the authenticated session of the downstream
supplicant switch. If for any reason there is a loss of the session (link loss between authenticator
switch and supplicant switch, or authentication failure during reauthentication), the originally
configured 802.1X and MAC authentication limits are restored.
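The following Python sketch is an added example, not code from the guide or from HP. It decodes these four VSAs from a RADIUS attribute list and checks them against the ranges and the port-based restriction stated above. It assumes the RFC 2865 Vendor-Specific layout, HP's IANA enterprise number 11 as the Vendor-Id, that the "value" 10 to 13 given for each VSA is its vendor type, and a 32-bit integer payload; the function names and the sample are constructed for illustration.

```python
import struct

HP_VENDOR_ID = 11  # assumption: HP's IANA enterprise number (not stated in the guide)
# vendor type -> (name, allowed values); numbers and ranges as given in the guide
HP_VSAS = {
    10: ("HP-Port-Client-Limit-Dot1x", range(0, 33)),
    11: ("HP-Port-Client-Limit-MA", range(0, 257)),
    12: ("HP-Port-Client-Limit-WA", range(0, 257)),
    13: ("HP-Port-Auth-Mode-Dot1x", (1, 2)),  # 1 = port-based, 2 = user-based
}

def encode_vsa(vendor_type, value):
    """Build an RFC 2865 Vendor-Specific (26) attribute; 32-bit value is an assumption."""
    inner = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", 26, 6 + len(inner), HP_VENDOR_ID) + inner

def parse_hp_vsas(attrs):
    """Walk a RADIUS attribute list and return {name: value} for the HP port VSAs."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[i + 2:i + alen]
        i += alen
        if atype != 26 or len(body) < 4 or struct.unpack("!I", body[:4])[0] != HP_VENDOR_ID:
            continue  # not a Vendor-Specific attribute from this vendor
        sub = body[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if vtype in HP_VSAS and vlen == 6:
                found[HP_VSAS[vtype][0]] = struct.unpack("!I", sub[2:6])[0]
            sub = sub[vlen:]
    return found

def lint(vsas):
    """Return the problems a reply would have under the rules stated in the guide."""
    problems = []
    for name, allowed in HP_VSAS.values():
        if name in vsas and vsas[name] not in allowed:
            problems.append(f"{name}={vsas[name]} is out of range")
    if vsas.get("HP-Port-Auth-Mode-Dot1x") == 1 and "HP-Port-Client-Limit-Dot1x" in vsas:
        problems.append("Dot1x client limit is invalid in port-based mode")
    return problems

# Constructed sample: port-based mode plus a Dot1x limit, and an out-of-range MA limit
SAMPLE = encode_vsa(13, 1) + encode_vsa(10, 8) + encode_vsa(11, 300)
```

Running lint(parse_hp_vsas(SAMPLE)) reports both the out-of-range MAC authentication limit and the client limit sent together with port-based mode.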
Enhanced commands
The following commands have the server-group option. If no server-group is specified, the default
RADIUS group is used. The server group must have already been configured.
NOTE: The last RADIUS server in a server group cannot be deleted if an authentication or
accounting method is using the server group.
Syntax
aaa authentication <console | telnet | ssh | web> <enable |
login | local | radius {server-group <group-name> | local |
none | authorized}>>
Configures the primary password authentication method for console, Telnet, SSH,
and/or the WebAgent.