Access Security Guide K/KA/KB.15.15

Figure 146 Accounting in common mode (same session ID throughout)
Dynamic removal of authentication limits
Overview
In some situations, it is desirable to configure RADIUS attributes for downstream supplicant devices
that allow dynamic removal of the 802.1X, MAC, and web-based authentication limits on the
associated port of the authenticator switch. This eliminates the need to manually reconfigure ports
associated with downstream 802.1X-capable devices, and MAC relay devices such as IP phones,
on the authenticator switches. When the RADIUS authentication ages out, the authentication limits
are dynamically restored. This enhancement allows a common port policy to be configured on all
access ports by creating new RADIUS HP vendor-specific attributes (VSAs) that will dynamically
override the authentication limits. The changes are always applied to the port on the authenticator
switch associated with the supplicant being authenticated.
NOTE: All the changes requested by the VSAs must be valid for the switch configuration. For
example, if either MAC or web-based port access is configured while 802.1X port access is in
client mode, a RADIUS client with a VSA that changes 802.1X port access to port-based mode
is not allowed, because 802.1X in port-based mode is not allowed with the MAC or web-based
port access types. However, if the authenticating client also has VSAs that disable MAC and
web-based authentication in conjunction with changing 802.1X to port-based mode, then client
authentication is allowed.
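The rule in the NOTE depends on the combined result of all VSAs a client returns, not on each VSA alone. The following is an added example, not code from the guide or the switch firmware, that models that check and the restore on age-out. The keys `dot1x-port-based`, `mac-auth-disable`, and `web-auth-disable` are hypothetical stand-ins for the HP VSAs, whose real names are not given here.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class PortAuth:
    dot1x_mode: str  # "client" or "port-based"
    mac_auth: bool   # MAC authentication enabled on the port
    web_auth: bool   # web-based authentication enabled on the port


def merge(cfg: PortAuth, vsas: dict) -> PortAuth:
    """Port state that results from applying every requested VSA together."""
    return replace(
        cfg,
        dot1x_mode="port-based" if vsas.get("dot1x-port-based") else cfg.dot1x_mode,
        mac_auth=cfg.mac_auth and not vsas.get("mac-auth-disable", False),
        web_auth=cfg.web_auth and not vsas.get("web-auth-disable", False),
    )


def rejection_reason(state: PortAuth) -> Optional[str]:
    """Return why a resulting state is invalid, or None if it is allowed."""
    if state.dot1x_mode == "port-based" and (state.mac_auth or state.web_auth):
        return "802.1X port-based mode is not allowed with MAC or web-based access"
    return None


class Port:
    """Keeps the configured policy so it can be restored when the session ages out."""

    def __init__(self, configured: PortAuth):
        self.configured = configured
        self.effective = configured

    def authenticate(self, vsas: dict) -> bool:
        candidate = merge(self.configured, vsas)
        if rejection_reason(candidate) is not None:
            return False  # invalid combination: port state is left untouched
        self.effective = candidate
        return True

    def age_out(self) -> None:
        self.effective = self.configured  # limits are dynamically restored


if __name__ == "__main__":
    port = Port(PortAuth("client", mac_auth=True, web_auth=False))  # constructed sample
    print(port.authenticate({"dot1x-port-based": True}))
    print(port.authenticate({"dot1x-port-based": True, "mac-auth-disable": True,
                             "web-auth-disable": True}), port.effective)
```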
Overview
RADIUS (Remote Authentication Dial-In User Service) enables you to use up to fifteen servers and
maintain separate authentication and accounting for each RADIUS server employed.