Access Security Guide K/KA/KB.15.15

NOTE: Any port VLAN-ID changes made on 802.1X-aware ports during an 802.1X-authenticated
session do not take effect until the session ends.
With GVRP enabled, a temporary, untagged static VLAN assignment created on a port by 802.1X
authentication is advertised as an existing VLAN. If this temporary VLAN assignment causes the
switch to disable a configured (untagged) static VLAN assignment on the port, then the disabled
VLAN assignment is not advertised. When the 802.1X session ends, the switch:
• Eliminates and ceases to advertise the temporary VLAN assignment.
• Re-activates and resumes advertising the temporarily disabled VLAN assignment.
About 802.1X
General features
802.1X on the HP switches includes the following:
• Switch operation as both an authenticator (for supplicants having a point-to-point connection
  to the switch) and as a supplicant for point-to-point connections to other 802.1X-aware switches.
• Authentication of 802.1X access using a RADIUS server and either the EAP or CHAP
  protocol.
• Provision for enabling clients that do not have 802.1X supplicant software to use the switch
  as a path for downloading the software and initiating the authentication process (802.1X
  Open VLAN mode).
• User-Based access control option with support for up to 32 authenticated clients per port.
• Port-Based access control option allowing authentication by a single client to open the
  port. This option does not enforce a client limit and, on a port opened by an authenticated
  client, allows unlimited client access without requiring further authentication.
• Supplicant implementation using CHAP authentication and independent user credentials
  on each port.
  The local operator password configured with the password command for management access
  to the switch is no longer accepted as an 802.1X authenticator credential. The password
  port-access command configures the local operator username and password used as
  802.1X authentication credentials for access to the switch. The values configured can be
  stored in a configuration file using the include-credentials command.
• On-demand change of a port's configured VLAN membership status to support the current
  client session.
• Session accounting with a RADIUS server, including the accounting update interval.
• Use of show commands to display session counters.
• Support for concurrent use of 802.1X and either Web authentication or MAC authentication
  on the same port.
For unauthenticated clients that do not have the necessary 802.1X supplicant software (or for
other reasons related to unauthenticated clients), there is the option to configure an
Unauthorized-Client VLAN. This mode allows you to assign unauthenticated clients to an
isolated VLAN through which you can provide the necessary supplicant software and/or other
services you want to extend to these clients.
User authentication methods
The switch offers two methods for using 802.1X access control. Generally, the "Port Based" method
supports one 802.1X-authenticated client on a port, which opens the port to an unlimited number
of clients. The "User-Based" method supports up to 32 802.1X-authenticated clients on a port. In
both cases, there are operating details to be aware of that can influence your choice of methods.
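The following switch CLI fragment is an added illustration, not taken from the guide, of how the Port-Based and User-Based methods described above, the Unauthorized-Client VLAN, and the supplicant credentials configured with password port-access fit together on one switch. The RADIUS server address and shared secret, the port numbers, the client limit, and VLAN 99 are placeholder values chosen for the example.

```text
; --- RADIUS-backed 802.1X authentication (constructed example values) ---
radius-server host 192.0.2.10 key CHANGE-ME-shared-secret
aaa authentication port-access eap-radius

; --- Port-Based method on ports 1-4 ---
; No client limit: the first authenticated client opens the port for
; every other client behind it without further authentication.
aaa port-access authenticator 1-4

; --- User-Based method on ports 5-8 ---
; A client limit switches the port to User-Based control; each client
; (up to 32 per port) must authenticate individually.
aaa port-access authenticator 5-8 client-limit 32

; --- Unauthorized-Client VLAN (Open VLAN mode) on ports 5-8 ---
; Clients that fail or cannot start 802.1X land in isolated VLAN 99,
; where supplicant software can be made available to them.
vlan 99 name "unauth-clients"
aaa port-access authenticator 5-8 unauth-vid 99

; --- Activate the authenticator on the configured ports ---
aaa port-access authenticator active

; --- Supplicant credentials for an uplink to another 802.1X switch ---
; Port 24 connects to another 802.1X-aware switch; the credentials are
; set with password port-access (not the management operator password).
password port-access user-name switch-uplink
aaa port-access supplicant 24

; Store the configured credentials in the saved configuration.
include-credentials
write memory

; --- Verify: session counters and per-port authenticator state ---
show port-access authenticator
```

Because a port VLAN-ID change made on an 802.1X-aware port does not take effect until the current authenticated session ends, a practitioner checking the effect of the unauth-vid or client-limit settings should expect show port-access authenticator to reflect the change only after existing sessions on that port have terminated.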