Access Security Guide K/KA/KB.15.15
NOTE: Any port VLAN-ID changes made on 802.1X-aware ports during an 802.1X-authenticated
session do not take effect until the session ends.
With GVRP enabled, a temporary, untagged static VLAN assignment created on a port by 802.1X
authentication is advertised as an existing VLAN. If this temporary VLAN assignment causes the
switch to disable a configured (untagged) static VLAN assignment on the port, then the disabled
VLAN assignment is not advertised. When the 802.1X session ends, the switch:
• Eliminates and ceases to advertise the temporary VLAN assignment.
• Re-activates and resumes advertising the temporarily disabled VLAN assignment.
About 802.1X
General features
802.1X on the HP switches includes the following:
• Switch operation as both an authenticator (for supplicants having a point-to-point connection
to the switch) and as a supplicant for point-to-point connections to other 802.1X-aware switches.
• Authentication of 802.1X access using a RADIUS server and either the EAP or CHAP
protocol.
• Provision for enabling clients that do not have 802.1X supplicant software to use the switch
as a path for downloading the software and initiating the authentication process (802.1X
Open VLAN mode).
• User-Based access control option with support for up to 32 authenticated clients per port.
• Port-Based access control option allowing authentication by a single client to open the
port. This option does not enforce a client limit: once one client has authenticated, any
other device sharing the port (for example, behind a hub or an unmanaged switch) has
unlimited access without authenticating.
• Supplicant implementation using CHAP authentication and independent user credentials
on each port.
• The local operator password configured with the password command for management access
to the switch is no longer accepted as an 802.1X authenticator credential. The password
port-access command configures the local operator username and password used as
802.1X authentication credentials for access to the switch. The values configured can be
stored in a configuration file using the include-credentials command.
• On-demand change of a port's configured VLAN membership status to support the current
client session.
• Session accounting with a RADIUS server, including the accounting update interval.
• Use of Show commands to display session counters.
• Support for concurrent use of 802.1X and either Web authentication or MAC authentication
on the same port.
• For unauthenticated clients that do not have the necessary 802.1X supplicant software (or
that cannot authenticate for other reasons), there is the option to configure an
Unauthorized-Client VLAN. This mode assigns unauthenticated clients to an isolated VLAN
through which you can provide the necessary supplicant software and/or other services
you want to extend to these clients.
User authentication methods
The switch offers two methods for using 802.1X access control. Generally, the "Port Based" method
supports one 802.1X-authenticated client on a port, which opens the port to an unlimited number
of clients. The "User-Based" method supports up to 32 802.1X-authenticated clients on a port. In
both cases, there are operating details to be aware of that can influence your choice of methods.
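The following switch configuration is an added example, not taken from this guide, showing the Port-Based and User-Based options from the feature list above side by side, together with the RADIUS, Unauthorized-Client VLAN, accounting and local port-access credential settings the list mentions. The RADIUS address, shared secret, port ranges, VLAN IDs and user name are assumed values; lines beginning with `;` are comments in the style of a saved configuration file and are not typed at the CLI.

```text
; Added example, not from the guide. Assumed values: RADIUS server 10.1.1.5,
; authorized VLAN 10, Unauthorized-Client VLAN 99, ports 1-24, user switchadmin.

; RADIUS server used by the authenticator, and EAP over RADIUS as the
; 802.1X authentication method (chap-radius is the alternative).
radius-server host 10.1.1.5 key RadiusSharedSecret
aaa authentication port-access eap-radius

; Port-Based mode on ports 1-12: no client-limit is set, so the first client
; that authenticates opens the port to every other device attached to it.
aaa port-access authenticator 1-12
aaa port-access authenticator 1-12 auth-vid 10
aaa port-access authenticator 1-12 unauth-vid 99

; User-Based mode on ports 13-24: client-limit makes each client (up to 32)
; authenticate individually instead of riding on the first session.
aaa port-access authenticator 13-24
aaa port-access authenticator 13-24 client-limit 32
aaa port-access authenticator 13-24 auth-vid 10
aaa port-access authenticator 13-24 unauth-vid 99

; Session accounting to the RADIUS server, with an accounting update interval
; of 10 minutes.
aaa accounting network start-stop radius
aaa accounting update periodic 10

; Turn the authenticator on for the configured ports.
aaa port-access authenticator active

; Local user name and password used as 802.1X authentication credentials for
; access to the switch (the password is prompted for), kept in the saved
; configuration by include-credentials.
password port-access user-name switchadmin
include-credentials

; Check per-port mode (client limit), authenticator state and session counters.
show port-access authenticator
show port-access authenticator clients
```

The only difference between the two port ranges is the `client-limit` line: leave it out and the port is Port-Based, add it and the port is User-Based. Clients that fail or never start authentication on either range land in VLAN 99 (the Unauthorized-Client VLAN) rather than on the wired network.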