Access Security Guide K/KA/KB.15.15

Accounting
The switches covered in this guide also provide RADIUS Network accounting for 802.1X access.
See “RADIUS Authentication, Authorization, and Accounting” (page 141).
General 802.1X authenticator operation
This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode; see “802.1X Open VLAN mode” (page 342).
Example 13 Example of the authentication process
Suppose you have configured a port on the switch for 802.1X authentication operation, which blocks access to the LAN through that port. If you then connect an 802.1X-aware client (supplicant) to the port and attempt to log on:
1. The switch responds with an identity request.
2. The client responds with a user name that uniquely defines this request for the client.
3. The switch responds in one of the following ways:
   - If 802.1X on the switch is configured for RADIUS authentication, the switch then forwards the request to a RADIUS server.
     1. The server responds with an access challenge, which the switch forwards to the client.
     2. The client then provides identifying credentials (such as a user certificate), which the switch forwards to the RADIUS server.
     3. The RADIUS server then checks the credentials provided by the client.
     4. If the client is successfully authenticated and authorized to connect to the network, then the server notifies the switch to allow access to the client. Otherwise, access is denied and the port remains blocked.
   - If 802.1X on the switch is configured for local authentication, then:
     1. The switch compares the client's credentials to the username and password configured in the switch (Operator level).
     2. If the client is successfully authenticated and authorized to connect to the network, then the switch allows access to the client. Otherwise, access is denied and the port remains blocked for that client.

NOTE: HP switches use either 802.1X port-based authentication or 802.1X user-based authentication. For more information, see “User authentication methods” (page 337).
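The following Python model walks through the exchange in Example 13 from the switch's point of view, in both RADIUS and local mode, and also applies the untagged-VLAN priority order described under "VLAN membership priority" (RADIUS-assigned VLAN first, then the port's Authorized-Client VLAN). It is an added illustration, not code from the guide or from HP's switch software: the message names, the challenge/response computation (a keyed hash, not a real EAP method), the `RadiusServer` stub with its per-user VLAN entry, and all usernames, secrets and VLAN numbers are constructed for the example. The point it demonstrates is that the port starts blocked and only transitions to authorized on a positive verdict; every failure path leaves it blocked.

```python
"""Constructed model of the 802.1X authenticator flow in Example 13."""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Supplicant:
    """An 802.1X-aware client holding a user name and a secret (constructed)."""
    username: str
    secret: str

    def on_identity_request(self) -> str:
        # Step 2: answer the switch's identity request with a user name.
        return self.username

    def on_challenge(self, challenge: str) -> str:
        # Step 3.2: answer the access challenge with identifying credentials.
        # Constructed: a keyed hash over the challenge stands in for a real EAP method.
        return hmac.new(self.secret.encode(), challenge.encode(), "sha256").hexdigest()


class RadiusServer:
    """Constructed stand-in for a RADIUS server: users -> (secret, assigned VLAN or None)."""

    def __init__(self, users: dict[str, tuple[str, Optional[int]]]):
        self.users = users
        self.challenge = "constructed-challenge-0001"

    def access_request(self, username: str) -> str:
        # Step 3.1: respond to the forwarded identity with an access challenge.
        return self.challenge

    def verify(self, username: str, response: str) -> tuple[bool, Optional[int]]:
        # Steps 3.3 and 3.4: check the credentials; unknown users take the same code path.
        secret, vlan = self.users.get(username, ("", None))
        expected = hmac.new(secret.encode(), self.challenge.encode(), "sha256").hexdigest()
        ok = username in self.users and hmac.compare_digest(expected, response)
        return ok, (vlan if ok else None)


@dataclass
class Port:
    """A switch port configured for 802.1X: blocked until authentication succeeds."""
    tagged_vlans: set[int] = field(default_factory=set)
    authorized_client_vlan: Optional[int] = None  # from the port's 802.1X configuration
    state: str = "blocked"
    untagged_vlan: Optional[int] = None


class Authenticator:
    """Switch-side 802.1X logic for one port, in 'radius' or 'local' mode."""

    def __init__(self, mode: str, radius: Optional[RadiusServer] = None,
                 local_operator: Optional[tuple[str, str]] = None):
        assert mode in ("radius", "local")
        self.mode = mode
        self.radius = radius
        self.local_operator = local_operator  # Operator-level (username, password) on the switch

    def authenticate(self, port: Port, client: Supplicant) -> Port:
        username = client.on_identity_request()          # steps 1 and 2
        if self.mode == "radius":
            challenge = self.radius.access_request(username)   # forwarded to RADIUS
            response = client.on_challenge(challenge)          # challenge forwarded, answered
            ok, vlan = self.radius.verify(username, response)  # server checks credentials
        else:
            # Local mode: compare against the Operator-level username/password on the switch.
            op_user, op_pass = self.local_operator
            ok = hmac.compare_digest(username, op_user) and hmac.compare_digest(client.secret, op_pass)
            vlan = None
        if not ok:
            port.state = "blocked"   # access denied; the port stays blocked for this client
            return port
        port.state = "authorized"
        # Tagged VLANs are kept as configured; the untagged VLAN follows the priority order:
        # 1st a RADIUS-assigned VLAN, 2nd the port's Authorized-Client VLAN (if configured).
        port.untagged_vlan = vlan if vlan is not None else port.authorized_client_vlan
        return port


def run_scenarios() -> dict[str, tuple[str, Optional[int]]]:
    """Run the constructed scenarios; returns name -> (port state, untagged VLAN)."""
    radius = RadiusServer({"alice": ("alice-secret", 20), "bob": ("bob-secret", None)})
    local = Authenticator("local", local_operator=("operator", "op-pass"))
    cases = {
        "radius_ok_vlan_from_server": (Authenticator("radius", radius), Supplicant("alice", "alice-secret")),
        "radius_ok_authorized_client_vlan": (Authenticator("radius", radius), Supplicant("bob", "bob-secret")),
        "radius_bad_secret": (Authenticator("radius", radius), Supplicant("alice", "wrong")),
        "radius_unknown_user": (Authenticator("radius", radius), Supplicant("mallory", "x")),
        "local_ok": (local, Supplicant("operator", "op-pass")),
        "local_bad": (local, Supplicant("operator", "nope")),
    }
    results = {}
    for name, (auth, client) in cases.items():
        port = auth.authenticate(Port({100}, authorized_client_vlan=10), client)
        results[name] = (port.state, port.untagged_vlan)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:34s} -> {outcome}")
```

Running the module prints one line per scenario; only the two successful RADIUS cases and the successful local case reach the authorized state, and the untagged VLAN is 20 (server-assigned) for alice but falls back to the port's Authorized-Client VLAN 10 for bob and for local authentication, which assigns no VLAN.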
VLAN membership priority
Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. The port also becomes an untagged member of one VLAN according to the following order of options:
1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during client authentication.
2. 2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port's 802.1X configuration as an Authorized-Client VLAN, if configured.
Overview 339