Access Security Guide K/KA/KB.15.15

If the only authenticated client on a port loses authentication during a session in 802.1X Open
VLAN mode, the port's VLAN membership reverts to the Unauthorized-Client VLAN. If no
Unauthorized-Client VLAN is configured, the client loses access to the port until it can
reauthenticate. If multiple clients are authenticated on the port and one of them loses access and
attempts to reauthenticate, that client is handled as a new client on the port.
The first client to authenticate on a port configured to support multiple clients will determine
the port's VLAN membership for any subsequent clients that authenticate while an active
session is already in effect.
Port-security
NOTE: If 802.1X port-access is configured on a given port, then port-security learn-mode for
that port must be set to either continuous (the default) or port-access.
In addition to the above, to use port-security on an authenticator port use the per-port
client-limit option to control how many MAC addresses of 802.1X-authenticated devices
the port is allowed to learn.
NOTE: Using client-limit sets 802.1X to user-based operation on the specified ports. When
this limit is reached, no further devices can be authenticated until a currently authenticated device
disconnects and the current delay period or logoff period has expired.
Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices
If 802.1X authentication is disabled on a port or set to authorized (Force Authorize), the port
can allow access to a non-authenticated client. Port-Security operates with 802.1X authentication
only if the selected ports are configured as 802.1X with the control mode in the port-access
authenticator command set to auto (the default setting). For example, if port A10 was at a
non-default 802.1X setting and you wanted to configure it to support the port-security option, use
the following aaa port-access command:
Figure 252 Port-access support for port-security operation
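The settings described above, assembled into one CLI sequence as an added example (this is not Figure 252 and not text from the guide); it assumes port A10 and a client limit of 2, both chosen for illustration:

```text
; Added example, not Figure 252 from the guide. Assumes port A10 and a
; client limit of 2; adjust both for the port under review.

; 1. Make sure the port is an 802.1X authenticator in auto control mode.
;    Port-security cooperates with 802.1X only when control is auto, so
;    this step matters if A10 had been set to authorized (Force Authorize)
;    or had 802.1X disabled.
aaa port-access authenticator A10
aaa port-access authenticator A10 control auto

; 2. Limit how many authenticated MAC addresses the port may learn.
;    Setting client-limit switches the port to user-based 802.1X operation.
aaa port-access authenticator A10 client-limit 2

; 3. Port-security learn-mode on an 802.1X port must be continuous (the
;    default) or port-access; port-access admits only 802.1X-authenticated
;    devices.
port-security A10 learn-mode port-access

; 4. Activate 802.1X authentication on the switch if it is not already active.
aaa port-access authenticator active

; Checks: confirm control mode, client limit and learn-mode before trusting
; the port to exclude non-authenticated clients.
show port-access authenticator A10
show port-security A10
```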
Note on supplicant statistics
For each port configured as a supplicant, show port-access supplicant statistics [<port-list>]
displays the source MAC address and statistics for transactions with the authenticator device most
recently detected on the port. If the link between the supplicant port and the authenticator device
fails, the supplicant port continues to show data received from the connection to the most recent
authenticator device until one of the following occurs:
• The supplicant port detects a different authenticator device.
• You use the aaa port-access supplicant <port-list> clear-statistics command to clear the
statistics for the supplicant port.
• The switch reboots.
350 IPv4 Access Control Lists (ACLs)