Access Security Guide K/KA/KB.15.15

configured on the port, provided the client is configured to use the available, tagged VLAN
memberships.
If the first client authenticates and opens the port, and then one or more other clients connect
without trying to authenticate, then the port configuration as determined by the original RADIUS
response remains unchanged and all such clients will have the same access as the authenticated
client. When the authenticated client closes the session, the port will also be closed to any
other, unauthenticated clients that may have also been using the port.
This operation unblocks the port while an authenticated client session is in progress. In topologies
where simultaneous, multiple-client access is possible, this can allow unauthorized and
unauthenticated access by another client while an authenticated client is using the port. If you want
to allow only authenticated clients on the port, then user-based access control (page 13-3) should
be used instead of port-based access control. Using the user-based method enables you to specify
up to 32 authenticated clients.
NOTE: Port-Based 802.1X can operate concurrently with Web-Authentication or
MAC-Authentication on the same port. However, this is not a commonly used application and is
not generally recommended. For more information, see “Operating Notes” (page 495).
Alternative To Using a RADIUS Server
Note that you can also configure 802.1X for authentication through the switch’s local username
and password instead of a RADIUS server, but doing so increases the administrative burden,
decentralizes user credential administration, and reduces security by limiting authentication to one
Operator password set for all users.
Accounting
The switches covered in this guide also provide RADIUS Network accounting for 802.1X access.
See “Radius-administered CoS and rate-limiting” (page 194).
General Setup Procedure for 802.1X Access Control
Do These Steps Before You Configure 802.1X Operation
1. Configure a local username and password on the switch for both the Operator (login) and
Manager (enable) access levels. (While this may or may not be required for your 802.1X
configuration, HP recommends that you use a local username and password pair at least until
your other security measures are in place.)
2. Enable include-credentials. The port-access option is available only if include-credentials is
enabled. See “Security settings that can be saved” (page 46).
For switches covered in this guide, the local operator password configured with the password
command is not accepted as an 802.1X authenticator credential. The port-access command
is used to configure the operator username and password that are used as 802.1X credentials
for network access to the switch. 802.1X network access is not allowed unless a password
has been configured using the password port-access command.
Syntax
password port-access [user-name <name>] <password>
Configures the operator username and password used to access the network through
802.1X authentication.
user-name <name>
Operator username (text string) used only for local authentication of 802.1X
clients. This value is different from the local operator username configured with
the password command for management access.
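The two setup steps above, followed by the port-based versus user-based choice discussed earlier, shown as an added switch CLI session that is not taken from the guide. The port names A1 and A2, the sample usernames, the placeholder passwords, and the aaa authentication port-access local and aaa port-access authenticator ... client-limit commands are assumptions drawn from the switch's aaa port-access command family; check them against your firmware's CLI reference.

```text
! Constructed example (assumed ports A1/A2, placeholder passwords in <...>)
switch# configure
! Step 1: local Operator (login) and Manager (enable) credentials for management access.
! These are NOT accepted as 802.1X authenticator credentials.
switch(config)# password operator user-name opadmin <operator-password>
switch(config)# password manager user-name mgradmin <manager-password>
! Step 2: include-credentials must be enabled before the port-access option is accepted.
switch(config)# include-credentials
! Separate credential pair that 802.1X clients present for local (non-RADIUS) authentication.
! No 802.1X network access is allowed until this is set.
switch(config)# password port-access user-name dot1xuser <port-access-password>
! Use the local credentials instead of a RADIUS server (single shared password for all users).
switch(config)# aaa authentication port-access local
! Port-based mode on A1: once one client authenticates, any other client on the port
! shares that access until the authenticated session closes.
switch(config)# aaa port-access authenticator A1
! User-based mode on A2: each client must authenticate individually; client-limit 1-32.
switch(config)# aaa port-access authenticator A2 client-limit 4
switch(config)# aaa port-access authenticator active
! Verify which ports are authenticating and in which mode.
switch(config)# show port-access authenticator
```

Prefer the user-based form on any port that a hub, unmanaged switch, or other shared medium can reach, since the port-based form leaves the port open to unauthenticated clients for the life of the first authenticated session.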
456 Port-Based and User-Based Access Control (802.1X)