Access Security Guide K/KA/KB.15.15

authenticate clients, you can provide port-level security protection from unauthorized network access
for the following authentication methods:
802.1X: Port-based or client-based access control that opens a port for client access after authenticating valid user credentials.
MAC address: Authenticates a device's MAC address to grant access to the network.
WebAgent: Authenticates clients for network access using a web page for user login.
NOTE: You can use 802.1X (port-based or client-based) authentication and either Web or MAC
authentication at the same time on a port, with a maximum of 32 clients allowed on the port. (The
default is one client.) Web authentication and MAC authentication are mutually exclusive on the
same port. Also, you must disable LACP on ports configured for any of these authentication methods.
For more information, see “Web and MAC Authentication” on page 4-1 in this guide.
VLAN Assignment on a Port
Following client authentication, VLAN configurations on a port are managed as follows when you
use 802.1X, MAC, or Web authentication:
The port resumes membership in any tagged VLANs to which it is already assigned in the
switch configuration. Tagged VLAN membership allows a port to be a member of multiple
VLANs simultaneously.
The port is temporarily assigned as a member of an untagged (static or dynamic) VLAN for
use during the client session according to the following order of options.
1. The port joins the VLAN to which it has been assigned by a RADIUS server during client
authentication.
2. If RADIUS authentication does not include assigning the port to a VLAN, then the switch
assigns the port to the authorized-client VLAN configured for the authentication method.
3. If the port does not have an authorized-client VLAN configured, but is configured for
membership in an untagged VLAN, the switch assigns the port to this untagged VLAN.
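The following is an added illustration, not text or code from this guide and not switch firmware: a small Python model of the untagged-VLAN precedence described above (RADIUS-assigned VLAN, then the authorized-client VLAN, then the port's static untagged VLAN), together with a check of the per-port constraints stated in the NOTE (Web and MAC authentication are mutually exclusive, LACP must be disabled, at most 32 clients). The RADIUS attribute numbers and values (Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = IEEE-802 6, Tunnel-Private-Group-ID 81) are the real ones from RFC 2868 and RFC 3580; the class and function names, the constructed Access-Accept bytes and the port configuration for A2 are assumptions made for this example only.

```python
"""Added example: model of the guide's untagged-VLAN precedence and port-auth
constraints. Not the switch's own code; names and sample data are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# RADIUS attribute numbers and values from RFC 2868 / RFC 3580 (real constants).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
MAX_CLIENTS_PER_PORT = 32  # limit stated in the guide's NOTE


def _strip_tag(value: bytes) -> bytes:
    """RFC 2868: a leading octet in 0x00..0x1F is a tunnel tag, not data."""
    if value and value[0] <= 0x1F:
        return value[1:]
    return value


def radius_assigned_vlan(attrs: Dict[int, bytes]) -> Optional[int]:
    """VLAN id assigned by an Access-Accept, or None if it assigns none.

    All three tunnel attributes must be present and consistent (Tunnel-Type
    VLAN over medium IEEE-802); anything else is treated as 'no assignment'.
    """
    try:
        ttype = int.from_bytes(_strip_tag(attrs[TUNNEL_TYPE]), "big")
        medium = int.from_bytes(_strip_tag(attrs[TUNNEL_MEDIUM_TYPE]), "big")
        group = _strip_tag(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii")
    except (KeyError, UnicodeDecodeError):
        return None
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    return int(group) if group.isdigit() else None


@dataclass
class PortAuthConfig:                    # assumed name, not a switch API
    name: str
    dot1x: bool = False
    mac_auth: bool = False
    web_auth: bool = False
    lacp: bool = False
    client_limit: int = 1                # guide: the default is one client
    tagged_vlans: Set[int] = field(default_factory=set)
    untagged_vlan: Optional[int] = None  # static untagged membership
    authorized_vlan: Optional[int] = None  # authorized-client VLAN for the method


def validate_port_auth(cfg: PortAuthConfig) -> List[str]:
    """Return the constraints from the guide's NOTE that this port violates."""
    problems = []
    if cfg.mac_auth and cfg.web_auth:
        problems.append("Web and MAC authentication are mutually exclusive on a port")
    if (cfg.dot1x or cfg.mac_auth or cfg.web_auth) and cfg.lacp:
        problems.append("LACP must be disabled on a port using authentication")
    if not 1 <= cfg.client_limit <= MAX_CLIENTS_PER_PORT:
        problems.append(f"client limit must be between 1 and {MAX_CLIENTS_PER_PORT}")
    return problems


def resolve_untagged_vlan(cfg: PortAuthConfig,
                          accept_attrs: Dict[int, bytes]) -> Optional[int]:
    """Untagged VLAN used for the session, in the guide's order:
    1. VLAN assigned by RADIUS, 2. authorized-client VLAN, 3. static untagged VLAN.
    Tagged memberships are untouched by authentication and play no part here.
    """
    vid = radius_assigned_vlan(accept_attrs)
    if vid is not None:
        return vid
    if cfg.authorized_vlan is not None:
        return cfg.authorized_vlan
    return cfg.untagged_vlan


# Constructed Access-Accept for the guide's scenario: RADIUS assigns VLAN 22 to
# an 802.1X client on port A2, which is statically untagged in VLAN 33.
ACCEPT_VLAN_22 = {
    TUNNEL_TYPE: b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"),
    TUNNEL_MEDIUM_TYPE: b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"),
    TUNNEL_PRIVATE_GROUP_ID: b"\x00" + b"22",
}
PORT_A2 = PortAuthConfig(name="A2", dot1x=True, untagged_vlan=33, tagged_vlans={10})

if __name__ == "__main__":
    print(validate_port_auth(PORT_A2))                      # [] : configuration is valid
    print(resolve_untagged_vlan(PORT_A2, ACCEPT_VLAN_22))   # 22 for the session
    print(resolve_untagged_vlan(PORT_A2, {}))               # 33 when RADIUS assigns none
```

Because a RADIUS-assigned VLAN takes precedence over anything configured statically on the port, the RADIUS server and the shared secret protecting its replies decide which VLAN an authenticated client lands in; an Access-Accept with malformed or inconsistent tunnel attributes falls through to the locally configured VLANs rather than to an arbitrary one.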
Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session
The following example shows how an untagged static VLAN is temporarily assigned to a port for
use during an 802.1X authentication session. In the example, an 802.1X-aware client on port A2
has been authenticated by a RADIUS server for access to VLAN 22. However, port A2 is not
configured as a member of VLAN 22 but as a member of untagged VLAN 33 as shown in
Figure 342 (page 476).
For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires
access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is
configured as untagged on port A2:
Configuring Port-Based Access 475