Access Security Guide K/KA/KB.15.15

3. The switch responds in one of the following ways:
a. If 802.1X on the switch is configured for RADIUS authentication, the switch then forwards
the request to a RADIUS server.
i. The server responds with an access challenge which the switch forwards to the client.
ii. The client then provides identifying credentials (such as a user certificate), which the
switch forwards to the RADIUS server.
iii. The RADIUS server then checks the credentials provided by the client.
iv. If the client is successfully authenticated and authorized to connect to the network, then the
server notifies the switch to allow access to the client. Otherwise, access is denied and the
port remains blocked.
b. If 802.1X on the switch is configured for local authentication, then
i. The switch compares the client’s credentials to the username and password configured
in the switch (Operator level).
ii. If the client is successfully authenticated and authorized to connect to the network,
then the switch allows access to the client. Otherwise, access is denied and the port
remains blocked for that client.
NOTE: The switches covered in this guide can use either 802.1X port-based authentication
or 802.1X user-based authentication. See “User Authentication Methods” (page 455).
VLAN Membership Priorities
Following client authentication, an 802.1X port resumes membership in any tagged VLANs for
which it is already assigned in the switch configuration. The port also becomes an untagged
member of one VLAN according to the following order of options:
1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during
client authentication.
2. 2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the
switch assigns the port to the VLAN entered in the port’s 802.1X configuration as an
Authorized-Client VLAN, if configured.
3. 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have
a static, untagged VLAN membership in its configuration, then the switch assigns the port to
this VLAN.
A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will
be an untagged member of the VLAN for the duration of the authenticated session. This applies
even if the port is also configured in the switch as a tagged member of the same VLAN.
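The step-3 decision flow (RADIUS versus local authentication) and the VLAN priority list above, modelled in Python as an added example; this is not the guide's text or the switch firmware's own code. The function and field names, the dict-based RADIUS reply, the sample port configuration and the credential values are constructed for illustration. The only standard values are the RFC 3580 attribute numbers 64, 65 and 81 with Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE 802), which is how a RADIUS server carries a VLAN assignment in an Access-Accept.

```python
"""Added model of the 802.1X decisions this guide describes: the switch
authenticates via RADIUS or its local Operator credentials, then (on
success) picks the port's untagged VLAN in the documented priority order.
Function names, data shapes and sample values are constructed for this
example; only the RFC 3580 attribute numbers are standard values."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# RFC 3580 attributes that carry a VLAN assignment in an Access-Accept
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


@dataclass
class PortConfig:
    """Relevant slice of a port's switch configuration (constructed)."""
    static_untagged: Optional[int] = None     # static untagged VLAN, if any
    tagged: set = field(default_factory=set)  # static tagged memberships
    auth_vid: Optional[int] = None            # Authorized-Client VLAN, if set


def _strip_tag(value: bytes) -> bytes:
    """RFC 2868 tunnel attributes may start with a tag byte (0x00-0x1F)."""
    return value[1:] if value and value[0] <= 0x1F else value


def radius_vlan(attrs: dict) -> Optional[int]:
    """Return the VLAN ID carried by the RFC 3580 attribute triple, or None
    if the triple is absent, malformed, or not an IEEE 802 VLAN assignment."""
    raw = [attrs.get(k) for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)]
    if any(v is None for v in raw):
        return None
    ttype, medium, group = (_strip_tag(v) for v in raw)
    if int.from_bytes(ttype, "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(medium, "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    try:
        vid = int(group.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    return vid if 1 <= vid <= 4094 else None


def resolve_untagged_vlan(cfg: PortConfig, radius_assigned: Optional[int]):
    """Priority order from the guide: RADIUS > Authorized-Client VLAN > static."""
    if radius_assigned is not None:
        return radius_assigned, "radius"
    if cfg.auth_vid is not None:
        return cfg.auth_vid, "auth-vid"
    if cfg.static_untagged is not None:
        return cfg.static_untagged, "static"
    return None, "none"


def session_membership(cfg: PortConfig, accept_attrs: dict) -> dict:
    """Membership for the authenticated session: tagged VLANs resume, and the
    chosen VLAN is untagged even if the config also lists it as tagged."""
    vid, source = resolve_untagged_vlan(cfg, radius_vlan(accept_attrs))
    return {"untagged": vid, "tagged": cfg.tagged - {vid}, "source": source}


def authorize_port(cfg: PortConfig, method: str, credentials=None,
                   radius_reply: Optional[dict] = None, operator=None) -> dict:
    """Outcome of step 3: 'blocked', or 'authorized' plus VLAN membership.
    method is 'radius' (uses radius_reply) or 'local' (uses operator creds)."""
    if method == "radius":
        if not radius_reply or radius_reply.get("code") != "Access-Accept":
            return {"state": "blocked"}
        return {"state": "authorized",
                **session_membership(cfg, radius_reply.get("attrs", {}))}
    if method == "local":
        user, pwd = credentials
        op_user, op_pwd = operator
        # constant-time comparison against the switch's Operator credentials
        ok = (hmac.compare_digest(user.encode(), op_user.encode())
              and hmac.compare_digest(pwd.encode(), op_pwd.encode()))
        if not ok:
            return {"state": "blocked"}
        return {"state": "authorized", **session_membership(cfg, {})}
    raise ValueError(f"unknown method {method!r}")


# Constructed sample: port with static untagged VLAN 1, tagged 10 and 20,
# and Authorized-Client VLAN 30; a RADIUS Access-Accept assigning VLAN 20.
SAMPLE_PORT = PortConfig(static_untagged=1, tagged={10, 20}, auth_vid=30)
SAMPLE_ACCEPT = {"code": "Access-Accept", "attrs": {
    TUNNEL_TYPE: b"\x00\x00\x00\x0d",         # tag 0, Tunnel-Type = VLAN (13)
    TUNNEL_MEDIUM_TYPE: b"\x00\x00\x00\x06",  # tag 0, Medium = IEEE 802 (6)
    TUNNEL_PRIVATE_GROUP_ID: b"20",           # VLAN ID as a string, no tag
}}

if __name__ == "__main__":
    print(authorize_port(SAMPLE_PORT, "radius", radius_reply=SAMPLE_ACCEPT))
    print(authorize_port(SAMPLE_PORT, "radius", radius_reply={"code": "Access-Reject"}))
    print(authorize_port(SAMPLE_PORT, "local", ("operator", "pw"), operator=("operator", "pw")))
```

Two points the model makes explicit that the prose only implies: a VLAN the port's configuration lists as tagged (20 in the sample) is carried as untagged for the session when RADIUS assigns it, so it drops out of the tagged set; and an Access-Accept whose tunnel attributes are missing, malformed, or describe something other than an IEEE 802 VLAN is still an accept, so the port falls through to the Authorized-Client VLAN (or the static untagged VLAN) rather than being blocked.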
Configuring Port-Based Access 481