Access Security Guide K/KA/KB.15.15

NOTE:
1. If a port is assigned as a member of an untagged dynamic VLAN, the dynamic
VLAN configuration must exist at the time of authentication and GVRP for
port-access authentication must be enabled on the switch. If the dynamic VLAN
does not exist or if you have not enabled the use of a dynamic VLAN for
authentication sessions on the switch, the authentication fails.
2. After you enable dynamic VLAN assignment in an authentication session, it is
recommended that you use the interface unknown-vlans command on a per-port
basis to prevent denial-of-service attacks. The interface unknown-vlans command
allows you to:
• Disable the port from sending advertisements of existing GVRP-created
VLANs on the switch.
• Drop all GVRP advertisements received on the port. See “GVRP” in the
Advanced Traffic Management Guide.
3. If you disable the use of dynamic VLANs in an authentication session using the
no aaa port-access gvrp-vlans command, client sessions that were authenticated
with a dynamic VLAN continue and are not deauthenticated. (This behavior
differs from how static VLAN assignment is handled in an authentication session.
If you remove the configuration of the static VLAN used to create a temporary
client session, the 802.1X, MAC, or Web authenticated client is
deauthenticated.) However, if a RADIUS-configured dynamic VLAN used for
an authentication session is deleted from the switch through normal GVRP
operation (for example, if no GVRP advertisements for the VLAN are received
on any switch port), authenticated clients using this VLAN are deauthenticated.
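Note 2 recommends disabling GVRP learning and advertisement (interface unknown-vlans) on every port that uses dynamic VLAN assignment, and note 3 ties that to whether aaa port-access gvrp-vlans is configured. The following audit script is an added example, not part of this guide or of the switch software: it reads a constructed running-config excerpt and reports authenticator ports that still learn or advertise GVRP VLANs while dynamic VLAN assignment is enabled. The exact layout of the running-config text (interface blocks closed by exit, numeric port lists such as 1-3) is an assumption; the command names are the ones the guide discusses.

```python
import re

# Constructed sample running-config excerpt (assumed layout, not captured
# from a real switch). Port 1 has the recommended hardening, port 2 is
# explicitly set back to the default "learn", port 3 has no setting at all.
SAMPLE_CONFIG = """\
gvrp
interface 1
   unknown-vlans disable
   exit
interface 2
   unknown-vlans learn
   exit
aaa port-access authenticator 1-3
aaa port-access authenticator active
aaa port-access gvrp-vlans
"""

def expand_ports(spec):
    """Expand a port list such as '1-3,7' into ['1', '2', '3', '7'].
    Only plain numeric ports are handled; module-letter ports (A1) are not."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if re.fullmatch(r"\d+-\d+", part):
            lo, hi = part.split("-", 1)
            ports.extend(str(n) for n in range(int(lo), int(hi) + 1))
        elif part:
            ports.append(part)
    return ports

def parse_config(text):
    """Return (gvrp_vlans_enabled, authenticator_ports, unknown_vlans_mode_by_port)."""
    gvrp_vlans = False
    auth_ports = []
    modes = {}
    current = None          # port of the interface block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line == "aaa port-access gvrp-vlans":
            gvrp_vlans = True
        elif line.startswith("aaa port-access authenticator "):
            # first token after the command is either "active" or a port list
            arg = line.split()[3]
            if arg != "active":
                auth_ports.extend(expand_ports(arg))
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "exit":
            current = None
        elif current and line.startswith("unknown-vlans "):
            modes[current] = line.split(None, 1)[1].lower()
    return gvrp_vlans, auth_ports, modes

def audit(text):
    """Authenticator ports that still learn/advertise GVRP VLANs while dynamic
    VLAN assignment is in use, i.e. ports missing the 'unknown-vlans disable'
    hardening the guide recommends. Unconfigured ports default to 'learn'."""
    gvrp_vlans, auth_ports, modes = parse_config(text)
    if not gvrp_vlans:
        return []   # dynamic VLANs are not used for auth sessions: nothing to flag
    return [p for p in auth_ports if modes.get(p, "learn") != "disable"]

if __name__ == "__main__":
    for port in audit(SAMPLE_CONFIG):
        print(f"port {port}: 802.1X authenticator with dynamic VLANs but GVRP not disabled")
```

Feed the script the output of show running-config; every port it prints is a candidate for interface <port> unknown-vlans disable. If dynamic VLAN assignment is later turned off with no aaa port-access gvrp-vlans, the audit returns nothing, which matches note 3: existing sessions keep running, so the per-port hardening matters while gvrp-vlans is enabled.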
Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1X-authenticated
session do not take effect until the session ends. With GVRP enabled, a temporary, untagged static
VLAN assignment created on a port by 802.1X authentication is advertised as an existing VLAN.
If this temporary VLAN assignment causes the switch to disable a configured (untagged) static
VLAN assignment on the port, then the disabled VLAN assignment is not advertised. When the
802.1X session ends, the switch:
• Eliminates and ceases to advertise the temporary VLAN assignment.
• Re-activates and resumes advertising the temporarily disabled VLAN assignment.
Overview
General Features
802.1X on the switches covered in this guide includes the following:
• Switch operation as both an authenticator (for supplicants having a point-to-point connection
to the switch) and as a supplicant for point-to-point connections to other 802.1X-aware switches.
• Authentication of 802.1X access using a RADIUS server and either the EAP or CHAP
protocol.
• Provision for enabling clients that do not have 802.1X supplicant software to use the switch
as a path for downloading the software and initiating the authentication process (802.1X
Open VLAN mode).
• User-based access control option with support for up to 32 authenticated clients per port.
Overview 485