Access Security Guide K/KA/KB.15.15

• Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication.
• Supplicant implementation using CHAP authentication and independent user credentials on each port.
• The local operator password configured with the password command for management access to the switch is no longer accepted as an 802.1X authenticator credential. The password port-access command configures the local operator username and password used as 802.1X authentication credentials for access to the switch. The values configured can be stored in a configuration file using the include-credentials command. For information about the password port-access command, see “General Setup Procedure for 802.1X Access Control” (page 456).
• On-demand change of a port’s configured VLAN membership status to support the current client session.
• Session accounting with a RADIUS server, including the accounting update interval.
• Use of show commands to display session counters.
• Support for concurrent use of 802.1X and either Web authentication or MAC authentication on the same port.
• For unauthenticated clients that do not have the necessary 802.1X supplicant software (or for other reasons related to unauthenticated clients), there is the option to configure an Unauthorized-Client VLAN. This mode allows you to assign unauthenticated clients to an isolated VLAN through which you can provide the necessary supplicant software and/or other services you want to extend to these clients.
Introduction
This section describes how to use the 802.1X Open VLAN mode to provide a path for clients that
need to acquire 802.1X supplicant software before proceeding with the authentication process.
The Open VLAN mode involves options for configuring unauthorized-client and authorized-client
VLANs on ports configured as 802.1X authenticators.
Configuring the 802.1X Open VLAN mode on a port changes how the port responds when it
detects a new client. In earlier releases, a “friendly” client computer not running 802.1X supplicant
software could not be authenticated on a port protected by 802.1X access security. As a result,
the port would become blocked and the client could not access the network. This prevented the
client from:
• Acquiring IP addressing from a DHCP server
• Downloading the 802.1X supplicant software necessary for an authentication session
The 802.1X Open VLAN mode solves this problem by temporarily suspending the port’s static
VLAN memberships and placing the port in a designated Unauthorized-Client VLAN (sometimes
termed a guest VLAN). In this state the client can proceed with initialization services, such as
acquiring IP addressing and 802.1X client software, and starting the authentication process.
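The following is an added configuration example, not taken from this guide, showing how the Open VLAN mode described above (and the password port-access credentials mentioned in the feature list) fit together on a switch CLI. Port A1, VLAN IDs 10 and 99, the RADIUS server address 192.0.2.10 and all names and secrets are assumptions chosen for illustration; the Unauthorized-Client VLAN is kept isolated and carries only DHCP and the supplicant download server, so an unauthenticated client gets nothing beyond what it needs to authenticate. Verify the exact syntax against the section referenced on page 456 before use.

```text
; Added example (not from the guide): 802.1X Open VLAN mode on port A1
; VLAN 99 = Unauthorized-Client (guest) VLAN, VLAN 10 = Authorized-Client VLAN (assumed IDs)
vlan 99 name "Guest-Unauth"
vlan 10 name "Staff"

; RADIUS server used for EAP authentication and session accounting (assumed address, placeholder key)
radius-server host 192.0.2.10 key <RADIUS-SHARED-SECRET>
aaa authentication port-access eap-radius
aaa accounting network start-stop radius

; Local operator credentials accepted as 802.1X credentials (assumed username/password)
; These replace the management password for this purpose; store them with include-credentials
password port-access user-name opr <PORT-ACCESS-PASSWORD>
include-credentials

; Make A1 an authenticator and attach the unauthorized- and authorized-client VLANs
aaa port-access authenticator A1
aaa port-access authenticator A1 unauth-vid 99
aaa port-access authenticator A1 auth-vid 10
aaa port-access authenticator active

; Check which VLAN the port is currently in and the authentication state of its client(s)
show port-access authenticator A1
```

While the client sits in VLAN 99 it can obtain an address and download the supplicant; once it authenticates, the port moves to VLAN 10 (or to a RADIUS-assigned VLAN if the server returns one). Because a port opened by one authenticated client admits any other client behind it, the Unauthorized-Client VLAN should never be routed to internal resources, and the show command above is the quick way to confirm a port has not stayed in the guest VLAN longer than expected.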
486 Port-Based and User-Based Access Control (802.1X)