Access Security Guide K/KA/KB.15.15

Operating Notes
Using the aaa port-access controlled-direction in command, you can enable the transmission
of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the
following port-based security features:
802.1X authentication
MAC authentication
Web authentication
Because a port can be configured for more than one type of authentication to protect the
switch from unauthorized access, the last setting you configure with the aaa port-access
controlled-direction command is applied to all authentication methods configured on the switch.
See “Web-based and MAC authentication” (page 72).
To display the currently configured 802.1X Controlled Direction value, enter the show
port-access authenticator config command.
When an 802.1X-authenticated port is configured with the controlled direction in setting,
eavesdrop prevention is not supported on the port.
Example
The following example shows how to enable the transmission of Wake-on-LAN traffic in the egress
direction on an 802.1X-aware port before it transitions to the 802.1X authenticated state and
successfully authenticates a client device.
HP Switch(config)# aaa port-access authenticator a10
HP Switch(config)# aaa authentication port-access eap-radius
HP Switch(config)# aaa port-access authenticator active
HP Switch(config)# aaa port-access a10 controlled-direction in
Unauthenticated VLAN Access (Guest VLAN Access)
When a PC is connected through an IP phone to a switch port that has been authorized using
802.1X or Web/MAC authentication, the IP phone is authenticated using client-based 802.1X or
Web/MAC authentication and has access to secure, tagged VLANs on the port. If the PC is
unauthenticated, it needs to have access to the insecure guest VLAN (unauthenticated VLAN) that
has been configured for 802.1X or Web/MAC authentication. 802.1X and Web/MAC
authentication normally do not allow authenticated clients (the phone) and unauthenticated clients
(the PC) on the same port, unless MAC-based VLANs are enabled (see “MAC-based VLANs”
(page 197)).
Mixed port access mode allows 802.1X and Web/MAC authenticated and unauthenticated clients
on the same port when the guest VLAN is the same as the port’s current untagged authenticated
VLAN for authenticated clients, or when none of the authenticated clients are authorized on the
untagged authenticated VLAN. Instead of having just one client per port, multiple clients can use
the guest VLAN.
Authenticated clients always have precedence over guests (unauthenticated clients) if access to a
client’s untagged VLAN requires removal of a guest VLAN from the port. If an authenticated client
becomes authorized on its untagged VLAN as the result of initial authentication or because of an
untagged packet from the client, then all 802.1X or Web/MAC authenticated guests are removed
from the port and the port becomes an untagged member of the client’s untagged VLAN.
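The precedence rules above (guests may share the port only while the guest VLAN is the port’s untagged authenticated VLAN or no authenticated client holds the untagged VLAN; an authenticated client becoming authorized on a different untagged VLAN evicts every guest) are easier to reason about as a small state model. The following Python is an added illustration, not switch firmware or configuration: the MAC addresses, VLAN IDs and the phone/PC/laptop sequence are constructed values, and the class and method names are the example’s own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Client:
    mac: str
    authenticated: bool          # True: passed 802.1X / Web / MAC auth; False: guest
    vid: Optional[int] = None    # VLAN the client was authorized on (None for guests)
    tagged: bool = False         # authorized on a tagged VLAN (e.g. an IP phone's voice VLAN)


@dataclass
class Port:
    guest_vid: int                                        # configured unauthenticated (guest) VLAN
    untagged_vid: Optional[int] = None                    # VLAN the port is currently untagged in
    tagged_vids: Set[int] = field(default_factory=set)    # tagged assignments are kept continuously
    clients: Dict[str, Client] = field(default_factory=dict)

    def authenticated_on_untagged(self) -> List[Client]:
        return [c for c in self.clients.values()
                if c.authenticated and not c.tagged and c.vid == self.untagged_vid]

    def guests_allowed(self) -> bool:
        # Mixed mode: guests may share the port when the guest VLAN is the port's current
        # untagged authenticated VLAN, or when no authenticated client holds the untagged VLAN.
        return self.untagged_vid in (None, self.guest_vid) or not self.authenticated_on_untagged()

    def remove_guests(self) -> List[str]:
        removed = [mac for mac, c in self.clients.items() if not c.authenticated]
        for mac in removed:
            del self.clients[mac]
        return removed

    def admit(self, client: Client) -> dict:
        """Apply the precedence rules for one arriving client and report the outcome."""
        if client.authenticated and client.tagged:
            # Tagged authorization (the phone) never disturbs the untagged VLAN or the guests.
            self.tagged_vids.add(client.vid)
            self.clients[client.mac] = client
            return {"admitted": True, "removed": []}
        if client.authenticated:
            removed: List[str] = []
            if client.vid != self.guest_vid:
                # Authenticated client takes precedence: guests lose the port's untagged VLAN.
                removed = self.remove_guests()
            self.untagged_vid = client.vid
            self.clients[client.mac] = client
            return {"admitted": True, "removed": removed}
        if not self.guests_allowed():
            return {"admitted": False, "removed": []}
        # Guest admitted: the port is (or becomes) an untagged member of the guest VLAN.
        self.untagged_vid = self.guest_vid
        self.clients[client.mac] = client
        return {"admitted": True, "removed": []}


def phone_and_pc_scenario() -> Tuple[List[dict], Port]:
    """Constructed sequence: phone (tagged voice VLAN 20), guest PC, laptop on VLAN 10, second guest."""
    port = Port(guest_vid=99)
    trace = [
        port.admit(Client("00:11:22:33:44:01", True, vid=20, tagged=True)),  # IP phone
        port.admit(Client("00:11:22:33:44:02", False)),                      # PC behind the phone
        port.admit(Client("00:11:22:33:44:03", True, vid=10)),               # laptop, untagged VLAN 10
        port.admit(Client("00:11:22:33:44:04", False)),                      # late guest: refused
    ]
    return trace, port


if __name__ == "__main__":
    events, final_port = phone_and_pc_scenario()
    for event in events:
        print(event)
    print("untagged VLAN:", final_port.untagged_vid, "tagged VLANs:", sorted(final_port.tagged_vids))
```

Running the scenario shows the two behaviours the text describes: the guest PC is admitted alongside the phone because only a tagged authorization is present, and the laptop’s untagged authorization on VLAN 10 evicts the guest and blocks further guests, while the phone’s tagged VLAN 20 survives throughout.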
Characteristics of Mixed Port Access Mode
The port keeps tagged VLAN assignments continuously.
The port sends broadcast traffic from the VLANs even when there are only guests authorized
on the port.
Overview 495