Manualshelf

R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution
919293949596979899100
86
Authentication status VLAN manipulation
A user in the 802.1X guest VLAN or the Auth-Fail
VLAN fails authentication because all the
RADIUS server are unreachable.
The user remains in the 802.1X VLAN or the Auth-Fail
VLAN.
A user in the MAC authentication guest VLAN
fails 802.1X authentication because all the
802.1X authentication server are unreachable.
The user is removed from the MAC authentication VLAN
and mapped to the 802.1X critical VLAN.
To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you
must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.
The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching
Configuration Guide.
Any of the following RADIUS authentication server changes in the ISP domain for 802.1X users on a port
can cause the users to be removed from the critical VLAN:
An authentication server is reconfigured, added, or removed.
The status of any RADIUS authentication server automatically changes to active or is
administratively set to active.
The RADIUS server probing function detects that a RADIUS authentication server is reachable and
sets its state to active.
You can use the dot1x critical recovery-action reinitialize command to configure the port to trigger
802.1X re-authentication when the port or an 802.1X user on the port is removed from the critical VLAN.
If MAC-based access control is used, the port sends a unicast Identity EAP/Request to the 802.1X
user to trigger authentication.
If port-based access control is used, the port sends a multicast Identity EAP/Request to the 802.1X
users to trigger authentication.
ACL assignment
You can specify an ACL for an 802.1X user to control its access to network resources. After the user
passes 802.1X authentication, the authentication server, either the local access device or a RADIUS
server, assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the
ACL on the access device. You can change ACL rules while the user is online.
Configuration prerequisites
Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
If RADIUS authentication is used, create user accounts on the RADIUS server.
If local authentication is used, create local user accounts on the access device and set the service
type to lan-access.