IPv6 Configuration Guide K/KA/KB.15.15

RADIUS authentication response for that client includes a RADIUS-assigned ACL. Clients
authenticating without receiving a RADIUS-assigned ACL are immediately de-authenticated. For
example, in Figure 5 (page 96), clients A through D authenticate through the same port (B1) on
an HP switch running software release K.14.01 or greater.
Figure 5 Example of Multiple Clients Authenticating Through a Single Port
[Figure labels: Client A, Client B, Client C, Client D, Unmanaged Switch, Port B1, HP Switch Running K.14.01 or Greater, LAN, RADIUS Server]
In this case, the RADIUS server must be configured to assign an ACL to port B1 for any of the
authorized clients authenticating on the port.
802.1X user-based and port-based applications
User-Based 802.1X access control allows up to 32 individually authenticated clients on a given
port. Port-Based access control does not set a client limit and requires only one authenticated client
to open a given port (and is recommended for applications where only one client at a time can
connect to the port).
If you configure 802.1X user-based security on a port and the RADIUS response includes a
RADIUS-assigned ACL for at least one authenticated client, the RADIUS response for all other
clients authenticated on the port must also include a RADIUS-assigned ACL. Inbound IP traffic
on the port from a client that authenticates without receiving a RADIUS-assigned ACL is dropped
and the client de-authenticated.
When you use 802.1X port-based security on a port where the RADIUS response to an
authenticating client includes a RADIUS-assigned ACL, different results can occur, depending on
whether any additional clients attempt to use the port and whether these other clients initiate
an authentication attempt. This option is recommended for applications where only one client
at a time can connect to the port, and not recommended for instances where multiple clients
may access the same port at the same time. For more information, see "802.1X Port-Based
Access Control" in the chapter titled "Configuring Port-Based and User-Based Access Control
(802.1X)" in the latest Access Security Guide for your switch.
Operating notes for IPv6 applications
For RADIUS ACL applications using software release K.14.01 or greater, the switch operates
in a dual-stack mode, and a RADIUS-assigned ACL filters both IPv4 and IPv6 traffic. At a
minimum, a RADIUS-assigned ACL automatically includes the implicit deny for both IPv4 and
IPv6 traffic. Thus, an ACL configured on a RADIUS server to filter IPv4 traffic also denies
inbound IPv6 traffic from an authenticated client unless the ACL includes ACEs that permit the
desired IPv6 traffic. The reverse is true for a dynamic ACL configured on a RADIUS server to
filter IPv6 traffic. (ACLs are based on the MAC address of the authenticating client.) See
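The user-based 802.1X rule and the dual-stack implicit deny described above can be checked before RADIUS profiles are deployed. The following is an added example, not code from the guide or from HP: the ACE tuples, client names and addresses are a constructed, simplified model and do not reproduce the switch's or the RADIUS server's ACL syntax.

```python
import ipaddress

# Constructed, simplified ACE model (assumption, not switch syntax):
# each ACE is (action, destination CIDR), action is "permit" or "deny".

def evaluate(acl, dst):
    """First-match evaluation ending in the implicit deny for IPv4 and IPv6."""
    addr = ipaddress.ip_address(dst)
    for action, net in acl:
        network = ipaddress.ip_network(net)
        if network.version == addr.version and addr in network:
            return action
    return "deny"  # implicit deny covers both address families

def families_permitted(acl):
    """Address families (4, 6) that have at least one permit ACE."""
    return {ipaddress.ip_network(net).version
            for action, net in acl if action == "permit"}

def audit_port(mode, clients):
    """clients maps a client name to its assigned ACL, or None if the
    RADIUS response carried no ACL. Returns (client, finding) pairs."""
    findings = []
    any_acl = any(acl is not None for acl in clients.values())
    for name, acl in clients.items():
        if acl is None:
            # User-based mode: once one client has an ACL, all must have one.
            if mode == "user-based" and any_acl:
                findings.append((name, "no RADIUS-assigned ACL: "
                                       "traffic dropped, client de-authenticated"))
            continue
        for fam in sorted({4, 6} - families_permitted(acl)):
            findings.append((name, f"no permit ACE for IPv{fam}: "
                                   "implicit deny blocks it"))
    return findings

# Constructed sample: three clients authenticating on one port.
PORT_B1 = {
    "client-a": [("permit", "10.0.0.0/8")],                          # IPv4 only
    "client-b": [("permit", "10.0.0.0/8"), ("permit", "2001:db8::/32")],
    "client-c": None,                                                # no ACL returned
}

if __name__ == "__main__":
    for client, finding in audit_port("user-based", PORT_B1):
        print(client, "->", finding)
```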