KB.15.15

ManualsBrandsHP ManualsNetwork HardwareHP 5412R zl2 Switch

461

462

463

464

465

466

467

468

469

470

Before you configure the 802.1X Open VLAN mode on a port:

• Statically configure an “Unauthorized-Client VLAN” in the switch. The only ports that should

belong to this VLAN are ports offering services and access you want available to

unauthenticated clients. (802.1X authenticator ports do not have to be members of this VLAN.)

CAUTION: Do not allow any port memberships or network services on this VLAN that would

pose a security risk if exposed to an unauthorized client.

• Statically configure an Authorized-Client VLAN in the switch. The only ports that should belong

to this VLAN are ports offering services and access you want available to authenticated clients.

802.1X authenticator ports do not have to be members of this VLAN.

Note that if an 802.1X authenticator port is an untagged member of another VLAN, the port’s

access to that other VLAN will be temporarily removed while an authenticated client is

connected to the port.

For example, if:

1. Port A5 is an untagged member of VLAN 1 (the default VLAN).

2. You configure port A5 as an 802.1X authenticator port.

3. You configure port A5 to use an Authorized-Client VLAN.

Then, if a client connects to port A5 and is authenticated, port A5 becomes an untagged

member of the Authorized-Client VLAN and is temporarily suspended from membership in the

default VLAN

• If you expect friendly clients to connect without having 802.1X supplicant software running,

provide a server on the Unauthorized-Client VLAN for downloading 802.1X supplicant software

to the client, and a procedure by which the client initiates the download.

• A client must either have a valid IP address configured before connecting to the switch, or

download one through the Unauthorized-Client VLAN from a DHCP server. In the latter case,

you will need to provide DHCP services on the Unauthorized-Client VLAN.

• Ensure that the switch is connected to a RADIUS server configured to support authentication

requests from clients using ports configured as 802.1X authenticators. (The RADIUS server

should not be on the Unauthorized- Client VLAN.)

CAUTION: Ensure that you do not introduce a security risk by allowing Unauthorized- Client

VLAN access to network services or resources that could be compromised by an unauthorized

client.

NOTE: As an alternative, you can configure the switch to use local password authentication

instead of RADIUS authentication. However, this is less desirable because it means that all

clients use the same passwords and have the same access privileges. Also, you must use

802.1X supplicant software that supports the use of local switch passwords.

Configuring General 802.1X Operation

These steps enable 802.1X authentication, and must be done before configuring 802.1X VLAN

operation.

Configuring Port-Based Access 465