BLADE OS™ Application Guide HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Version 5.1 Advanced Functionality Software

BLADE OS 5.1 Application Guide
84 Chapter 3: Port-Based Network Access Control BMD00113, September 2009
EAPoL Configuration Guidelines
When configuring EAPoL, consider the following guidelines:
- 802.1X port-based authentication is currently supported only in point-to-point configurations, that is, with a single supplicant connected to an 802.1X-enabled switch port.
- When 802.1X is enabled, a port must be in the authorized state before any other Layer 2 feature can be operationally enabled. For example, the STG state of a port is operationally disabled while the port is in the unauthorized state.
- The 802.1X supplicant capability is not supported. Therefore, none of the switch's ports can successfully connect to an 802.1X-enabled port of another device, such as another switch, that acts as an authenticator, unless access control on the remote port is disabled or is configured in force-authorized mode. For example, if a GbE2c is connected to another GbE2c, and if 802.1X is enabled on both switches, the two connected ports must be configured in force-authorized mode.
- The 802.1X standard has optional provisions for supporting dynamic virtual LAN assignment via RADIUS tunnelling attributes, for example, Tunnel-Type (=VLAN), Tunnel-Medium-Type (=802), and Tunnel-Private-Group-ID (=VLAN id). These attributes are not supported and might affect 802.1X operations. Other unsupported attributes include Service-Type, Session-Timeout, and Termination-Action.
- RADIUS accounting service for 802.1X-authenticated devices or users is not supported.
- Configuration changes performed using SNMP and the standard 802.1X MIB will take effect immediately.