R2511-HP MSR Router Series Security Configuration Guide(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router

141

142

143

144

145

146

147

148

149

150

129

This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also

permits frames from one user whose MAC address contains a specific OUI.

{ For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and

performs OUI check upon receiving non-802.1X frames.

{ For wireless users, the port performs OUI check at first. If the OUI check fails, the port performs

802.1X authentication.

NOTE:

n OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC

addresses, the first three octets are the OUI.

Performing MAC authentication

macAddressWithRadius: A port in this mode performs MAC authentication and services multiple users.

Performing a combination of MAC authentication and 802.1X authentication

• macAddressOrUserLoginSecure

This mode is the combination of the macAddressWithRadius and userLoginSecure modes.

{ For wired users, the port performs MAC authentication 30 seconds after receiving non-802.1X

frames and performs 802.1X authentication upon receiving 802.1X frames.

{ For wireless users, the port performs 802.1X authentication first. If 802.1X authentication fails,

MAC authentication is performed.

• macAddressOrUserLoginSecureExt

This mode is similar to the macAddressOrUserLoginSecure mode except that this mode supports

multiple 802.1X and MAC authentication users.

• macAddressElseUserLoginSecure

This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with

MAC authentication having a higher priority as the Else keyword implies.

{ For wired users, the port performs MAC authentication 30 seconds after receiving non-802.1X

frames.

{ For wireless users, the port performs MAC authentication upon receiving non-802.1X frames.

Upon receiving 802.1X frames, the port performs MAC authentication, and if the MAC

authentication fails, it performs 802.1X authentication.

• macAddressElseUserLoginSecureExt

This mode is similar to the macAddressElseUserLoginSecure mode except that this mode supports

multiple 802.1X and MAC authentication users as the keyword Ext implies.

Support for WLAN

CAUTION:

Do not confi

ure static MAC address entries for wireless users that use the 802.1X or MAC authentication

service. If the source MAC address and the VLAN of a wireless user match a static MAC address entry in

the MAC address table, the user cannot pass 802.1X authentication or MAC authentication.

Table 9 describes the port security modes that apply only to WLAN ports. These port security modes

implements wireless access security at the link layer.