R2511-HP MSR Router Series Security Configuration Guide(V5)

Table 9 Port security modes for WLAN ports
| Security mode | Description | Features that can be triggered |
|---|---|---|
| presharedKey | A user must use a pre-configured static key, also called "the pre-shared key (PSK)," to negotiate the session key with the device and can access the network only after the negotiation succeeds. | NTK/intrusion protection |
| macAddressAndPresharedKey | A user must pass MAC authentication and then use the pre-configured PSK to negotiate with the device. The user can access the network only when the negotiation succeeds. | |
| userLoginSecureExtOrPresharedKey | A user interacts with the device, choosing the UserLoginSecure mode or using the PSK to negotiate with the device. | |

PSK users refer to users that have passed authentication in presharedKey mode. The maximum number of PSK users on a port varies with security modes.

• presharedKey mode—The maximum number of PSK users on the port is the port specification limit on the number of wireless users or port security's limit on the number of MAC addresses, whichever is smaller. The actual maximum number of PSK users on the port also depends on the total number of PSK users that the system can support.
• macAddressAndPresharedKey mode—The maximum number of PSK users on the port is the MAC authentication feature's limit on the number of concurrent users or port security's limit on the number of MAC addresses, whichever is smaller. The actual maximum number of PSK users on the port also depends on the total number of PSK users that the system can support.
• userLoginSecureExtOrPresharedKey mode—The number of PSK users on the port cannot exceed the port limit on the number of wireless users, the number of 802.1X users cannot exceed the 802.1X feature's limit on the number of concurrent users, and the total number of PSK and 802.1X users cannot exceed port security's limit on the number of MAC addresses on the port. The maximum number of PSK or 802.1X users also depends on the system specification.

Working with guest VLAN and Auth-Fail VLAN
An 802.1X guest VLAN is the VLAN that a user is in before initiating authentication.
An 802.1X Auth-Fail VLAN is the VLAN that a user is in after failing authentication.
You can use the 802.1X guest VLAN and 802.1X Auth-Fail VLAN features together with port security
modes that support 802.1X authentication. For more information about the 802.1X guest VLAN and
Auth-Fail VLAN on a port that performs MAC-based access control, see "Configuring 802.1X."
Configuration task list
| Task | Remarks |
|---|---|
| Enabling port security | Required. |
| Setting port security's limit on the number of MAC addresses on a port | Optional. |
| Setting the port security mode | Required. |