R0106-HP MSR Router Series Security Configuration Guide(V7)

Configuring 802.1X
This chapter describes how to configure 802.1X on an HP device. You can also configure the port security
feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It
applies to a network (a WLAN, for example) that requires different authentication methods for different
users on a port. For more information about the port security feature, see "Configuring port security."
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024,
MSR3044, and MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
Feature and hardware compatibility
802.1X is available only on the following ports:
• The ports of the HMIM-24GSW/24GSWP and HMIM-8GSW Layer 2 switching modules installed on
  MSR routers.
Access control methods
HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to
support MAC-based access control.
• Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent
  user can access the network through the port without authentication. When the authenticated user
  logs off, all other users are logged off.
• MAC-based access control—Each user is separately authenticated on a port. When a user logs off,
  no other online users are affected.
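
The difference between the two methods can be seen in a small model of a port's admission decision. This is an added example, not HP code or device configuration; the Port class, the method labels "portbased" and "macbased", and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    """Toy model of one 802.1X-enabled port (illustrative only)."""
    method: str                                # "portbased" or "macbased" (labels assumed here)
    online: set = field(default_factory=set)   # MACs that passed 802.1X
    opener: Optional[str] = None               # port-based: user whose login opened the port

    def login(self, mac: str, passed: bool) -> bool:
        """Record the outcome of an 802.1X exchange for this MAC."""
        if not passed:
            return False
        self.online.add(mac)
        if self.method == "portbased" and self.opener is None:
            self.opener = mac
        return True

    def logoff(self, mac: str) -> None:
        self.online.discard(mac)
        if self.method == "portbased" and mac == self.opener:
            self.online.clear()                # everyone behind the port is logged off
            self.opener = None

    def admits(self, mac: str) -> bool:
        """Would traffic from this source MAC be let through the port?"""
        if self.method == "portbased":
            return self.opener is not None     # port open: any source MAC passes
        return mac in self.online              # MAC-based: only authenticated MACs

USER_A = "00:00:5e:00:53:01"   # constructed sample MACs (documentation range)
USER_B = "00:00:5e:00:53:02"

def walkthrough(method: str) -> dict:
    """Run the same sequence of events under one access control method."""
    port = Port(method)
    result = {"b_before_any_login": port.admits(USER_B)}
    port.login(USER_A, passed=True)
    result["b_without_authenticating"] = port.admits(USER_B)
    port.login(USER_B, passed=True)
    port.logoff(USER_A)
    result["b_after_a_logs_off"] = port.admits(USER_B)
    return result

if __name__ == "__main__":
    for m in ("portbased", "macbased"):
        print(m, walkthrough(m))
```

The port-based run admits the second MAC without any authentication of its own and drops it when the first user logs off; the MAC-based run does neither.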
802.1X VLAN manipulation
Authorization VLAN
You can specify authorization VLANs for an 802.1X user to control access to authorized network
resources. When the 802.1X user passes authentication, the authentication server assigns the
authorization VLANs or VLAN group to the user.
Supported VLAN types and forms
Which VLAN types and forms are supported depends on the authorization type.
• Local VLAN authorization.
  You can specify only one authorization VLAN by its ID in user view or user group view on the
  access device. For more information about local user configuration, see "Configuring AAA."
• Remote VLAN authorization.
  You can specify a VLAN or a group of VLANs on the AAA server for 802.1X users. The access
  device supports VLANs of the following formats:
  ○ VLAN ID.