Manualshelf

ProCurve Series 2300 and 2500 Switches Release Notes

ManualsBrandsHP ManualsServerHP NonStop G-Series
31323334353637383940
22
Enhancements in Release F.05.xx
Configuring Port-Based Access Control (802.1x)
How 802.1x Operates
Authenticator Operation
This operation provides security on a direct, point-to-point link between a single client and the switch,
where both devices are 802.1x-aware. (If you expect desirable clients that do not have the necessary
802.1x supplicant software, you can provide a path for downloading such software by using the 802.1x
Open VLAN mode—refer to “802.1x Open VLAN Mode” on page -34.) For example, suppose that you
have configured a port on the switch for 802.1x authentication operation. If you then connect an
802.1x-aware client (supplicant) to the port and attempt to log on:
1. When the switch detects the client on the port, it blocks access to the LAN from that port.
2. The switch responds with an identity request.
3. The client responds with a user name that uniquely defines this request for the client.
4. The switch responds in one of the following ways:
If 802.1x (port-access) on the switch is configured for RADIUS authentication, the switch
then forwards the request to a RADIUS server.
i. The server responds with an access challenge which the switch forwards to the client.
ii. The client then provides identifying credentials (such as a user certificate), which the
switch forwards to the RADIUS server.
iii. The RADIUS server then checks the credentials provided by the client.
iv. If the client is successfully authenticated and authorized to connect to the network,
then the server notifies the switch to allow access to the client. Otherwise, access is
denied and the port remains blocked.
If 802.1x (port-access) on the switch is configured for local authentication, then:
i. The switch compares the client’s credentials with the username and password config-
ured in the switch (Operator or Manager level).
ii. If the client is successfully authenticated and authorized to connect to the network,
then the switch allows access to the client. Otherwise, access is denied and the port
remains blocked.
Switch-Port Supplicant Operation
This operation provides security on links between 802.1x-aware switches. For example, suppose that
you want to connect two switches, where:
Switch “A” has port 1 configured for 802.1x supplicant operation.
You want to connect port 1 on switch “A” to port 5 on switch “B”.