ProCurve Series 2300 and 2500 Switches Release Notes

Enhancements in Release F.05.xx

Configuring Port-Based Access Control (802.1x)

Figure 8. Example of Supplicant Operation

1. When port 1 on switch “A” is first connected to a port on switch “B”, or if the ports are already

connected and either switch reboots, port 1 begins sending start packets to port 5 on switch “B”.

• If, after the supplicant port sends the configured number of start packets, it does not

receive a response, it assumes that switch “B” is not 802.1x-aware, and transitions to the

authenticated state. If switch “B” is operating properly and is not 802.1x-aware, then the

link should begin functioning normally, but without 802.1x security.

• If, after sending one or more start packets, port 1 receives a request packet from port 5,

then switch “B” is operating as an 802.1x authenticator. The supplicant port then sends

a response/ID packet. Switch “B” forwards this request to a RADIUS server.

2. The RADIUS server then responds with an MD5 access challenge that switch “B” forwards to

port 1 on switch “A”.

3. Port 1 replies with an MD5 hash response based on its username and password or other unique

credentials. Switch “B” forwards this response to the RADIUS server.

4. The RADIUS server then analyzes the response and sends either a “success” or “failure” packet

back through switch “B” to port 1.

• A “success” response unblocks port 5 to normal traffic from port 1.

• A “failure” response continues the block on port 5 and causes port 1 to wait for the “held-

time” period before trying again to achieve authentication through port 5.

Note

You can configure a switch port to operate as both a supplicant and an authenticator at the same time.

RADIUS Server

Switch “A”

Port 1 Configured as an

802.1x Supplicant

Port 1

Switch “B”

Port 5

LAN Core