ProCurve Series 2300 and 2500 Switches Release Notes

Enhancements in Release F.05.xx
Configuring Port-Based Access Control (802.1x)
3. Determine whether to use the optional 802.1x Open VLAN mode for clients that are not
802.1x-aware; that is, for clients that are not running 802.1x supplicant software. (This will require you
to provide downloadable software that the client can use to enable an authentication session.)
For more on this topic, refer to “802.1x Open VLAN Mode” on page 34.
4. For each port you want to operate as a supplicant, determine a username and password pair.
You can either use the same pair for each port or use unique pairs for individual ports or
subgroups of ports. (This can also be the same local username/password pair that you assign
to the switch.)
5. Unless you are using only the switch’s local username and password for 802.1x authentication,
configure at least one RADIUS server to authenticate access requests coming through the ports
on the switch from external supplicants (including switch ports operating as 802.1x
supplicants). You can use up to three RADIUS servers for authentication; one primary and two
backups. Refer to the documentation provided with your RADIUS application.
Overview: Configuring 802.1x Authentication on the Switch
This section outlines the steps for configuring 802.1x on the switch. For detailed information on each
step, refer to “Configuring RADIUS Authentication and Accounting” on page 97 or “Configuring
Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches” on page 47.
1. Enable 802.1x authentication on the individual ports you want to serve as authenticators. On
the ports you will use as authenticators, either accept the default 802.1x settings or change them,
as necessary. Note that, by default, the port-control parameter is set to auto for all ports on the
switch. This requires a client to support 802.1x authentication and to provide valid credentials
to get network access. Refer to page 29.
2. If you want to provide a path for clients without 802.1x supplicant software to download the
software so that they can initiate an authentication session, enable the 802.1x Open VLAN mode
on the ports you want to support this feature. Refer to page 34.
3. Configure the 802.1x authentication type. Options include:
   • Local Operator username and password (the default): This option allows a client to use
     the switch’s local username and password as valid 802.1x credentials for network access.
   • EAP RADIUS: This option requires your RADIUS server application to support EAP
     authentication for 802.1x.
   • CHAP (MD5) RADIUS: This option requires your RADIUS server application to support
     CHAP (MD5) authentication.
   See page 32.
4. If you select either eap-radius or chap-radius for step 3, use the radius host command to configure
up to three RADIUS server IP address(es) on the switch. See page 33.
5. Enable 802.1x authentication on the switch. See page 29.
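
The following is an added example, not part of the release notes: a short Python check that reads a saved switch configuration and reports which of the five steps above are incomplete. The command spellings it matches (aaa port-access authenticator, aaa authentication port-access, radius-server host) and the sample configuration are assumptions made for illustration; confirm the syntax on the detailed pages cited above.

```python
import re

# Constructed running-config excerpt, not taken from the release notes.
# Assumed command spellings; confirm them on the detailed pages cited above.
SAMPLE_CONFIG = """\
radius-server host 10.0.0.10
radius-server host 10.0.0.11
aaa authentication port-access eap-radius
aaa port-access authenticator 1-8
aaa port-access authenticator active
"""

def audit_8021x(config):
    """Return a list of findings for gaps in the five configuration steps."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # Step 1: at least one port must be enabled as an authenticator.
    prefix = "aaa port-access authenticator "
    ports = [ln[len(prefix):] for ln in lines
             if ln.startswith(prefix) and ln != prefix + "active"]
    if not ports:
        findings.append("step 1: no authenticator ports configured")

    # Step 3: authentication type; local is the default when none is set.
    auth = "local"
    for ln in lines:
        m = re.fullmatch(
            r"aaa authentication port-access (local|eap-radius|chap-radius)", ln)
        if m:
            auth = m.group(1)
    if auth == "local":
        findings.append("step 3: local auth, switch credentials grant network access")

    # Step 4: RADIUS types need one to three servers (one primary, two backups).
    hosts = [ln for ln in lines if ln.startswith("radius-server host ")]
    if auth != "local" and not 1 <= len(hosts) <= 3:
        findings.append(f"step 4: {auth} needs 1-3 RADIUS hosts, found {len(hosts)}")

    # Step 5: 802.1x must be enabled on the switch as a whole.
    if prefix + "active" not in lines:
        findings.append("step 5: 802.1x not enabled on the switch")
    return findings

if __name__ == "__main__":
    for finding in audit_8021x(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

The step 3 finding for local authentication is informational: it marks configurations where the switch's own username and password are also valid 802.1x credentials.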