ProLiant BL p-Class GbE2 Interconnect Switch Application Guide
Port-based Network Access and traffic control 42
If a client that does not support 802.1x connects to an 802.1x-controlled port, the switch authenticator requests
the client's identity when it detects a change in the operational state of the port. The client does not respond to
the request, and the port remains in the unauthorized state.
NOTE: When an 802.1x-enabled client connects to a port that is not 802.1x-controlled, the client initiates the
authentication process by sending an EAPOL-Start frame. When no response is received, the client retransmits
the request a fixed number of times. If there is still no response, the client assumes the port is in the
authorized state and begins sending frames, even if the port is unauthorized.
802.1x port states
The state of the port determines whether the client is granted access to the network, as follows:
• Unauthorized—While in this state, the port discards all ingress and egress traffic except EAP packets.
• Authorized—When the client is authenticated successfully, the port transitions to the authorized state
allowing all traffic to and from the client to flow normally.
• Force Unauthorized—A state you can configure that denies all access to the port.
• Force Authorized—A state you can configure that allows full access to the port.
Use the 802.1x Global Configuration Menu (/cfg/l2/8021x/global) to configure 802.1x authentication for
all ports in the switch. Use the 802.1x Port Menu (/cfg/l2/8021x/port x) to configure a single port.
Supported RADIUS attributes
The GbE2 802.1x Authenticator relies on external RADIUS servers for authentication with EAP. The following
table lists the RADIUS attributes that are supported as part of RADIUS-EAP authentication based on the guidelines
specified in Annex D of the 802.1x standard and RFC 3580.
Legend:
RADIUS Packet Types:
• A-R (Access-Request)
• A-A (Access-Accept)
• A-C (Access-Challenge)
• A-R (Access-Reject)
RADIUS Attribute Support:
• 0—This attribute MUST NOT be present in a packet.
• 0+—Zero or more instances of this attribute MAY be present in a packet.
• 0-1—Zero or one instance of this attribute MAY be present in a packet.
• 1—Exactly one instance of this attribute MUST be present in a packet.
• 1+—One or more of these attributes MUST be present.
Table 8 EAP support for RADIUS attributes

| # | Attribute | Attribute Value | A-R (Request) | A-A | A-C | A-R (Reject) |
|---|---|---|---|---|---|---|
| 1 | User-Name | The value of the Type-Data field from the supplicant's EAP-Response/Identity message. If the Identity is unknown (i.e. Type-Data field is zero bytes in length), this attribute will have the same value as the Calling-Station-Id. | 1 | 0-1 | 0 | 0 |
| 4 | NAS-IP-Address | IP address of the authenticator used for RADIUS communication. | 1 | 0 | 0 | 0 |
| 5 | NAS-Port | Port number of the authenticator port to which the supplicant is attached. | 1 | 0 | 0 | 0 |
| 24 | State | Server-specific value. This is sent unmodified back to the server in an Access-Request that is in response to an Access-Challenge. | 0-1 | 0-1 | 0-1 | 0 |
| 30 | Called-Station-ID | The MAC address of the authenticator encoded as an ASCII string in canonical format, e.g. 000D5622E39F. | 1 | 0 | 0 | 0 |