Use Models for 802.1x Open VLAN Modes, 6-21 – HP 4100GL User Manual

Page 155


Configuring Port-Based Access Control (802.1x)

802.1x Open VLAN Mode

1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS
server during authentication.

2nd Priority: If RADIUS authentication does not include assigning a VLAN to
the port, then the switch assigns the port to the VLAN entered in the port's
802.1x configuration as an Authorized-Client VLAN, if configured.

3rd Priority: If the port does not have an Authorized-Client VLAN configured,
but does have a static, untagged VLAN membership in its configuration, then
the switch assigns the port to this VLAN.

If the port is not configured for any of the above, then it must be a tagged
member of at least one VLAN. In this case, if the client is capable of operating
in a tagged VLAN, then it can access that VLAN. Otherwise, the connection
will fail.

Caution

If a port is a tagged member of a statically configured VLAN, 802.1x Open
VLAN mode does not prevent unauthenticated client access to such VLANs if
the client is capable of operating in a tagged VLAN environment. To avoid
possible security breaches, HP recommends that you not allow a tagged VLAN
membership on a port configured for 802.1x Open VLAN mode unless you use
the tagged VLAN as the Unauthorized-Client VLAN.

Use Models for 802.1x Open VLAN Modes

You can apply the 802.1x Open VLAN mode in more than one way. Depending
on your use, you will need to create one or two static VLANs on the switch for
exclusive use by per-port 802.1x Open VLAN mode authentication:

Unauthorized-Client VLAN: Configure this VLAN when unauthenticated,
friendly clients will need access to some services before being
authenticated.

Authorized-Client VLAN: Configure this VLAN for authenticated clients when
the port is not statically configured as an untagged member of a VLAN you
want clients to use, or when the port is statically configured as an
untagged member of a VLAN you do not want clients to use. (A port can be
configured as untagged on only one VLAN. When an Authorized-Client VLAN is
configured, it will always be untagged and will block the port from using a
statically configured, untagged membership in another VLAN.)
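The priority rules and the caution above, as an added example that is not from the manual: a small Python model (the field names and sample ports are assumptions, not switch configuration keywords) that computes where an authenticated client lands and flags ports whose tagged memberships an unauthenticated, tag-capable client could reach.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed model of one port's 802.1x Open VLAN settings; the field names are
# assumptions for this example, not the switch's own configuration keywords.
@dataclass
class PortConfig:
    name: str
    unauth_vlan: Optional[int] = None          # Unauthorized-Client VLAN, if configured
    auth_vlan: Optional[int] = None            # Authorized-Client VLAN, if configured
    static_untagged: Optional[int] = None      # static untagged membership (at most one)
    static_tagged: Set[int] = field(default_factory=set)  # static tagged memberships

def authorized_vlans(port: PortConfig, radius_vlan: Optional[int] = None,
                     client_tags: bool = False) -> List[int]:
    """VLAN(s) an authenticated client on this port ends up in, following the
    priority order on this page. An empty list means the connection fails."""
    if radius_vlan is not None:            # 1st priority: RADIUS-assigned VLAN
        return [radius_vlan]
    if port.auth_vlan is not None:         # 2nd priority: Authorized-Client VLAN
        return [port.auth_vlan]
    if port.static_untagged is not None:   # 3rd priority: static untagged VLAN
        return [port.static_untagged]
    # None of the above: the port must be a tagged member of at least one VLAN,
    # and only a client that can operate in a tagged VLAN can use it.
    if port.static_tagged and client_tags:
        return sorted(port.static_tagged)
    return []

def exposed_tagged_vlans(port: PortConfig) -> List[int]:
    """Tagged VLANs an unauthenticated, tag-capable client could reach on this port.
    Per the caution, Open VLAN mode does not block them; the only tagged membership
    the page allows is one used as the Unauthorized-Client VLAN."""
    return sorted(v for v in port.static_tagged if v != port.unauth_vlan)

def audit(ports: List[PortConfig]) -> List[str]:
    """One finding per port whose tagged memberships violate the caution."""
    return [f"{p.name}: tagged VLANs {exposed_tagged_vlans(p)} reachable before authentication"
            for p in ports if exposed_tagged_vlans(p)]

if __name__ == "__main__":
    # Constructed sample ports: A1 is tagged only on its Unauthorized-Client VLAN,
    # A2 carries VLAN 10 tagged with no such VLAN configured and is flagged.
    sample = [PortConfig("A1", unauth_vlan=99, auth_vlan=20, static_tagged={99}),
              PortConfig("A2", static_untagged=1, static_tagged={10})]
    for line in audit(sample):
        print(line)
```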

6-21
