Mac-based authentication – HP 2600 Series User Manual

3-7

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

How Web and MAC Authentication Operate

moves have not been enabled (

client-moves) on the ports, the session ends and

the client must reauthenticate for network access. At the end of the session
the port returns to its pre-authentication state. Any changes to the port’s VLAN
memberships made while it is an authorized port take affect at the end of the
session.

A client may not be authenticated due to invalid credentials or a RADIUS
server timeout. The

max-retries parameter specifies how many times a client

may enter their credentials before authentication fails. The

server-timeout

parameter sets how long the switch waits to receive a response from the
RADIUS server before timing out. The

max-requests parameter specifies how

many authentication attempts may result in a RADIUS server timeout before
authentication fails. The switch waits a specified amount of time (

quiet-

period) before processing any new authentication requests from the client.

Network administrators may assign unauthenticated clients to a specific
static, untagged VLAN (

unauth-vid), to provide access to specific (guest)

network resources. If no VLAN is assigned to unauthenticated clients the port
is blocked and no network access is available. Should another client success-
fully authenticate through that port any unauthenticated clients on the

unauth-

vid are dropped from the port.

MAC-based Authentication

When a client connects to a MAC-Auth enabled port traffic is blocked. The
switch immediately submits the client’s MAC address (in the format specified
by the

addr-format) as its certification credentials to the RADIUS server for

authentication.

If the client is authenticated and the maximum number of MAC addresses
allowed on the port (

addr-limit) has not been reached, the port is assigned to

a static, untagged VLAN for network access.

The assigned VLAN is determined, in order of priority, as follows:

1.

If there is a RADIUS-assigned VLAN, then, for the duration of the client
session, the port belongs to this VLAN and temporarily drops all other
VLAN memberships.

2.

If there is no RADIUS-assigned VLAN, then, for the duration of the client
session, the port belongs to the Authorized VLAN (

auth-vid if configured)

and temporarily drops all other VLAN memberships.

3.

If neither 1 or 2, above, apply, but the port is an untagged member of a
statically configured, port-based VLAN, then the port remains in this
VLAN.