beautypg.com

HP 4100GL User Manual

Page 159

background image

Configuring Port-Based Access Control (802.1x)

802.1x Open VLAN Mode

Condition

Rule

Multiple Authenticator Ports Using

You can use the same static VLAN as the Unauthorized-Client VLAN

the Same Unauthorized-Client and

for all 802.1x authenticator ports configured on the switch. Similarly,

Authorized-Client VLANs

you can use the same static VLAN as the Authorized-Client VLAN for
all 802.1x authenticator ports configured on the switch.
Caution: Do not use the same static VLAN for both the unauthorized
and the Authorized-Client VLAN. Using one VLAN for both creates a
security risk by defeating the isolation of unauthenticated clients.

Effect of Failed Client Authentication When there is an Unauthorized-Client VLAN configured on an 802.1x
Attempt

authenticator port, an unauthorized client connected to the port has
access only to the network resources belonging to the Unauthorized-
Client VLAN. (There can be an exception to this rule if the port is also
a tagged member of a statically configured VLAN. Refer to the Caution
on page page 6-21.) This access continues until the client disconnects
from the port. (If there is no Unauthorized-Client VLAN configured on
the authenticator port, the port simply blocks access for any unautho­
rized client that cannot be authenticated.)

Sources for an IP Address

A client can either acquire an IP address from a DHCP server or have

Configuration for a Client Connected a preconfigured, manual IP address before connecting to the switch.
to a Port Configured for 802.x Open
VLAN Mode

802.1x Supplicant Software for a

A friendly client, without 802.1x supplicant software, connecting to an

Client Connected to aPort Configured authenticator port must be able to download this software from the
for 802.1x Open VLAN Mode

Unauthorized-Client VLAN before authentication can begin.

N o t e :

If you use the same VLAN as the Unauthorized-Client VLAN for all authenti

-

cator ports, unauthenticated clients on different ports can communicate with
each other. However, in this case, you can improve security between authen

-

ticator ports by using the switch’s Source-Port filter feature. For example, if
you are using ports B1 and B2 as authenticator ports on the same Unautho

-

rized-Client VLAN, you can configure a Source-Port filter on B1 to drop all
packets from B2 and vice-versa.

6-25

See also other documents in the category HP Computer Accessories: