HP 6120G/XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 367
Effect of Failed Client Authentication, Effect of Authorized-Client VLAN
Configuring Port-Based and User-Based Access Control (802.1X)
802.1X Open VLAN Mode

Condition: Effect of Unauthorized-Client VLAN session on untagged port VLAN membership

Rule:
• When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). (While the Unauthorized-Client VLAN is in use, the port does not access any other VLANs.)
• If the client disconnects, the port leaves the Unauthorized-Client VLAN and re-acquires membership in all the statically configured VLANs to which it belongs.
• If the client becomes authenticated, the port leaves the Unauthorized-Client VLAN and joins the appropriate VLAN. (Refer to "VLAN Membership Priorities" on page 10-30.)
• On switches that allow multiple clients per port, if an authenticated client is already using the port for a different VLAN, any other unauthenticated clients that would need the Unauthorized-Client VLAN are blocked.

Condition: Effect of Authorized-Client VLAN session on untagged port VLAN membership

Rule:
• When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Authorized-Client VLAN (also untagged). While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN.
• When the authenticated client disconnects, the switch removes the port from the Authorized-Client VLAN and moves it back to untagged membership in the statically configured VLAN. (After client authentication, the port resumes any tagged VLAN memberships for which it is already configured. For details, refer to the Note on page 10-31.)

Note: This rule assumes:
• No alternate VLAN has been assigned by a RADIUS server.
• No other authenticated clients are already using the port.
Multiple Authenticator Ports Using the Same Unauthorized-Client and Authorized-Client VLANs

You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1X authenticator ports configured on the switch. Similarly, you can use the same static VLAN as the Authorized-Client VLAN for all 802.1X authenticator ports configured on the switch.

Caution: Do not use the same static VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN. Using one VLAN for both creates a security risk by defeating the isolation of unauthenticated clients.

Condition: Effect of Failed Client Authentication Attempt

Rule: When there is an Unauthorized-Client VLAN configured on an 802.1X authenticator port, an unauthorized client connected to the port has access only to the network resources belonging to the Unauthorized-Client VLAN. This access continues until the client disconnects from the port. (If there is no Unauthorized-Client VLAN configured on the authenticator port, the port simply blocks access for any unauthorized client.)

Note: This rule assumes no other authenticated clients are already using the port on a different VLAN.

10-37
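The port-membership rules on this page (Unauthorized-Client and Authorized-Client VLAN sessions, the multi-client blocking rule, the failed-attempt rule and the caution against sharing one VLAN for both roles), modelled as a small Python state machine. This is an added example, not code from the Access Security Guide or from the switch; the VLAN ids 10, 20, 30 and the client names are constructed, and it assumes one static untagged VLAN per port and no RADIUS-assigned VLAN.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthenticatorPort:
    """One 802.1X authenticator port in Open VLAN Mode (model of the guide's rules)."""
    static_vid: int                    # statically configured untagged VLAN
    unauth_vid: Optional[int] = None   # Unauthorized-Client VLAN, None if not configured
    auth_vid: Optional[int] = None     # Authorized-Client VLAN, None if not configured
    clients: dict = field(default_factory=dict)  # client -> "unauth" or "auth"

    def __post_init__(self):
        # Caution from the guide: one VLAN for both roles removes the isolation
        # of unauthenticated clients, so the model refuses that configuration.
        if self.unauth_vid is not None and self.unauth_vid == self.auth_vid:
            raise ValueError("unauth-vid and auth-vid must be different VLANs")

    def untagged_vid(self) -> int:
        """VLAN the port is currently an untagged member of."""
        states = set(self.clients.values())
        if "auth" in states:   # Authorized-Client VLAN replaces the static VLAN
            return self.auth_vid if self.auth_vid is not None else self.static_vid
        if "unauth" in states and self.unauth_vid is not None:
            return self.unauth_vid   # port temporarily leaves its static VLAN
        return self.static_vid       # no clients, or no Unauthorized-Client VLAN

    def connect(self, client: str) -> Optional[int]:
        """Unauthenticated client attaches; returns the VLAN it can reach, None if blocked."""
        self.clients[client] = "unauth"
        if "auth" in self.clients.values():
            return None   # multi-client rule: an authenticated client already holds the port
        return self.unauth_vid   # None when no Unauthorized-Client VLAN: access blocked

    def authenticate(self, client: str) -> int:
        """Client passes 802.1X; assumes no RADIUS-assigned VLAN."""
        self.clients[client] = "auth"
        return self.untagged_vid()

    def disconnect(self, client: str) -> int:
        """Client leaves; with no clients left the port regains its static VLAN."""
        self.clients.pop(client, None)
        return self.untagged_vid()


if __name__ == "__main__":
    port = AuthenticatorPort(static_vid=10, unauth_vid=20, auth_vid=30)  # constructed ids
    print(port.connect("laptop"), port.authenticate("laptop"), port.connect("printer"))
```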