HP GbE2c HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Application Gu - Page 41

802.1x port states The state of the port determines whether the client is granted access to the network, as follows: • Unauthorized-While in this state, the port discards all ingress and egress traffic except EAP packets. • Authorized-When the client is authenticated successfully, the port transitions to the authorized state allowing all traffic to and from the client to flow normally. • Force Unauthorized-You can configure this state that denies all access to the port. • Force Authorized-You can configure this state that allows full access to the port. Use the 802.1x Global Configuration Menu (/cfg/l2/8021x/global) to configure 802.1x authentication for all ports in the switch. Use the 802.1x Port Menu (/cfg/l2/8021x/port x) to configure a single port. Supported RADIUS attributes The GbE2c 802.1x Authenticator relies on external RADIUS servers for authentication with EAP. The following table lists the RADIUS attributes that are supported as part of RADIUS-EAP authentication based on the guidelines specified in Annex D of the 802.1x standard and RFC 3580. Table 9 EAP support for RADIUS attributes # Attribute Attribute Value A-R A-A A-C A-R 1 User-Name The value of the Type-Data field from the 1 0-1 0 0 supplicant's EAP-Response/Identity message. If the Identity is unknown (i.e. Type-Data field is zero bytes in length), this attribute will have the same value as the Calling-Station-Id. 4 NAS-IP-Address IP address of the authenticator used for 1 0 0 0 RADIUS communication. 5 NAS-Port Port number of the authenticator port to 1 0 0 0 which the supplicant is attached. 24 State Server-specific value. This is sent 0-1 0-1 0-1 0 unmodified back to the server in an Access-Request that is in response to an Access-Challenge. 30 Called-Station-ID The MAC address of the authenticator 1 0 0 0 encoded as an ASCII string in canonical format, e.g. 000D5622E3 9F. 31 Calling-Station-ID The MAC address of the supplicant 1 0 0 0 encoded as an ASCII string in canonical format, e.g. 00034B436206. 79 EAP-Message Encapsulated EAP packets from the 1+ 1+ 1+ 1+ supplicant to the authentication server (Radius) and vice-versa. The authenticator relays the decoded packet to both devices. 80 Message-Authentica- Always present whenever an EAP-Message 1 1 1 1 tor attribute is also included. Used to integrity- protect a packet. 87 NAS-Port-ID Name assigned to the authenticator port, 1 0 0 0 e.g. Server1_Port3 Legend: RADIUS Packet Types: A-R (Access-Request), A-A (Access-Accept), A-C (Access-Challenge), A-R (Access-Reject) RADIUS Attribute Support: 0 This attribute MUST NOT be present in a packet. 0+ Zero or more instances of this attribute MAY be present in a packet. 0-1 Zero or one instance of this attribute MAY be present in a packet. 1 Exactly one instance of this attribute MUST be present in a packet. 1+ One or more of these attributes MUST be present. Port-based Network Access and traffic control 41