Software Fixes in Release M.08.51 - M.10.72

Release M.10.72

Drop offer from <DHCP server IP address> of <DHCP address offer> because the address is assigned to some other client

Drop request from <MAC address of client requesting an IP address that is already in use> for <IP address requested by client> because the address is assigned to some other client

DHCP-Snooping (PR_0000019155) — DHCP-Snooping does not correctly identify that a packet is a fragment, and drops UDP fragments if a hex value of 44 (68 decimal) is present in the payload where the header is usually located (in a non-fragment).

Unauthenticated VLAN (PR_0000010533) — The switch allows an inherent configuration conflict; an unauthenticated VLAN (unauth-vid) can be configured concurrently for both 802.1X and Web/MAC authentication. This fix will not allow concurrent configuration of an unauth-vid for the aaa port-access authenticator and aaa port-access web-based or aaa port-access mac-based functions. Software versions that contain this fix will not allow this configuration conflict at the CLI. Existing configurations will be altered by this fix, and an error will be reported at the switch CLI and event log.

Best Practice Tip: 802.1X should not have an unauthenticated VLAN setting when it works concurrently with Web-based or MAC-based authentication if the unauth-period in 802.1X is zero (the default value). Recall that the unauth-period is the time that 802.1X will wait for authentication completion before the client will be authorized on an unauthenticated VLAN. If 802.1X is associated with an unauthenticated VLAN when the unauth-period is zero, Web- or MAC-auth may not get the opportunity to initiate authentication at all if the first packet from the client is an 802.1X packet. Alternatively, if the first packet sent was not 802.1X, Web- or MAC-auth could be initiated before 802.1X places the user in the unauthenticated VLAN. When Web- or MAC-auth then completes successfully, it will be awaiting traffic from the client (to enable VLAN assignment), but that traffic will be restricted to the unauthenticated VLAN, and thus the client will remain there.
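Because the fix alters existing configurations, it helps to find affected ports in a saved configuration before upgrading. The following Python sketch is an added example, not HP code: it assumes configuration lines of the form `aaa port-access <method> <port-list> unauth-vid <vid>` and `aaa port-access authenticator <port-list> unauth-period <seconds>`, expands numeric port lists only, and uses hypothetical function names and a constructed sample configuration.

```python
import re

# Assumed line form: "aaa port-access authenticator 1-4 unauth-vid 100".
LINE_RE = re.compile(
    r"^\s*aaa port-access (authenticator|web-based|mac-based)\s+(\S+)\s+"
    r"(unauth-vid|unauth-period)\s+(\d+)\s*$")

def expand_ports(port_list):
    """Expand a numeric port list such as '1-3,7' into ['1', '2', '3', '7']."""
    ports = []
    for part in port_list.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and hi.isdigit():
            ports.extend(str(p) for p in range(int(lo), int(hi) + 1))
        else:
            ports.append(part)  # single port, or a form this sketch does not expand
    return ports

def find_unauth_vid_conflicts(config_text):
    """Return {port: finding} where unauth-vid is set for 802.1X and for Web/MAC auth."""
    unauth_vid = {}     # port -> {method: vid}
    unauth_period = {}  # port -> seconds, 802.1X authenticator only
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without unauth-vid / unauth-period are not relevant
        method, port_list, keyword, value = m.groups()
        for port in expand_ports(port_list):
            if keyword == "unauth-vid":
                unauth_vid.setdefault(port, {})[method] = int(value)
            elif method == "authenticator":
                unauth_period[port] = int(value)
    findings = {}
    for port, methods in unauth_vid.items():
        others = sorted(m for m in methods if m != "authenticator")
        if "authenticator" in methods and others:
            # An unauth-period of zero (the default) is the case the tip warns about.
            findings[port] = {"methods": ["authenticator"] + others,
                              "unauth_period": unauth_period.get(port, 0)}
    return findings

# Constructed sample configuration, not taken from a real switch.
SAMPLE_CONFIG = """\
aaa port-access authenticator 1-4
aaa port-access authenticator 1-2 unauth-vid 100
aaa port-access authenticator 2 unauth-period 30
aaa port-access web-based 2-3 unauth-vid 100
aaa port-access mac-based 1 unauth-vid 200
"""
```

On the sample, `find_unauth_vid_conflicts(SAMPLE_CONFIG)` reports ports 1 and 2; port 1 keeps the default unauth-period of zero, which is the combination the tip describes.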

If a MAC- or Web-based configuration on a port is associated with an unauth-VID, and an attempt is made to configure an unauth-VID for 802.1X (port-access authenticator), the switch with this fix will reject the configuration change with a message similar to one of the following.

Message 1 (when an unauth-vid config is attempted on a port with an existing Web- or MAC-auth unauth-vid):

Configuration change denied for port <number>. Only Web or MAC-authenticator can have unauthenticated VLAN enabled if 802.1X authenticator is enabled on the same port. Please disable Web and MAC authentication on this port using the following commands:

"no aaa port-access web-based <PORT-LIST>" or "no aaa port-access mac-based <PORT-LIST>"

Then you can enable 802.1X authentication with unauthenticated VLAN. You can re-enable Web and/or MAC authentication after you remove the unauthenticated VLAN from 802.1X. Note that you can set unauthenticated VLAN for Web or MAC authentication instead.
