Configuring Port-Based Access Control (802.1X)

Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices

If an authenticated client loses authentication during a session in 802.1X Open VLAN mode, the port VLAN membership reverts to the Unauthorized-Client VLAN. If no Unauthorized-Client VLAN is configured, the client loses access to the port until it can reauthenticate.


If you use port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.1X-aware device detected on the port. Then, only traffic from this specific device is allowed on the port. When this device logs off, another 802.1X-aware device can be authenticated on the port.

Syntax: port-security [ethernet] <port-list> learn-mode port-access
            Configures port-security on the specified port(s) to allow only the first 802.1X-aware device the port detects.

        action < none | send-alarm | send-disable >
            Configures the port's response (in addition to blocking unauthorized traffic) to detecting an intruder.

 

 

Note

Port-Security operates with 802.1X authentication as described above only if the selected ports are configured as 802.1X; that is, with the control mode in the port-access authenticator command set to auto. For example, to configure port A10 for 802.1X authenticator operation and display the result:

ProCurve(config)# aaa port-access authenticator e A10 control auto
ProCurve(config)# show port-access authenticator e A10 config
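The following command sequence is an added example, not text from the ProCurve manual. It pairs the authenticator setting from the note with the port-security setting described above on the same port, A10, so that the port both requires 802.1X authentication and only passes traffic from the first 802.1X-aware device it learns. The `aaa port-access authenticator active` line (which turns on 802.1X authenticator operation switch-wide) and the `show port-security` verification command are assumed from general ProCurve CLI usage rather than taken from this page; the example also assumes a RADIUS server has already been configured for port-access authentication, which is not shown. The comment lines are for the reader only.

```text
! Added example (not from the manual). Assumes RADIUS for port-access
! authentication is already configured on this switch.

! 1. Put port A10 in 802.1X authenticator mode with control set to auto.
!    Port-security learn-mode port-access only behaves as described when
!    the control mode is auto.
ProCurve(config)# aaa port-access authenticator e A10 control auto

! 2. Enable 802.1X authenticator operation switch-wide
!    (assumed command, not shown on this page).
ProCurve(config)# aaa port-access authenticator active

! 3. Restrict A10 to the first 802.1X-aware device it detects. The chosen
!    action, send-alarm, reports an intruder without taking the port down;
!    send-disable would disable the port as well.
ProCurve(config)# port-security e A10 learn-mode port-access action send-alarm

! 4. Verify both halves of the configuration.
ProCurve(config)# show port-access authenticator e A10 config
ProCurve(config)# show port-security e A10
```

The order matters in one respect: the port-security behaviour in step 3 depends on the control mode set in step 1, so if the authenticator control mode on A10 is later changed away from auto, port-security on that port no longer operates in the 802.1X-aware manner described in this section.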

 

 

8-32

HP 6108, 4100gl, 2650 (J4899A/B), 2626 (J4900A/B), 2600-PWR manual