Configuring Port-Based and Client-Based Access Control (802.1X)

Displaying 802.1X Configuration, Statistics, and Counters

When the Unauth VLAN ID is configured and matches the Current VLAN ID in the above command output, an unauthenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Unauth VLAN.)

Note that because a temporary Open VLAN port assignment to either an authorized or unauthorized VLAN is an untagged VLAN membership, these assignments temporarily replace any other untagged VLAN membership that is statically configured on the port. For example, if port A12 is statically configured as an untagged member of VLAN 1, but is configured to use VLAN 25 as an authorized VLAN, then the port’s membership in VLAN 1 will be temporarily suspended whenever an authenticated 802.1X client is attached to the port.

Table 8-3. Open VLAN Mode Status

Status Indicator

Meaning

Port

Lists the ports configured as 802.1X port-access authenticators.

 

 

Status

Closed: Either no client is connected or the connected client has not received authorization through

 

802.1X authentication.

 

Open: An authorized 802.1X supplicant is connected to the port.

Access Control

This state is controlled by the following port-access command syntax:

ProCurve(config)# aaa port-access authenticator < port-list> control < authorized auto unauthorized >

 

Auto: Configures the port to allow network access to any connected device that supports 802.1X

 

authentication and provides valid 802.1X credentials. (This is the default authenticator setting.)

 

FA: Configures the port for “Force Authorized”, which allows access to any device connected to

 

the port, regardless of whether it meets 802.1X criteria. (You can still configure console, Telnet, or

 

SSH security on the port.)

 

FU: Configures the port for “Force Unauthorized”, which blocks access to any device connected

 

to the port, regardless of whether the device meets 802.1X criteria.

 

 

Authenticator State

Connecting: A client is connected to the port, but has not received 802.1X authentication.

 

Force Unauth: Indicates the “Force Unauthorized” state. Blocks access to the network, regardless

 

of whether the client supports 802.1X authentication or provides 802.1X credentials.

 

Force Auth: Indicates the “Force Authorized” state. Grants access to any device connected to the

 

port. The device does not have to support 802.1X authentication or provide 802.1X credentials.

 

Authorized: The device connected to the port supports 802.1X authentication, has provided 802.1X

 

credentials, and has received access to the network. This is the default state for access control.

 

Disconnected: No client is connected to the port.

 

 

Authenticator

Idle: The switch is not currently interacting with the RADIUS authentication server. Other states

Backend State

(Request, Response, Success, Fail, Timeout, and Initialize) may appear temporarily to indicate

 

interaction with a RADIUS server. However, these interactions occur quickly and are replaced by

 

Idle when completed.

8-51