HP ProCurve 2500 User Manual

Enhancements in Release F.05.05 through F.05.70
Enhancements in Release F.05.05 through F.05.60
General Setup Procedure for Port-Based Access Control (802.1X)
Do These Steps Before You Configure 802.1X Operation
1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, HP recommends that you use a local username and password pair at least until your other security measures are in place.)
2. Determine which ports on the switch you want to operate as authenticators and/or supplicants, and disable LACP on these ports. (See the “Note on 802.1X and LACP” on page -35.)
3. Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for clients that are not running 802.1X supplicant software. (This will require you to provide downloadable software that the client can use to enable an authentication session.) For more on this topic, refer to “802.1X Open VLAN Mode” on page -44.
4. For each port you want to operate as a supplicant, determine a username and password pair. You can either use the same pair for each port or use unique pairs for individual ports or subgroups of ports. (This can also be the same local username/password pair that you assign to the switch.)
5. Unless you are using only the switch’s local username and password for 802.1X authentication, configure at least one RADIUS server to authenticate access requests coming through the ports on the switch from external supplicants (including switch ports operating as 802.1X supplicants). You can use up to three RADIUS servers for authentication; one primary and two backups. Refer to the documentation provided with your RADIUS application.
Overview: Configuring 802.1X Authentication on the Switch
1. Enable 802.1X authentication on the individual ports you want to serve as authenticators. On the ports you will use as authenticators, either accept the default 802.1X settings or change them, as necessary. Note that, by default, the port-control parameter is set to auto for all ports on the switch. This requires a client to support 802.1X authentication and to provide valid credentials to get network access. Refer to page -39.
2. If you want to provide a path for clients without 802.1X supplicant software to download the software so that they can initiate an authentication session, enable the 802.1X Open VLAN mode on the ports you want to support this feature. Refer to page 44.
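
The "Do These Steps Before You Configure 802.1X Operation" checklist above, encoded as a pre-flight check over a deployment plan. This is an added example, not taken from the HP manual; the Dot1xPlan fields, the preflight function and the sample addresses are hypothetical, and the code models the checklist rather than switch CLI syntax.

```python
from dataclasses import dataclass

MAX_RADIUS_SERVERS = 3  # from the page: one primary and two backups


@dataclass
class Dot1xPlan:
    """Deployment plan; every field name here is hypothetical."""
    operator_login_set: bool
    manager_login_set: bool
    authenticator_ports: set
    supplicant_ports: set
    lacp_ports: set               # ports where LACP is still enabled
    supplicant_credentials: dict  # port -> (username, password)
    radius_servers: list
    local_auth_only: bool = False


def preflight(plan):
    """Return (severity, check, detail) tuples; an empty list means ready."""
    out = []
    # Step 1: a recommendation on the page, so report it as a warning.
    if not (plan.operator_login_set and plan.manager_login_set):
        out.append(("WARN", "local-credentials", "set Operator and Manager logins"))
    # Step 2: LACP must be disabled on every authenticator or supplicant port.
    dot1x_ports = plan.authenticator_ports | plan.supplicant_ports
    for port in sorted(dot1x_ports & plan.lacp_ports):
        out.append(("FAIL", "lacp", f"disable LACP on port {port}"))
    # Step 4: each supplicant port needs a username and password pair.
    for port in sorted(plan.supplicant_ports):
        user, password = plan.supplicant_credentials.get(port, ("", ""))
        if not (user and password):
            out.append(("FAIL", "supplicant-credentials", f"port {port} has no pair"))
    # Step 5: one to three RADIUS servers unless only local auth is used.
    count = len(plan.radius_servers)
    if count > MAX_RADIUS_SERVERS:
        out.append(("FAIL", "radius", f"{count} servers planned, limit is {MAX_RADIUS_SERVERS}"))
    elif count == 0 and not plan.local_auth_only:
        out.append(("FAIL", "radius", "no RADIUS server and not local-only"))
    return out


# Constructed sample plan (addresses are from the 192.0.2.0/24 documentation range).
SAMPLE = Dot1xPlan(
    operator_login_set=True, manager_login_set=False,
    authenticator_ports={1, 2, 3, 4}, supplicant_ports={25},
    lacp_ports={3, 10, 25}, supplicant_credentials={},
    radius_servers=["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"],
)

if __name__ == "__main__":
    for severity, check, detail in preflight(SAMPLE):
        print(f"{severity:4} {check}: {detail}")
```

Port 10 in the sample has LACP enabled but is not an 802.1X port, so it is not reported.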