HP ProCurve 2500 User Manual
49
Enhancements in Release F.05.05 through F.05.70
Enhancements in Release F.05.05 through F.05.60
Note:
If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other. However, in this case, you can improve security between authenticator ports by using the switch's Source-Port filter feature. For example, if you are using ports 1 and 2 as authenticator ports on the same Unauthorized-Client VLAN, you can configure a Source-Port filter on 1 to drop all packets from 2 and the reverse.
Multiple Authenticator Ports Using the Same Unauthorized-Client and Authorized-Client VLANs
You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1X authenticator ports configured on the switch. Similarly, you can use the same static VLAN as the Authorized-Client VLAN for all 802.1X authenticator ports configured on the switch.
Caution: Do not use the same static VLAN for both the Unauthorized-Client and the Authorized-Client VLAN. Using one VLAN for both creates a security risk by defeating the isolation of unauthenticated clients.
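The two rules above (never reuse the Unauthorized-Client VLAN as the Authorized-Client VLAN, and pair authenticator ports that share one Unauthorized-Client VLAN with mutual Source-Port drop filters) can be checked mechanically against a saved configuration. The script below is an added example, not part of the manual; its config excerpt is constructed, and the `aaa port-access authenticator ... unauth-vid ... auth-vid` and `filter source-port ... drop ...` line shapes are an assumption modelled on the ProCurve CLI, so adjust the regexes to your switch's actual output.

```python
"""Audit 802.1X Open VLAN Mode settings in a ProCurve-style running config."""
import re
from itertools import combinations

# Constructed sample config excerpt (hypothetical, not a real switch's output).
SAMPLE_CONFIG = """
aaa port-access authenticator 1 unauth-vid 10 auth-vid 20
aaa port-access authenticator 2 unauth-vid 10 auth-vid 20
aaa port-access authenticator 3 unauth-vid 30 auth-vid 30
filter source-port 1 drop 2
"""

# Assumed line shapes; the real CLI also accepts port ranges, which are not parsed here.
AUTH_RE = re.compile(r"aaa port-access authenticator (\d+) unauth-vid (\d+) auth-vid (\d+)")
FILTER_RE = re.compile(r"filter source-port (\d+) drop ([\d,]+)")


def parse(config):
    """Return {port: (unauth_vid, auth_vid)} and the set of (src, dst) drop filters."""
    ports, drops = {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTH_RE.match(line)
        if m:
            port, uvid, avid = (int(x) for x in m.groups())
            ports[port] = (uvid, avid)
            continue
        m = FILTER_RE.match(line)
        if m:
            src = int(m.group(1))
            drops.update((src, int(dst)) for dst in m.group(2).split(","))
    return ports, drops


def audit(config):
    """List violations of the two isolation rules for Open VLAN Mode."""
    ports, drops = parse(config)
    findings = []
    # Rule 1 (Caution): one VLAN for both roles defeats isolation of unauthenticated clients.
    for port, (uvid, avid) in sorted(ports.items()):
        if uvid == avid:
            findings.append(f"port {port}: unauth-vid and auth-vid are both VLAN {uvid}")
    # Rule 2 (Note): ports sharing an Unauthorized-Client VLAN need drop filters in both directions.
    for a, b in combinations(sorted(ports), 2):
        if ports[a][0] == ports[b][0] and not ({(a, b), (b, a)} <= drops):
            findings.append(f"ports {a} and {b} share Unauthorized-Client VLAN "
                            f"{ports[a][0]} without mutual source-port drop filters")
    return findings
```

Run against the sample, port 3 trips the Caution and ports 1 and 2 are flagged because only the 1-to-2 filter is present.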
Effect of Failed Client Authentication Attempt
When there is an Unauthorized-Client VLAN configured on an 802.1X authenticator port, an unauthorized client connected to the port has access only to the network resources belonging to the Unauthorized-Client VLAN. (There can be an exception to this rule if the port is also a tagged member of a statically configured VLAN. Refer to the Caution on page 45.) This access continues until the client disconnects from the port. (If there is no Unauthorized-Client VLAN configured on the authenticator port, the port simply blocks access for any unauthorized client that cannot be authenticated.)
Sources for an IP Address Configuration for a Client Connected to a Port Configured for 802.1X Open VLAN Mode
A client can either acquire an IP address from a DHCP server or have a preconfigured, manual IP address before connecting to the switch.
802.1X Supplicant Software for a Client Connected to a Port Configured for 802.1X Open VLAN Mode
A friendly client, without 802.1X supplicant software, connecting to an authenticator port must be able to download this software from the Unauthorized-Client VLAN before authentication can begin.
Condition
Rule