General 802.1X authenticator operation

This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. If you expect legitimate clients that do not yet have 802.1X supplicant software, you can give them a path for downloading it by using 802.1X Open VLAN mode, see 802.1X Open VLAN mode.

Example of the authentication process

Suppose you have configured a port on the switch for 802.1X authentication operation, which blocks access to the LAN through that port. If you then connect an 802.1X-aware client (supplicant) to the port and attempt to log on:

  1. The switch responds with an identity request.

  2. The client responds with a user name (its EAP identity) that identifies this request for the client.

  3. The switch responds in one of the following ways:

    • If 802.1X on the switch is configured for RADIUS authentication, the switch then forwards the request to a RADIUS server.

      1. The server responds with an access challenge which the switch forwards to the client.

      2. The client then provides identifying credentials (such as a user certificate), which the switch forwards to the RADIUS server.

      3. The RADIUS server then checks the credentials provided by the client. The switch only relays the EAP exchange between the client and the server; it does not validate the credentials itself.

      4. If the client is successfully authenticated and authorized to connect to the network, then the server notifies the switch to allow access to the client. Otherwise, access is denied and the port remains blocked.

    • If 802.1X on the switch is configured for local authentication, then:

      1. The switch compares the client's credentials to the username and password configured in the switch (operator level).

      2. If the client is successfully authenticated and authorized to connect to the network, then the switch allows access to the client. Otherwise, access is denied and the port remains blocked for that client.
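The RADIUS branch of the exchange above, as an added example that is not part of this manual or of HP's switch firmware: a small Python model of what the authenticator does on the wire, written from RFC 2865, RFC 3579 and RFC 3580 rather than from any HP code. It builds the supplicant's EAP-Response/Identity (step 2), wraps it in a RADIUS Access-Request with the mandatory Message-Authenticator (step 3), checks the Response Authenticator on the server's reply before trusting it (step 4), and extracts a RADIUS-assigned VLAN from the Access-Accept's tunnel attributes, which is the 1st-priority case in the VLAN membership section that follows. The shared secret, user name, NAS-Port value and the sample Access-Accept are constructed for the example; the EAP method exchange itself (challenge and credentials) is omitted.

```python
"""RADIUS side of the 802.1X exchange, per RFC 2865 / 3579 / 3580 (added example, not HP code)."""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865, RFC 2868, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 5, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6      # RFC 3580 values for a VLAN assignment

# EAP code and type (RFC 3748)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_response_identity(eap_id, identity):
    """Step 2: the supplicant's EAP-Response/Identity frame, as the switch receives it."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def _attr(atype, value):
    """One RADIUS attribute: type, length (including the 2-byte header), value."""
    assert len(value) <= 253
    return bytes([atype, len(value) + 2]) + value


def access_request(secret, ident, authenticator, user_name, nas_port, eap):
    """Step 3 (RADIUS branch): the switch wraps the EAP frame in an Access-Request.

    A request carrying EAP-Message MUST also carry Message-Authenticator (RFC 3579 s3.2):
    HMAC-MD5 over the whole packet with the attribute's 16 value bytes zeroed.
    """
    attrs = _attr(USER_NAME, user_name.encode()) + _attr(NAS_PORT, struct.pack("!I", nas_port))
    for i in range(0, len(eap), 253):            # long EAP frames are split across attributes
        attrs += _attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_response(secret, request_authenticator, packet):
    """Before acting on a reply (step 4), check its Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)  (RFC 2865 s3).
    A reply that fails this check must be discarded, never treated as an Accept."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs


def assigned_vlan(packet):
    """A RADIUS-assigned VLAN is the RFC 3580 triplet Tunnel-Type=VLAN,
    Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID="<vid>".
    Returns the VLAN ID, or None when the Accept carries no usable assignment."""
    ttype = tmedium = group = None
    for atype, val in parse_attrs(packet):
        if atype == TUNNEL_TYPE and len(val) == 4:          # 1 tag octet + 3-octet integer
            ttype = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_MEDIUM_TYPE and len(val) == 4:
            tmedium = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            group = val[1:] if val[0] <= 0x1F else val      # RFC 2868: tag octet only if <= 0x1F
    if ttype == TUNNEL_TYPE_VLAN and tmedium == TUNNEL_MEDIUM_IEEE802 and group and group.isdigit():
        vid = int(group)
        if 1 <= vid <= 4094:
            return vid
    return None


def access_accept(secret, ident, request_authenticator, vlan=None):
    """Constructed server reply (stands in for a real RADIUS server) with an optional VLAN."""
    attrs = b""
    if vlan is not None:
        attrs = (_attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                 + _attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
                 + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def demo():
    """Walk the exchange once; secret, identity and NAS-Port are constructed values."""
    secret, req_auth = b"constructed-shared-secret", os.urandom(16)
    request = access_request(secret, 7, req_auth, "alice", 3, eap_response_identity(1, "alice"))
    user = dict(parse_attrs(request))[USER_NAME].decode()
    accept = access_accept(secret, 7, req_auth, vlan=20)
    forged = accept[:4] + bytes(16) + accept[20:]   # spoofed Accept: wrong Response Authenticator
    vlan = assigned_vlan(accept) if verify_response(secret, req_auth, accept) else None
    return user, vlan, verify_response(secret, req_auth, forged)
```

The point of verify_response is the one a practitioner should check on any authenticator: an Access-Accept is only an authorization if its Response Authenticator matches the shared secret and the Request Authenticator the switch sent, so a reply the switch cannot verify is dropped rather than opening the port.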



NOTE: HP switches use either 802.1X port-based authentication or 802.1X user-based authentication. For more information, see User authentication methods.


VLAN membership priority

Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. The port also becomes an untagged member of one VLAN according to the following order of options:

  1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during client authentication.

  2. 2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port's 802.1X configuration as an Authorized-Client VLAN, if configured.

  3. 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN.

A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will be an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN.



NOTE: On HP switches, using the same port for both RADIUS-assigned clients and clients using a configured, Authorized-Client VLAN is not recommended. Doing so can result in authenticated clients with mutually exclusive VLAN priorities, meaning some authenticated clients can be denied access to the port. See Priority of VLAN assignment for an authenticated client.
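The untagged-VLAN selection described under VLAN membership priority, and the conflict the note above warns about, as an added example that is not part of this manual or of HP's switch firmware: a Python model of the three-way priority (RADIUS-assigned, Authorized-Client VLAN, static untagged), of the assigned VLAN becoming untagged even where the port is configured as a tagged member of it, and of a port under user-based authentication admitting several clients. The denial rule in admit(), that a port holds one untagged VLAN at a time and a later client whose resolved VLAN differs is refused, is this example's assumption about the behaviour the note describes; the port, VLAN numbers and MAC addresses are constructed.

```python
"""Model of untagged-VLAN selection for an authenticated 802.1X session (added example, not HP
code). The priority order is the page's; the conflict rule in admit() is an assumption."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PortConfig:
    """Static VLAN settings of one 802.1X port."""
    tagged_vlans: frozenset                     # tagged memberships resumed after authentication
    static_untagged_vlan: Optional[int] = None  # 3rd priority: static untagged membership
    auth_vid: Optional[int] = None              # 2nd priority: Authorized-Client VLAN


def resolve_untagged_vlan(port, radius_vlan):
    """Choose the session's untagged VLAN in the page's priority order.
    Returns (vlan, source); vlan is None when no option applies."""
    if radius_vlan is not None:                 # 1st priority: RADIUS-assigned VLAN
        return radius_vlan, "radius"
    if port.auth_vid is not None:               # 2nd priority: Authorized-Client VLAN
        return port.auth_vid, "auth-vid"
    if port.static_untagged_vlan is not None:   # 3rd priority: static untagged membership
        return port.static_untagged_vlan, "static"
    return None, "none"


def effective_membership(port, untagged_vlan):
    """The assigned VLAN is untagged for the session even if the port is configured as a
    tagged member of it, so it drops out of the tagged set for the duration."""
    return untagged_vlan, sorted(port.tagged_vlans - {untagged_vlan})


@dataclass
class PortState:
    """Run-time state of a port under user-based authentication (several clients per port)."""
    config: PortConfig
    untagged_vlan: Optional[int] = None
    sessions: dict = field(default_factory=dict)    # client MAC -> untagged VLAN

    def admit(self, mac, radius_vlan):
        """An authenticated client arrives. Assumption modelled here: the port is an untagged
        member of one VLAN at a time, so a later client whose resolved VLAN differs from the
        VLAN held for an active session is denied. This is the outcome the note warns about
        when one port serves both RADIUS-assigned and Authorized-Client-VLAN clients."""
        vlan, source = resolve_untagged_vlan(self.config, radius_vlan)
        if vlan is None:
            return False, "denied: no untagged VLAN available"
        if self.sessions and vlan != self.untagged_vlan:
            return False, f"denied: {source} VLAN {vlan} conflicts with active VLAN {self.untagged_vlan}"
        self.untagged_vlan = vlan
        self.sessions[mac] = vlan
        return True, f"admitted: untagged in VLAN {vlan} ({source})"


def demo():
    """Constructed scenario: port tagged in 10 and 20, static untagged VLAN 1, auth-vid 30."""
    cfg = PortConfig(tagged_vlans=frozenset({10, 20}), static_untagged_vlan=1, auth_vid=30)
    port = PortState(cfg)
    outcomes = [
        port.admit("00:11:22:33:44:01", radius_vlan=20)[0],    # RADIUS wins: port untagged in 20
        port.admit("00:11:22:33:44:02", radius_vlan=None)[0],  # falls to auth-vid 30: conflict, denied
        port.admit("00:11:22:33:44:03", radius_vlan=20)[0],    # same RADIUS VLAN: admitted
    ]
    return outcomes, effective_membership(cfg, port.untagged_vlan)
```

The second client in demo() is the case the note describes: it authenticates successfully, but because RADIUS returned no VLAN it falls to the Authorized-Client VLAN, which the port cannot hold alongside the RADIUS-assigned VLAN already in use, so it is denied despite valid credentials.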


Priority of VLAN assignment for an authenticated client