This section describes how to use the 802.1X Open VLAN mode to provide a path for clients that need to acquire 802.1X supplicant software before proceeding with the authentication process. The Open VLAN mode involves options for configuring unauthorized-client and authorized-client VLANs on ports configured as 802.1X authenticators.
Configuring the 802.1X Open VLAN mode on a port changes how the port responds when it detects a new client. In earlier releases, a “friendly” client computer not running 802.1X supplicant software could not be authenticated on a port protected by 802.1X access security. As a result, the port would become blocked and the client could not access the network. This prevented the client from:
- Acquiring IP addressing from a DHCP server
- Downloading the 802.1X supplicant software necessary for an authentication session
The 802.1X Open VLAN mode solves this problem by temporarily suspending the port’s static VLAN memberships and placing the port in a designated Unauthorized-Client VLAN (sometimes termed a guest VLAN). In this state the client can proceed with initialization services, such as acquiring IP addressing and 802.1X client software, and starting the authentication process.
Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. The port also becomes an untagged member of one VLAN according to the following order of options:
- 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during client authentication.
- 2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port’s 802.1X configuration as an Authorized-Client VLAN, if configured.
- 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN.
A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will be an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN.
NOTE: After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port is a tagged member of the VLAN selected under the 1st or 2nd priority listed above, it also operates as an untagged member of that VLAN while the client is connected. When the client disconnects, the port reverts to tagged membership in the VLAN.
You can apply the 802.1X Open VLAN mode in more than one way. Depending on your use, you will need to create one or two static VLANs on the switch for exclusive use by per-port 802.1X Open VLAN mode authentication:
- Unauthorized-Client VLAN: Configure this VLAN when unauthenticated, friendly clients will need access to some services before being authenticated or instead of being authenticated.
- Authorized-Client VLAN: Configure this VLAN for authenticated clients when the port is not statically configured as an untagged member of a VLAN you want clients to use, or when the port is statically configured as an untagged member of a VLAN you do not want clients to use. (A port can be configured as untagged on only one port-based VLAN. When an Authorized-Client VLAN is configured, it will always be untagged and will block the port from using a statically configured, untagged membership in another VLAN.) Note that after client authentication, the port returns to membership in any tagged VLANs for which it is configured. See the note above.
802.1X per-port configuration

802.1X per-port configuration | Port response
---|---
No Open VLAN mode | The port automatically blocks a client that cannot initiate an authentication session.
Open VLAN mode with both an Unauthorized-Client VLAN and an Authorized-Client VLAN configured | Unauthorized-Client VLAN: a client that has not yet authenticated, or cannot authenticate, is placed on this VLAN and the port's static VLAN memberships are suspended. Authorized-Client VLAN: after successful authentication the port becomes an untagged member of this VLAN (a RADIUS-assigned VLAN takes precedence) and resumes its static tagged memberships.
Open VLAN mode with only an Unauthorized-Client VLAN configured | Unauthenticated clients are placed on the Unauthorized-Client VLAN. After successful authentication the port joins the RADIUS-assigned VLAN if one is supplied; otherwise it returns to its statically configured untagged VLAN.
Open VLAN mode with only an Authorized-Client VLAN configured | A client that cannot authenticate is blocked. After successful authentication the port becomes an untagged member of the Authorized-Client VLAN (a RADIUS-assigned VLAN takes precedence) and resumes its static tagged memberships.
Condition for authorized client and unauthorized client VLANs

Condition | Rule
---|---
Static VLANs used as authorized-client or unauthorized-client VLANs | These must be configured on the switch before you configure an 802.1X authenticator port to use them. (Use the
VLAN assignment received from a RADIUS server | If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because membership in both VLANs is untagged, and the switch allows only one untagged, port-based VLAN membership per port. For example, suppose you configured port A4 to place authenticated supplicants in VLAN 20. If a RADIUS server authenticates supplicant “A” and assigns this supplicant to VLAN 50, then the port can access VLAN 50 as an untagged member while the client session is running. When the client disconnects from the port, the port drops these assignments and uses the untagged VLAN memberships for which it is statically configured. (After client authentication, the port resumes any tagged VLAN memberships for which it is already configured.)
Temporary VLAN membership during a client session | A port placed in an Authorized-Client VLAN or a RADIUS-assigned VLAN is an untagged member of that VLAN only for the duration of the authenticated session. When the client disconnects, the port drops the assignment and returns to its statically configured VLAN memberships.
Effect of unauthorized-client VLAN session on untagged port VLAN membership | While an Unauthorized-Client VLAN is in use on a port, the port's statically configured VLAN memberships are temporarily suspended and the port operates only as an untagged member of the Unauthorized-Client VLAN.
Effect of authorized-client VLAN session on untagged port VLAN membership | While an authenticated client is connected, the port is an untagged member of the Authorized-Client VLAN (or of a RADIUS-assigned VLAN) and is temporarily suspended from any statically configured untagged VLAN membership. Statically configured tagged memberships resume.
Multiple authenticator ports using the same unauthorized-client and authorized-client VLANs | You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1X authenticator ports configured on the switch. Similarly, you can use the same static VLAN as the Authorized-Client VLAN for all 802.1X authenticator ports configured on the switch.
Effect of failed client authentication attempt (this rule assumes no other authenticated clients are already using the port on a different VLAN) | When there is an Unauthorized-Client VLAN configured on an 802.1X authenticator port, an unauthorized client connected to the port has access only to the network resources belonging to the Unauthorized-Client VLAN. This access continues until the client disconnects from the port. (If there is no Unauthorized-Client VLAN configured on the authenticator port, the port simply blocks access for any unauthorized client.)
Effect of RADIUS-assigned VLAN (this rule assumes no other authenticated clients are already using the port on a different VLAN) | The port joins the RADIUS-assigned VLAN as an untagged member.
IP addressing for a client connected to a port configured for 802.1X Open VLAN mode | A client can either acquire an IP address from a DHCP server or use a manually configured IP address before connecting to the switch.
802.1X supplicant software for a client connected to a port configured for 802.1X Open VLAN mode | A friendly client, without 802.1X supplicant software, connecting to an authenticator port must be able to download this software from the Unauthorized-Client VLAN before authentication can begin.
Switch with a port configured to allow multiple authorized-client sessions | When a new client is authenticated on a given port, it must operate on the same untagged VLAN as the clients already authenticated on that port: the first client to authenticate fixes that VLAN, and any client still using the Unauthorized-Client VLAN is blocked.
Limitation on using an unauthorized-client VLAN on an 802.1X port configured to allow multiple-client access | You can optionally enable switches to allow up to 32 clients per port. The Unauthorized-Client VLAN feature can operate on an 802.1X-configured port regardless of how many clients the port is configured to support. However, all clients on the same port must operate through the same untagged VLAN membership. (See MAC-based VLANs.) This means that any client accessing a given port must be able to authenticate and operate on the same VLAN as any other previously authenticated clients that are currently using the port. Thus, an Unauthorized-Client VLAN configured on a switch port that allows multiple 802.1X clients cannot be used if there is already an authenticated client using the port on another VLAN. Also, a client using the Unauthorized-Client VLAN will be blocked when another client becomes authenticated on the port. For this reason, the best utilization of the Unauthorized-Client VLAN feature is in instances where only one client is allowed per port. Otherwise, unauthenticated clients are subject to being blocked at any time by authenticated clients using a different VLAN. (Using the same VLAN for authenticated and unauthenticated clients can create a security risk and is not recommended.)

NOTE: If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other.
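The VLAN-selection rules in the table above, together with the multi-client behaviour, as an added Python model. This is example code written for this page, not HP switch software; `PortConfig`, `OpenVlanPort`, the VLAN IDs, MAC addresses and client limit are constructed for the example, and no particular switch model is assumed. It lets you write down a sequence of client events on an authenticator port and check the untagged/tagged state the port should end up in before you test on hardware.

```python
"""Model of the 802.1X Open VLAN mode VLAN-selection rules described above.

Added example, not HP switch code: it encodes the stated rules (RADIUS-assigned
VLAN before Authorized-Client VLAN before static untagged VLAN, the
Unauthorized-Client VLAN fallback, resumption of tagged memberships, one untagged
VLAN per port for all clients). VLAN IDs and MAC addresses are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PortConfig:
    static_untagged: Optional[int]                 # untagged port-based VLAN in the static config
    static_tagged: Set[int] = field(default_factory=set)
    unauth_vid: Optional[int] = None               # Unauthorized-Client VLAN (None = not configured)
    auth_vid: Optional[int] = None                 # Authorized-Client VLAN (None = not configured)
    client_limit: int = 1                          # authenticated clients allowed per port (1..32)


@dataclass
class PortState:
    untagged: Optional[int]                        # VLAN the port is currently untagged in
    tagged: Set[int]                               # VLANs the port is currently tagged in
    authenticated: Dict[str, Optional[int]] = field(default_factory=dict)  # mac -> session VLAN
    unauthenticated: Set[str] = field(default_factory=set)                # macs on the guest VLAN


class OpenVlanPort:
    def __init__(self, cfg: PortConfig) -> None:
        self.cfg = cfg
        self.state = PortState(cfg.static_untagged, set(cfg.static_tagged))

    def _authorized_vid(self, radius_vid: Optional[int]) -> Optional[int]:
        """1st priority RADIUS, 2nd auth-vid, 3rd the port's static untagged VLAN."""
        if radius_vid is not None:
            return radius_vid
        return self.cfg.auth_vid if self.cfg.auth_vid is not None else self.cfg.static_untagged

    def _guest_or_static(self) -> None:
        """No authenticated session: guest VLAN if a guest is present (all static memberships,
        tagged ones included, suspended), otherwise the static configuration."""
        if self.state.unauthenticated:
            self.state.untagged, self.state.tagged = self.cfg.unauth_vid, set()
        else:
            self.state.untagged, self.state.tagged = self.cfg.static_untagged, set(self.cfg.static_tagged)

    def connect_unauthenticated(self, mac: str) -> bool:
        """A client without a supplicant (or not yet authenticated) appears on the port."""
        if self.cfg.unauth_vid is None or self.state.authenticated:
            return False   # no guest VLAN, or an authenticated client already owns the untagged VLAN
        self.state.unauthenticated.add(mac)
        self._guest_or_static()
        return True

    def authenticate(self, mac: str, radius_vid: Optional[int] = None) -> bool:
        st = self.state
        vid = self._authorized_vid(radius_vid)
        in_use = set(st.authenticated.values())
        if len(st.authenticated) >= self.cfg.client_limit or (in_use and vid not in in_use):
            st.unauthenticated.discard(mac)   # all clients on a port share the VLAN the first one got
            return False
        st.authenticated[mac] = vid
        st.unauthenticated.clear()            # guests are blocked once any client authenticates
        st.untagged, st.tagged = vid, set(self.cfg.static_tagged)   # tagged memberships resume
        return True

    def lose_authentication(self, mac: str) -> None:
        """Session ends without the link dropping (e.g. re-authentication fails)."""
        st = self.state
        st.authenticated.pop(mac, None)
        if st.authenticated:
            return                            # must re-enter as a new client on the port
        if self.cfg.unauth_vid is not None:
            st.unauthenticated.add(mac)       # port reverts to the Unauthorized-Client VLAN
        self._guest_or_static()

    def disconnect(self, mac: str) -> None:
        st = self.state
        st.authenticated.pop(mac, None)
        st.unauthenticated.discard(mac)
        if not st.authenticated:
            self._guest_or_static()           # session assignments are dropped


def single_client_scenario() -> List[Tuple[Optional[int], List[int]]]:
    """Port untagged in VLAN 1, tagged in 30, unauth-vid 80, auth-vid 81 (constructed)."""
    port = OpenVlanPort(PortConfig(static_untagged=1, static_tagged={30}, unauth_vid=80, auth_vid=81))

    def snap() -> Tuple[Optional[int], List[int]]:
        return port.state.untagged, sorted(port.state.tagged)

    trace = []
    port.connect_unauthenticated("00:11:22:33:44:01")       # guest VLAN 80, tagged 30 suspended
    trace.append(snap())
    port.authenticate("00:11:22:33:44:01")                  # no RADIUS VLAN -> auth-vid 81, tagged 30 back
    trace.append(snap())
    port.disconnect("00:11:22:33:44:01")                     # back to static: untagged 1, tagged 30
    trace.append(snap())
    port.authenticate("00:11:22:33:44:02", radius_vid=30)    # RADIUS wins; port also untagged in 30
    trace.append(snap())
    return trace
```

`single_client_scenario()` returns `[(80, []), (81, [30]), (1, [30]), (30, [30])]`, which is the sequence the priority list and the note above describe. Driving `OpenVlanPort` with `client_limit` greater than 1 shows the limitation row of the table: once one client is authenticated, `connect_unauthenticated` is refused and a second client whose RADIUS VLAN differs from the first client's cannot authenticate.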
Preparation:
This section assumes use of both the unauthorized-client and authorized-client VLANs.
Before you configure the 802.1X Open VLAN mode on a port:
- Statically configure an Unauthorized-Client VLAN in the switch. The only ports that should belong to this VLAN are ports offering services and access you want available to unauthenticated clients. (802.1X authenticator ports do not have to be members of this VLAN.)
CAUTION: Do not allow any port memberships or network services on this VLAN that would pose a security risk if exposed to an unauthorized client.
- Statically configure an Authorized-Client VLAN in the switch. The only ports that should belong to this VLAN are ports offering services and access you want available to authenticated clients. 802.1X authenticator ports do not have to be members of this VLAN.
Note that if an 802.1X authenticator port is an untagged member of another VLAN, the port’s access to that other VLAN will be temporarily removed while an authenticated client is connected to the port.
For example, if:
- Port 5 is an untagged member of VLAN 1 (the default VLAN).
- You configure port 5 as an 802.1X authenticator port.
- You configure port 5 to use an Authorized-Client VLAN.
Then, if a client connects to port 5 and is authenticated, port 5 becomes an untagged member of the Authorized-Client VLAN and is temporarily suspended from membership in the default VLAN.
- If you expect friendly clients to connect without having 802.1X supplicant software running, provide a server on the Unauthorized-Client VLAN for downloading 802.1X supplicant software to the client, and a procedure by which the client initiates the download.
- A client must either have a valid IP address configured before connecting to the switch, or download one through the Unauthorized-Client VLAN from a DHCP server. In the latter case, you will need to provide DHCP services on the Unauthorized-Client VLAN.
- Ensure that the switch is connected to a RADIUS server configured to support authentication requests from clients using ports configured as 802.1X authenticators. (The RADIUS server should not be on the Unauthorized-Client VLAN.)
NOTE: As an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Also, you must use 802.1X supplicant software that supports the use of local switch passwords.
CAUTION: Ensure that you do not introduce a security risk by allowing Unauthorized-Client VLAN access to network services or resources that could be compromised by an unauthorized client.
These steps enable 802.1X authentication, and must be done before configuring 802.1X VLAN operation.
1. Enable 802.1X authentication on the individual ports you want to serve as authenticators. (The switch automatically disables LACP on the ports on which you enable 802.1X.) On the ports you will use as authenticators with VLAN operation, ensure that the port-control parameter is set to auto (the default). (See Enable 802.1X authentication on selected ports.) This setting requires a client to support 802.1X authentication (with 802.1X supplicant operation) and to provide valid credentials to get network access.
Syntax: aaa port-access authenticator <port-list>
2. Configure the 802.1X authentication type. Options include local, eap-radius and chap-radius.
Syntax: aaa authentication port-access < local | eap-radius | chap-radius >
3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP addresses on the switch.
Syntax: radius host <ip-addr> [oobm] [key <key-string>]
Adds a server to the RADIUS configuration. The oobm option specifies that the RADIUS traffic will go through the out-of-band management (OOBM) port. The key option is optional and specifies an encryption key for use with the specified server. This key must match the key used on the RADIUS server. Use this option only if the specified server requires a different key than the one configured as the global encryption key. The tilde (~) character is allowed in the string. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
Syntax: [no] radius-server key <key-string>
Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server-specific key. This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. The tilde (~) character is allowed in the string, for example, radius-server key hp~switch. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character. The no form of the command removes the global encryption key.
4. Activate authentication on the switch.
Syntax: aaa port-access authenticator active
5. Test both the authorized and unauthorized access to your system to ensure that the 802.1X authentication works properly on the ports you have configured for port-access.
NOTE: If you want to implement the optional port-security feature on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. Then see Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices.
After you complete the steps above, the configured ports are enabled for 802.1X authentication (without VLAN operation), and you are ready to configure VLAN operation.
Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, see Setting up and configuring 802.1X Open VLAN mode.
Syntax: aaa port-access authenticator <port-list> [unauth-vid <vlan-id>] [auth-vid <vlan-id>]
For example, suppose you want to configure 802.1X port-access with Open VLAN mode on ports 10-20, using VLAN 80 as the Unauthorized-Client VLAN and VLAN 81 as the Authorized-Client VLAN:
HP Switch(config)# aaa authentication port-access eap-radius
HP Switch(config)# aaa port-access authenticator 10-20
HP Switch(config)# radius host 10.28.127.101 key rad4all
Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all.
HP Switch(config)# aaa port-access authenticator e 10-20 unauth-vid 80
HP Switch(config)# aaa port-access authenticator e 10-20 auth-vid 81
HP Switch(config)# aaa port-access authenticator active
For information and an example on viewing current Open VLAN mode operation, see Viewing 802.1X Open VLAN mode status.
- Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended. Using the same VLAN for both purposes gives unauthenticated clients access to a VLAN intended only for authenticated clients, which is a security exposure.
- While an Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the port from any other statically configured VLAN for which that port is configured as a member. Note that the Menu interface will still display the port’s statically configured VLAN(s).
- A VLAN used as the Unauthorized-Client VLAN should not allow access to resources that must be protected from unauthenticated clients.
- If a port is configured as a tagged member of VLAN “X”, then the port returns to tagged membership in VLAN “X” upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN “Y”. Note that if RADIUS assigns VLAN “X” as an authorized VLAN, then the port becomes an untagged member of VLAN “X” for the duration of the client connection. (If there is no Authorized-Client or RADIUS-assigned VLAN, then an authenticated client without tagged VLAN capability can access only a statically configured, untagged VLAN on that port.)
- When a client’s authentication attempt on an Unauthorized-Client VLAN fails, the port remains a member of the Unauthorized-Client VLAN until the client disconnects from the port.
- During an authentication session on a port in 802.1X Open VLAN mode, if RADIUS specifies membership in an untagged VLAN, this assignment overrides port membership in the Authorized-Client VLAN. If there is no Authorized-Client VLAN configured, then the RADIUS assignment overrides any untagged VLAN for which the port is statically configured.
- If the only authenticated client on a port loses authentication during a session in 802.1X Open VLAN mode, the port VLAN membership reverts to the Unauthorized-Client VLAN. If there is no Unauthorized-Client VLAN configured, then the client loses access to the port until it can reauthenticate itself. If multiple clients are authenticated on the port and one of them loses access and attempts to re-authenticate, that client is handled as a new client on the port.
- The first client to authenticate on a port configured to support multiple clients determines the port’s VLAN membership for any subsequent clients that authenticate while an active session is already in effect.