13-5
Configuring Port-Based and User-Based Access Control (802.1X)
Terminology
Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a
conventional, static VLAN previously configured on the switch by the
System Administrator. The intent in using this VLAN is to provide authen-
ticated clients with network services that are not available on either the
port’s statically configured VLAN memberships or any VLAN member-
ships that may be assigned during the RADIUS authentication process.
While an 802.1X port is a member of this VLAN, the port is untagged. When
a port loses its authenticated client connection, it drops its membership
in this VLAN. Note that with multiple clients on a port, all such clients use
the same untagged, port-based VLAN membership.
Authentication Server: The entity providing an authentication service to
the switch when the switch is configured to operate as an authenticator.
In the case of a switch running 802.1X, this is a RADIUS server (unless
local authentication is used, in which case the switch performs this
function using its own username and password for authenticating a
supplicant).
Authenticator: In HP applications, a switch that requires a supplicant to
provide the proper credentials before being allowed access to the net-
work.
CHAP (MD5): Challenge Handshake Authentication Protocol.
Client: In this application, an end-node device such as a management station,
workstation, or mobile PC linked to the switch through a point-to-point
LAN link.
User-Based Authentication: The 802.1X extension in the switches covered
in this guide. In this operation, multiple clients on the same port must
individually authenticate themselves.
Guest VLAN: See “Unauthorized-Client VLAN”.
EAP (Extensible Authentication Protocol): EAP enables network access that
supports multiple authentication methods.
EAPOL: Extensible Authentication Protocol Over LAN,
as defined in the
802.1X standard.
Friendly Client: A client that does not pose a security risk if given access to
the switch and your network.
MD5: An algorithm for calculating a unique digital signature over a stream of
bytes. It is used by CHAP to perform authentication without revealing the
shared secret (password).
To Next Page
Loading...
