Re: ProCurve 2910AL

 
groque
Frequent Advisor

ProCurve 2910AL

Hi all,

By looking at the new ProCurve 2910AL I am now convinced that ProCurve is the way to go for an access layer switch solution.

I have a question in regards to this feature.

"Multiple IEEE 802.1X users per port: provides authentication of up to eight IEEE 802.1X users per port; prevents user "piggybacking" on another user's IEEE 802.1X authentication"

Does this feature allow me to have a multihost connection with up to 8 users? For example, some of my offices have 1 wall jack (it plugs into a random port on a 3Com switch) and 2 to 4 people share the same jack (I put an unmanaged switch there). My goal is to have everybody authenticate via 802.1X.

I was looking at the Catalyst 2960, and its multihost function will allow 1 user to authenticate; after they authenticate, everybody else that plugs into the switch will automatically have network access. I want to prevent this.

Does this "Multiple 802.1X users per port" feature allow me to authenticate each 802.1X connection separately? What I mean by that is, for example, if Joe authenticates to the port and Sally plugs in right after, she will be denied network access until she authenticates.

The term "piggybacking" (in the feature description) confused me. I think piggybacking is what they call a multihost connection, where one user authenticates and whoever plugs in after doesn't have to.

Sorry guys, I kind of rushed my explanation here; if anybody needs me to elaborate, just let me know. I definitely want to purchase this switch; if this feature is what I think it is, it's going to make my day a lot better.

Thanks guys

Cheers
cenk sasmaztin
Honored Contributor

Re: ProCurve 2910AL

hi

2910 switch one port more than 8 users 802.1x connection piggybacking feature

If you want to connect 4 users on the same port (with an unmanaged switch) and have every user individually authorized via RADIUS, it is possible.

My advice: on 2910 switch port 10 (where the unmanaged switch is connected), configure an 802.1X client limit. The authenticator is enabled on the port first, then the limit is set on that same port (the client limit is an option of the port's authenticator command, not a separate command):

(config)# aaa port-access authenticator 10
(config)# aaa port-access authenticator 10 client-limit 4

In this way only four clients can connect on this port, and each client is authorized individually.

Note: all clients must be in the same VLAN.


****************************************
User Authentication Methods
The switch offers two methods for using 802.1X access control. Generally, the "Port-Based" method supports one 802.1X-authenticated client on a port, which opens the port to an unlimited number of clients. The "User-Based" method supports up to eight 802.1X-authenticated clients on a port. In both cases, there are operating details to be aware of that can influence your choice of methods.
802.1X User-Based Access Control
802.1X operation with access control on a per-user basis provides client-level security that allows LAN access to individual 802.1X clients (up to eight per port), where each client gains access to the LAN by entering valid user credentials. This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated. All sessions must use the same untagged VLAN. Also, an authenticated client can use any tagged VLAN memberships statically configured on the port, provided the client is configured to use the tagged VLAN memberships available on the port. (Note that the session total includes any sessions begun by the Web Authentication or MAC Authentication features covered in chapter 3.) For more information, refer to "Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices" on page 12-47.
802.1X Port-Based Access Control
802.1X port-based access control provides port-level security that allows LAN access only on ports where a single 802.1X-capable client (supplicant) has entered authorized RADIUS user credentials. For reasons outlined below, this option is recommended for applications where only one client at a time can connect to the port. Using this option, the port processes all traffic as if it comes from the same client. Thus, in a topology where multiple clients can connect to the same port at the same time:
- If the first client authenticates and opens the port, and then another client authenticates, the port responds as if the original client has initiated a reauthentication. With multiple clients authenticating on the port, the RADIUS configuration response to the latest client authentication replaces any other configuration from an earlier client authentication. If all clients use the same configuration this should not be a problem. But if the RADIUS server responds with different configurations for different clients, then the last client authenticated will effectively lock out any previously authenticated client. When any client to authenticate closes its session, the port will also close and remain so until another client successfully authenticates.
- The most recent client authentication determines the untagged VLAN membership for the port. Also, any client able to use the port can access any tagged VLAN memberships statically configured on the port, provided the client is configured to use the available, tagged VLAN memberships.
- If the first client authenticates and opens the port, and then one or more other clients connect without trying to authenticate, then the port configuration as determined by the original RADIUS response remains unchanged and all such clients will have the same access as the authenticated client. When the authenticated client closes the session, the port will also be closed to any other, unauthenticated clients that may have also been using the port.
This operation unblocks the port while an authenticated client session is in progress. In topologies where simultaneous, multiple client access is possible this can allow unauthorized and unauthenticated access by another client while an authenticated client is using the port. If you want to allow only authenticated clients on the port, then user-based access control (page 12-4) should be used instead of port-based access control. Using the user-based method enables you to specify up to eight authenticated clients.
cenk
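To make the difference between the two modes in the quoted manual text concrete (the "piggybacking" the original poster asked about, the client limit from the reply, and the same-untagged-VLAN rule), here is a small Python model of the behaviour described above. It is an added illustration written for this thread, not ProCurve firmware or HP code; the MAC addresses, usernames, passwords and the RADIUS table are constructed sample data, and the VLAN-mismatch handling in user-based mode is an assumption about how "all sessions must use the same untagged VLAN" is enforced.

```python
"""Toy model of 802.1X port-based vs user-based access control as described
in the ProCurve manual excerpt. Illustrative only; not switch firmware."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed RADIUS "database": username -> (password, untagged VLAN returned).
RADIUS_USERS = {
    "joe": ("joe-pass", 10),
    "sally": ("sally-pass", 10),
    "guest": ("guest-pass", 20),   # different VLAN, to show the mismatch cases
}


def radius_auth(user: str, password: str) -> Optional[int]:
    """Return the VLAN to assign on success, None on a failed authentication."""
    rec = RADIUS_USERS.get(user)
    return rec[1] if rec and rec[0] == password else None


@dataclass
class PortBasedPort:
    """Port-based mode: once one supplicant authenticates, all traffic on the
    port is handled as if it came from that client."""
    auth_client: Optional[str] = None   # MAC of the supplicant that opened the port
    vlan: Optional[int] = None

    def authenticate(self, mac: str, user: str, password: str) -> bool:
        vlan = radius_auth(user, password)
        if vlan is None:
            return False
        # A later authentication is treated like a reauthentication: the newest
        # RADIUS response replaces whatever an earlier client received.
        self.auth_client, self.vlan = mac, vlan
        return True

    def allows(self, mac: str) -> bool:
        # Any MAC passes while the port is open, authenticated or not.
        return self.auth_client is not None

    def logoff(self, mac: str) -> None:
        if mac == self.auth_client:
            # The port closes for everyone, including unauthenticated riders.
            self.auth_client, self.vlan = None, None


@dataclass
class UserBasedPort:
    """User-based mode: one session per MAC, at most client_limit sessions,
    all sharing one untagged VLAN."""
    client_limit: int = 8
    sessions: Dict[str, int] = field(default_factory=dict)   # MAC -> VLAN

    def authenticate(self, mac: str, user: str, password: str) -> bool:
        if mac not in self.sessions and len(self.sessions) >= self.client_limit:
            return False                      # client-limit reached
        vlan = radius_auth(user, password)
        if vlan is None:
            return False
        # Assumption: a RADIUS VLAN that differs from the existing sessions'
        # untagged VLAN is rejected rather than re-homing the port.
        if self.sessions and set(self.sessions.values()) != {vlan}:
            return False
        self.sessions[mac] = vlan
        return True

    def allows(self, mac: str) -> bool:
        return mac in self.sessions           # only authenticated MACs pass

    def logoff(self, mac: str) -> None:
        self.sessions.pop(mac, None)          # other sessions are unaffected


JOE, SALLY, GUEST = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"


def piggyback_demo() -> Dict[str, bool]:
    """Joe authenticates, Sally plugs in without authenticating."""
    pb, ub = PortBasedPort(), UserBasedPort(client_limit=4)
    pb.authenticate(JOE, "joe", "joe-pass")
    ub.authenticate(JOE, "joe", "joe-pass")
    return {"port_based": pb.allows(SALLY), "user_based": ub.allows(SALLY)}


def client_limit_demo() -> int:
    """Five distinct MACs try to authenticate behind a client-limit of 4."""
    ub = UserBasedPort(client_limit=4)
    macs = [f"00:11:22:33:55:{i:02x}" for i in range(5)]
    return sum(ub.authenticate(m, "joe", "joe-pass") for m in macs)


def vlan_mismatch_demo() -> Dict[str, object]:
    """Joe (VLAN 10) is on the port, then a VLAN-20 user authenticates."""
    pb, ub = PortBasedPort(), UserBasedPort()
    pb.authenticate(JOE, "joe", "joe-pass")
    ub.authenticate(JOE, "joe", "joe-pass")
    pb.authenticate(GUEST, "guest", "guest-pass")   # replaces Joe's config
    admitted = ub.authenticate(GUEST, "guest", "guest-pass")
    return {"port_based_vlan": pb.vlan, "user_based_guest_admitted": admitted}


def logoff_demo() -> bool:
    """Port-based: does Sally keep access after Joe, who opened the port, logs off?"""
    pb = PortBasedPort()
    pb.authenticate(JOE, "joe", "joe-pass")
    pb.logoff(JOE)
    return pb.allows(SALLY)


if __name__ == "__main__":
    print(piggyback_demo())      # {'port_based': True, 'user_based': False}
    print(client_limit_demo())   # 4
    print(vlan_mismatch_demo())  # {'port_based_vlan': 20, 'user_based_guest_admitted': False}
    print(logoff_demo())         # False
```

The first demo is the scenario from the question: behind an unmanaged switch, port-based mode lets Sally ride on Joe's session, while user-based mode keeps her blocked until she authenticates herself. The other three show the client limit from the reply, the "last authentication wins" replacement of the port's VLAN in port-based mode, and the port closing for everyone when the authenticated client leaves.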