Figure 18 Multiple, dual-stack clients authenticating through a single port
In this case, the RADIUS server must be configured to assign an ACL to port B1 for any authorized
clients authenticating on the port.
802.1X user-based and port-based applications
User-Based 802.1X access control allows up to 32 individually authenticated clients on a given
port. Port-Based access control does not set a client limit and requires only one authenticated client
to open a given port (and is recommended for applications where only one client at a time can
connect to the port).
•
If you configure 802.1X user-based security on a port and the RADIUS response includes a
RADIUS-assigned ACL for at least one authenticated client, the RADIUS response for all other
clients authenticated on the ports must also include a RADIUS-assigned ACL. Inbound IP traffic
on the port from a client that authenticates without receiving a RADIUS-assigned ACL is dropped
and the client de-authenticated.
•
Using 802.1X port-based security on a port where the RADIUS response to a client
authenticating includes a RADIUS-assigned ACL, different results can occur, depending on
whether any additional clients attempt to use the port and whether these other clients initiate
an authentication attempt. This option is recommended for applications where only one client
at a time can connect to the port, and not recommended for instances where multiple clients
may access the same port at the same time. For more information, see "Configuring Port-Based
Access" in the "Port-Based and User-Based Access Control (802.1X)"chapter in the latest HP
Switch Software Access Security Guide for your switch.
Considerations
•
On any port or static trunk you can apply one ACL to inbound traffic.
•
Any ACL can have multiple entries (ACEs).
•
You can apply any single ACL to multiple ports and trunks.
•
A source or destination IP address and a mask, together, can define a single host, a range
of hosts, or all hosts.
•
Before changing the content of an ACL assigned to one or more ports or trunks, first remove
the ACL from those ports or trunks.
IPv6 ACLs
61