76Configuring 802.1XThis chapter describes how to configure 802.1X on an HP device.HP implementation of 802.1XAccess control methodsHP implements port-based access control as defined in the 802.1X protocol, and extends the protocol tosupport MAC-based access control.• Port-based access control—Once an 802.1X user passes authentication on a port, any subsequentuser can access the network through the port without authentication. When the authenticated userlogs off, all other users are logged off.• MAC-based access control—Each user is separately authenticated on a port. When a user logs off,no other online users are affected.Using 802.1X authentication with other featuresVLAN assignmentYou can configure the authentication server to assign a VLAN for an 802.1X user that has passedauthentication. The way that the network access device handles VLANs on an 802.1X-enabled portdiffers by 802.1X access control mode.Access control VLAN manipulationPort-basedAssigns the VLAN to the port as the port VLAN (PVID). The authenticated 802.1X userand all subsequent 802.1X users can access the VLAN without authentication.When the user logs off, the previous PVID restores, and all other online users arelogged off.MAC-based• If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC addressof each user to the VLAN assigned by the authentication server. The PVID of the portdoes not change. When a user logs off, the MAC-to-VLAN mapping for the user isremoved.• If the port is an access, trunk, or MAC-based VLAN disabled hybrid port, assignsthe first authenticated user's VLAN to the port as the PVID. If a different VLAN isassigned for a subsequent user, the user cannot pass the authentication.With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. Afterthe assignment, do not re-configure the port as a tagged member in the VLAN.On a periodic online user re-authentication enabled port, if a user has been online before you enable theMAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the userunless the user passes re-authentication and the VLAN for the user has changed.For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN SwitchingConfiguration Guide.
