KB.15.15

ManualsBrandsHP ManualsNetwork HardwareHP 5406R-8XGT/8SFP+ (No PSU) v2 zl2 Switch

101

102

103

104

105

106

107

108

109

110

The switch passes the supplied username and password to the RADIUS server for authentication

and displays the following progress message:

Figure 64 Progress message during authentication

If the client is authenticated and the maximum number of clients allowed on the port

(client-limit) has not been reached, the port is assigned to a static, untagged VLAN for

network access. After a successful login, a client can be redirected to a URL if you specify a URL

value (redirect-url) when you configure web-based authentication.

Figure 65 Authentication completed

Order of priority for assigning VLANS

The assigned VLAN is determined, in order of priority, as follows:

1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs

to this VLAN and temporarily drops all other VLAN memberships.

2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port

belongs to the authorized VLAN (auth-vid if configured) and temporarily drops all other

VLAN memberships.

3. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured,

port-based VLAN, then the port remains in this VLAN.

4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically

configured, untagged VLANs and client access is blocked.

The assigned port VLAN remains in place until the session ends. Clients can be forced to

reauthenticate after a fixed period of time (reauth-period) or at any time during a session

(reauthenticate). An implicit logoff period can be set if there is no activity from the client after

a given amount of time (logoff-period). In addition, a session ends if the link on the port is

lost, requiring reauthentication of all clients. Also, if a client moves from one port to another and

client moves have not been enabled (-client-moves) on the ports, the session ends and the

client must reauthenticate for network access. At the end of the session the port returns to its

pre-authentication state. Any changes to the port's VLAN memberships made while it is an authorized

port take affect at the end of the session.

A client can not be authenticated due to invalid credentials or a RADIUS server timeout. The

max-retries parameter specifies how many times a client can enter their credentials before

authentication fails. The server-timeoutparameter sets how long the switch waits to receive

a response from the RADIUS server before timing out. The max-requests parameter specifies

how many authentication attempts can result in a RADIUS server timeout before authentication

fails. The switch waits a specified amount of time (quiet-period) before processing any new

authentication requests from the client.

Network administrators can assign unauthenticated clients to a specific static, untagged VLAN

(unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to

unauthenticated clients the port is blocked and no network access is available. Should another

client successfully authenticate through that port any unauthenticated clients on the unauth-vid

are dropped from the port.

Overview 101