Access Security Guide K/KA/KB.15.15

If your LAN does use multiple VLANs, then some of the following factors can apply to your
use of web-based authentication and MAC authentication.
Web-based authentication and MAC authentication operate only with port-based VLANs.
Operation with protocol VLANs is not supported, and clients do not have access to
protocol VLANs during web-based authentication and MAC authentication sessions.
A port can belong to one, untagged VLAN during any client session. Where multiple
authenticated clients can simultaneously use the same port, they must all be capable of
operating on the same VLAN.
During an authenticated client session, the following hierarchy determines a port's VLAN
membership:
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the
port belongs to this VLAN and temporarily drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the
port belongs to the authorized VLAN (if configured) and temporarily drops all other
VLAN memberships.
3. If neither 1 nor 2 applies, but the port is an untagged member of a statically
configured, port-based VLAN, then the port remains in this VLAN.
4. If none of 1, 2, or 3 applies, then the client session does not have access to
any statically configured, untagged VLAN and client access is blocked.
After an authorized client session begins on a given port, the port's VLAN membership
does not change. If other clients on the same port become authenticated with a different
VLAN assignment than the first client, the port blocks access to these other clients until
the first client session ends.
The optional "authorized" VLAN (auth-vid) and "unauthorized" VLAN (unauth-vid)
you can configure for web-based or MAC authentication must be statically configured
VLANs on the switch. Also, if you configure one or both of these options, any services
you want clients in either category to access must be available on those VLANs.
Where a given port's configuration includes an unauthorized client VLAN assignment, the
port will allow an unauthenticated client session only while there are no requests for an
authenticated client session on that port. In this case, if there is a successful request for
authentication from an authorized client, the switch terminates the unauthorized-client session
and begins the authorized-client session.
When a port on the switch is configured for web-based or MAC authentication and is
supporting a current session with another device, rebooting the switch invokes a
re-authentication of the connection.
When a port on the switch is configured as a web-based or MAC authenticator, it blocks
access to a client that does not provide the proper authentication credentials. If the port
configuration includes an optional, unauthorized VLAN (unauth-vid), the port is temporarily
placed in the unauthorized VLAN if there are no other authorized clients currently using the
port with a different VLAN assignment. If an authorized client is using the port with a different
VLAN or if there is no unauthorized VLAN configured, the unauthorized client does not receive
access to the network.
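The membership hierarchy and the multi-client rules above (one untagged VLAN per port for the duration of a session, later clients with a different assignment blocked until the first session ends, unauth-vid used only while no authorized client holds the port in another VLAN, and a successful authentication terminating the unauthenticated session) are easier to check as a small state model. The following Python is an added example written for this page, not HP/ProCurve switch code: the class and method names, the client labels and the VLAN IDs are constructed, and switch-reboot re-authentication is not modelled.

```python
# Added illustration (not ProCurve/HP code): a model of how a web-based or
# MAC-authentication port chooses its VLAN, following the rules in this section.
# Port/client names and VLAN IDs are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

BLOCKED = "blocked"        # the client gets no network access
Result = Union[int, str]   # a VLAN ID, or BLOCKED


@dataclass
class AuthPort:
    static_untagged_vid: Optional[int] = None  # untagged member of a static port-based VLAN
    auth_vid: Optional[int] = None             # optional "authorized" VLAN (auth-vid)
    unauth_vid: Optional[int] = None           # optional "unauthorized" VLAN (unauth-vid)
    sessions: Dict[str, int] = field(default_factory=dict)  # authorized client -> VLAN
    unauth_client: Optional[str] = None        # at most one unauthenticated session

    def held_vid(self) -> Optional[int]:
        """VLAN the port is currently held in by its authorized sessions, if any.

        All active authorized sessions on a port share one VLAN, so any value
        in the dict is the port's current membership.
        """
        return next(iter(self.sessions.values()), None)

    def resolve_vid(self, radius_vid: Optional[int]) -> Result:
        """Steps 1-4 of the membership hierarchy for a newly authenticated client."""
        if radius_vid is not None:                 # 1. RADIUS-assigned VLAN wins
            return radius_vid
        if self.auth_vid is not None:              # 2. otherwise the configured auth-vid
            return self.auth_vid
        if self.static_untagged_vid is not None:   # 3. otherwise the static untagged VLAN
            return self.static_untagged_vid
        return BLOCKED                             # 4. nothing to join: access is blocked

    def authenticate(self, client: str, radius_vid: Optional[int] = None) -> Result:
        """Client supplied valid credentials; returns the VLAN it lands in, or BLOCKED."""
        wanted = self.resolve_vid(radius_vid)
        if wanted == BLOCKED:
            return BLOCKED
        held = self.held_vid()
        if held is not None and held != wanted:
            # The port's membership does not change while a session is active:
            # a client with a different assignment is blocked until it ends.
            return BLOCKED
        # A successful authentication terminates any unauthenticated session.
        self.unauth_client = None
        self.sessions[client] = wanted
        return wanted

    def fail_authentication(self, client: str) -> Result:
        """Client did not authenticate; only a configured unauth-vid can give it access."""
        if self.unauth_vid is None:
            return BLOCKED
        held = self.held_vid()
        if held is not None and held != self.unauth_vid:
            # An authorized client holds the port in a different VLAN.
            return BLOCKED
        self.unauth_client = client
        return self.unauth_vid

    def end_session(self, client: str) -> None:
        """Session ended (logoff, timeout, link down); frees the port if it was the last."""
        self.sessions.pop(client, None)
        if self.unauth_client == client:
            self.unauth_client = None


def demo() -> list:
    """Walk through the multi-client edge cases described in the text."""
    port = AuthPort(static_untagged_vid=10, auth_vid=20, unauth_vid=99)
    events = []
    events.append(("A radius 30", port.authenticate("A", radius_vid=30)))   # 30
    events.append(("B no radius", port.authenticate("B")))                 # BLOCKED: would need 20
    events.append(("C radius 30", port.authenticate("C", radius_vid=30)))  # 30, same VLAN as A
    events.append(("X unauth", port.fail_authentication("X")))             # BLOCKED: port held in 30
    port.end_session("A")
    port.end_session("C")
    events.append(("X unauth again", port.fail_authentication("X")))       # 99, port is free
    events.append(("D no radius", port.authenticate("D")))                 # 20, and X is dropped
    events.append(("X still present", port.unauth_client is not None))     # False
    return events


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:16} -> {result}")
```

The practical point the model makes visible: a client that authenticates successfully can still be denied access (step 4 with no VLAN to join, or a RADIUS or auth-vid assignment that differs from the VLAN the port is already held in). When a valid user reports no connectivity on an authenticator port, check the port's current session and VLAN with the show port-access commands before assuming a credential problem.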
Web-based or MAC authentication and LACP cannot both be enabled on the same port;
the switch automatically disables LACP on ports configured for web-based or MAC
authentication.
Use the show port-access web-based commands to display session status, port-access
configuration settings, and statistics for web-based authentication sessions.
When spanning tree is enabled on a switch that uses 802.1X, web-based authentication, or
MAC authentication, loops can go undetected. For example, spanning tree packets that are