Access Security Guide K/KA/KB.15.15

3. 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have
a static, untagged VLAN membership in its configuration, then the switch assigns the port to
this VLAN.
A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will
be an untagged member of the VLAN for the duration of the authenticated session. This applies
even if the port is also configured in the switch as a tagged member of the same VLAN.
NOTE: On HP switches, using the same port for both RADIUS-assigned clients and clients using
a configured, Authorized-Client VLAN is not recommended. Doing so can result in authenticated
clients with mutually exclusive VLAN priorities, meaning some authenticated clients can be denied
access to the port. See Figure 250 (page 340).
Figure 250 Priority of VLAN assignment for an authenticated client
General operating rules and notes
• In the user-based mode, when there is an authenticated client on a port, the following traffic
  movement is allowed:
  ◦ Multicast and broadcast traffic
  ◦ Unicast traffic to authenticated clients
  ◦ All traffic from authenticated clients
• When a port on the switch is configured as either an authenticator or supplicant and is
  connected to another device, rebooting the switch causes a re-authentication of the link.
• Using user-based 802.1X authentication, when a port on the switch is configured as an
  authenticator, the port allows only authenticated clients up to the currently configured client
  limit.
• For clients without proper 802.1X supplicant software, the optional 802.1X Open VLAN mode
  can be used to open a path for downloading 802.1X supplicant software to a client or to
  provide other services for unauthenticated clients. See “802.1X Open VLAN mode” (page 342).
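
The following Python model is an added illustration, not HP code or switch output: it applies the VLAN priority order to successive clients on one port, showing the conflict the NOTE above warns about and the effect of the client limit. It assumes a RADIUS-assigned VLAN takes precedence over the Authorized-Client VLAN; the class, field names, MAC addresses and VLAN IDs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Port:
    """Simplified model of one authenticator port in user-based mode."""
    static_untagged: Optional[int] = None   # static, untagged VLAN membership
    auth_vid: Optional[int] = None          # Authorized-Client VLAN, if configured
    client_limit: int = 2                   # configured client limit
    sessions: Dict[str, int] = field(default_factory=dict)  # client MAC -> VLAN

    def resolve_vlan(self, radius_vid: Optional[int]) -> Optional[int]:
        # Assumed order: RADIUS-assigned VLAN, then Authorized-Client VLAN,
        # then the static untagged VLAN (the 3rd priority in the text).
        for vid in (radius_vid, self.auth_vid, self.static_untagged):
            if vid is not None:
                return vid
        return None

    def authenticate(self, mac: str, radius_vid: Optional[int] = None) -> str:
        if len(self.sessions) >= self.client_limit:
            return "denied: client limit reached"
        vid = self.resolve_vlan(radius_vid)
        if vid is None:
            return "denied: no VLAN resolved"  # model assumption, not from the guide
        in_use = set(self.sessions.values())
        # The port is an untagged member of one VLAN for the duration of the
        # authenticated sessions, so a client that resolves to a different
        # VLAN cannot be admitted while those sessions last.
        if in_use and vid not in in_use:
            return f"denied: port is untagged in VLAN {next(iter(in_use))}"
        self.sessions[mac] = vid
        return f"allowed: VLAN {vid}"


def mixed_port_demo() -> list:
    # Constructed scenario: one port serves both kinds of client.
    port = Port(static_untagged=1, auth_vid=20, client_limit=4)
    return [
        port.authenticate("00:00:5e:00:53:01"),                 # falls back to auth_vid
        port.authenticate("00:00:5e:00:53:02", radius_vid=30),  # RADIUS assigns 30
        port.authenticate("00:00:5e:00:53:03", radius_vid=20),  # RADIUS assigns 20
    ]


if __name__ == "__main__":
    for line in mixed_port_demo():
        print(line)
```

The second client is refused even though it authenticated successfully, which is the outcome to look for when a port mixes RADIUS-assigned and Authorized-Client VLAN clients.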