Access Security Guide K/KA/KB.15.15

Unauthenticated (guest) VLAN access
When a PC is connected through an IP phone to a switch port that has been authorized using
802.1X or Web/MAC authentication, the IP phone is authenticated using client-based 802.1X or
Web/MAC authentication and has access to secure, tagged VLANs on the port. If the PC is
unauthenticated, it needs access to the insecure guest VLAN (unauthenticated VLAN) that has
been configured for 802.1X or Web/MAC authentication. 802.1X and Web/MAC authentication
normally do not allow authenticated clients (the phone) and unauthenticated clients (the PC) on
the same port.
Mixed port access mode allows 802.1X and Web/MAC authenticated and unauthenticated clients
on the same port when the guest VLAN is the same as the port's current untagged authenticated
VLAN for authenticated clients, or when none of the authenticated clients are authorized on the
untagged authenticated VLAN. Instead of having just one client per port, multiple clients can use
the guest VLAN.
Authenticated clients always have precedence over unauthenticated clients if access to a client's
untagged VLAN requires removal of a guest VLAN from the port. If an authenticated client becomes
authorized on its untagged VLAN as the result of initial authentication or because of an untagged
packet from the client, then all 802.1X or Web/MAC authenticated guests are removed from the
port and the port becomes an untagged member of the client's untagged VLAN.
Characteristics of mixed port access mode
• The port keeps tagged VLAN assignments continuously.
• The port sends broadcast traffic from the VLANs even when there are only guests authorized
on the port.
• Guests cannot be authorized on any tagged VLANs.
• Guests can use the same bandwidth, rate limits and QoS settings that may be assigned for
authenticated clients on the port (via RADIUS attributes).
• When no authenticated clients are authorized on the untagged authenticated VLAN, the port
becomes an untagged member of the guest VLAN for as long as no untagged packets are
received from any authenticated clients on the port.
• New guest authorizations are not allowed on the port if at least one authenticated client is
authorized on its untagged VLAN and the guest VLAN is not the same as the authenticated
client's untagged VLAN.
NOTE: Disabling mixed port access mode does not automatically remove guests that have
already been authorized on a port where an authenticated client exists. New guests are not
allowed after the change, but the existing authorized guests remain authorized on the port until
they are removed by a new authentication, an untagged authorization, a port state change, and
so on.
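As an added illustration (not the switch's own code; the class, method names and VLAN IDs 10 and 50 are assumptions), the following Python model encodes the mixed port access mode rules above and walks the IP phone plus PC case:

```python
from dataclasses import dataclass, field


@dataclass
class MixedModePort:
    """Model (assumed names) of one 802.1X/Web/MAC authenticator port in mixed port access mode."""
    guest_vlan: int                                   # configured unauthenticated (guest) VLAN
    auth_clients: dict = field(default_factory=dict)  # MAC -> untagged VLAN, or None if tagged-only
    guests: set = field(default_factory=set)          # MACs currently authorized as guests

    def _auth_untagged_vids(self):
        """VLANs on which authenticated clients are authorized untagged."""
        return {v for v in self.auth_clients.values() if v is not None}

    def untagged_vlan(self):
        """The port's untagged membership: the authenticated clients' untagged VLAN
        if one is in use, otherwise the guest VLAN while any guest is authorized."""
        vids = self._auth_untagged_vids()
        if vids:
            return min(vids)  # assumption: all authenticated clients share one untagged VLAN
        return self.guest_vlan if self.guests else None

    def guest_allowed(self):
        """A new guest is refused when an authenticated client holds the untagged
        VLAN and that VLAN differs from the guest VLAN."""
        vids = self._auth_untagged_vids()
        return not vids or vids == {self.guest_vlan}

    def add_guest(self, mac):
        if not self.guest_allowed():
            return False
        self.guests.add(mac)
        return True

    def authorize(self, mac, untagged_vlan=None):
        """An authenticated client becomes authorized (initial authentication or
        first untagged packet). Authenticated clients take precedence: guests are
        removed only when the guest VLAN must leave the port to admit the client."""
        if untagged_vlan is not None and untagged_vlan != self.guest_vlan:
            self.guests.clear()
        self.auth_clients[mac] = untagged_vlan
        return self.untagged_vlan()


def phone_and_pc_scenario():
    """The IP phone + PC case from the text, using constructed VLAN IDs 50 (guest) and 10."""
    port = MixedModePort(guest_vlan=50)
    port.authorize("phone")                        # phone: authorized on tagged voice VLAN only
    trace = [("pc_guest", port.add_guest("pc"), port.untagged_vlan())]
    trace.append(("laptop", port.authorize("laptop", untagged_vlan=10), sorted(port.guests)))
    trace.append(("pc_again", port.add_guest("pc"), port.untagged_vlan()))
    return trace
```

The trace shows the PC admitted as a guest while only the phone is authenticated, then evicted and refused once a client is authorized untagged on a VLAN other than the guest VLAN.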
802.1X Open VLAN mode
This section describes using the 802.1X Open VLAN mode to provide a path for clients that need
to acquire 802.1X supplicant software before proceeding with the authentication process. The
Open VLAN mode involves options for configuring unauthorized-client and authorized-client VLANs
on ports configured as 802.1X authenticators.
Configuring the 802.1X Open VLAN mode on a port changes how the port responds when it
detects a new client. In earlier releases, a "friendly" client computer not running 802.1X supplicant
software could not be authenticated on a port protected by 802.1X access security. As a result,
the port would become blocked and the client could not access the network. This prevented the
client from:
• Acquiring IP addressing from a DHCP server
• Downloading the 802.1X supplicant software necessary for an authentication session
342 IPv4 Access Control Lists (ACLs)