Access Security Guide K/KA/KB.15.15

The 802.1X Open VLAN mode solves this problem by temporarily suspending the port's static
VLAN memberships and placing the port in a designated Unauthorized-Client VLAN (sometimes
termed a guest VLAN). In this state the client can proceed with initialization services, such as
acquiring IP addressing and 802.1X client software, and starting the authentication process.
NOTE: On ports configured to allow multiple sessions using 802.1X user-based access control,
all clients must use the same untagged VLAN. On a given port where there are no currently active,
authenticated clients, the first authenticated client determines the untagged VLAN in which the port
will operate for all subsequent, overlapping client sessions.
If the switch operates in an environment where some valid clients will not be running 802.1X
supplicant software and need to download it from your network, then, because such clients would
need to use the Unauthorized-Client VLAN and authenticated clients would be using a different
VLAN (for security reasons), allowing multiple clients on an 802.1X port can result in blocking
some or all clients needing to use the Unauthorized-Client VLAN.
On ports configured for port-based 802.1X access control, if multiple clients try to authenticate on
the same port, the most recently authenticated client determines the untagged VLAN membership
for that port. Clients that connect without trying to authenticate will have access to the untagged
VLAN membership that is currently assigned to the port.
VLAN membership priorities
Following client authentication, an 802.1X port resumes membership in any tagged VLANs for
which it is already assigned in the switch configuration. The port also becomes an untagged
member of one VLAN according to the following order of options:
1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during
client authentication.
2. 2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the
switch assigns the port to the VLAN entered in the port's 802.1X configuration as an
Authorized-Client VLAN, if configured.
3. 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have
a static, untagged VLAN membership in its configuration, then the switch assigns the port to
this VLAN.
A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will
be an untagged member of the VLAN for the duration of the authenticated session. This applies
even if the port is also configured in the switch as a tagged member of the same VLAN.
NOTE: After client authentication, the port resumes membership in any tagged VLANs for which
it is configured. If the port is a tagged member of the VLAN assigned for the session, it also
operates as an untagged member of that VLAN while the client is connected. When the client
disconnects, the port reverts to tagged membership in the VLAN.
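The rules described above, as a small Python model: the port sits in the Unauthorized-Client VLAN with its static memberships suspended until a client authenticates, the untagged VLAN for a session is chosen by the three-level priority (RADIUS assignment, then the Authorized-Client VLAN, then the static untagged VLAN), a port that is a tagged member of the session VLAN operates untagged there for the session and reverts afterwards, and multiple clients are handled by the first-client rule on user-based ports and the most-recent-client rule on port-based ports. This is an added example, not code from the Access Security Guide or from the switch firmware. The PortConfig fields, the class and function names, and the VLAN IDs used in walkthrough() are constructed for illustration; the return to the Unauthorized-Client VLAN after the last client disconnects is an assumption of the model rather than a statement on this page.

```python
# Added example (not switch firmware or HP/Aruba code): a model of how an 802.1X
# Open VLAN mode port chooses its untagged VLAN, following the rules in the text.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PortConfig:
    static_untagged: Optional[int] = None                   # static untagged VLAN, if any
    static_tagged: List[int] = field(default_factory=list)  # static tagged memberships
    unauth_vid: Optional[int] = None                        # Unauthorized-Client (guest) VLAN
    auth_vid: Optional[int] = None                          # Authorized-Client VLAN
    user_based: bool = False                                # True = user-based, False = port-based


class OpenVlanPort:
    """State of one 802.1X authenticator port running in Open VLAN mode."""

    def __init__(self, cfg: PortConfig) -> None:
        self.cfg = cfg
        self.sessions: Dict[str, Optional[int]] = {}  # client id -> RADIUS-assigned VID
        self.untagged: Optional[int] = None
        self.tagged: List[int] = []
        self._unauthenticated()

    def _unauthenticated(self) -> None:
        # No authenticated client: static memberships are suspended and the port sits in
        # the Unauthorized-Client VLAN (or has no untagged VLAN if none is configured).
        self.untagged = self.cfg.unauth_vid
        self.tagged = []

    def _session_vlan(self, radius_vid: Optional[int]) -> Optional[int]:
        if radius_vid is not None:          # 1st priority: VLAN assigned by RADIUS
            return radius_vid
        if self.cfg.auth_vid is not None:   # 2nd priority: Authorized-Client VLAN
            return self.cfg.auth_vid
        return self.cfg.static_untagged     # 3rd priority: static untagged VLAN (may be None)

    def _apply_untagged(self, vid: Optional[int]) -> None:
        self.untagged = vid
        # Tagged memberships resume after authentication, except that a port which is a
        # tagged member of the session VLAN operates untagged there for the session.
        self.tagged = [v for v in self.cfg.static_tagged if v != vid]

    def authenticate(self, client: str, radius_vid: Optional[int] = None) -> Optional[int]:
        """Record an authenticated session and return the port's resulting untagged VLAN."""
        self.sessions[client] = radius_vid
        if self.cfg.user_based and len(self.sessions) > 1:
            # User-based: the first authenticated client already fixed the untagged VLAN;
            # overlapping sessions operate in that VLAN.
            return self.untagged
        # Port-based (or first user-based client): this client determines the untagged VLAN.
        self._apply_untagged(self._session_vlan(radius_vid))
        return self.untagged

    def disconnect(self, client: str) -> Optional[int]:
        """End a session; after the last one ends the port returns to the unauthenticated
        state (assumed by this model: back to the Unauthorized-Client VLAN)."""
        self.sessions.pop(client, None)
        if not self.sessions:
            self._unauthenticated()
        return self.untagged


def walkthrough() -> Dict[str, object]:
    """Constructed scenarios, one per rule; returns the observed port state at each step."""
    out: Dict[str, object] = {}
    # Static untagged VLAN 1, tagged in 20 and 30, guest VLAN 99, Authorized-Client VLAN 20.
    port = OpenVlanPort(PortConfig(static_untagged=1, static_tagged=[20, 30],
                                   unauth_vid=99, auth_vid=20))
    out["before_auth"] = port.untagged                                   # 99
    out["tagged_before_auth"] = len(port.tagged)                         # 0 (suspended)
    out["radius_assigned"] = port.authenticate("pc-a", radius_vid=50)    # 50, 1st priority
    out["tagged_during_radius"] = tuple(port.tagged)                     # (20, 30) resume
    port.disconnect("pc-a")
    out["auth_vid_used"] = port.authenticate("pc-b")                     # 20, 2nd priority
    out["tagged_during_auth_vid"] = tuple(port.tagged)                   # (30,): 20 is untagged
    out["after_disconnect"] = port.disconnect("pc-b")                    # 99
    # No Authorized-Client VLAN and no RADIUS VLAN: 3rd priority, the static untagged VLAN.
    out["static_untagged_used"] = OpenVlanPort(
        PortConfig(static_untagged=1, unauth_vid=99)).authenticate("pc-c")   # 1
    # Port-based with two clients: the most recently authenticated client wins.
    pb = OpenVlanPort(PortConfig(static_untagged=1, unauth_vid=99))
    pb.authenticate("pc-d", radius_vid=40)
    out["port_based_latest"] = pb.authenticate("pc-e", radius_vid=60)    # 60
    # User-based with two clients: the first client fixes the VLAN for overlapping sessions.
    ub = OpenVlanPort(PortConfig(static_untagged=1, unauth_vid=99, user_based=True))
    ub.authenticate("pc-f", radius_vid=40)
    out["user_based_first"] = ub.authenticate("pc-g", radius_vid=60)     # 40
    return out


if __name__ == "__main__":
    for step, value in walkthrough().items():
        print(f"{step}: {value}")
```

The walkthrough makes the operational consequence visible: on the user-based port the second client's RADIUS assignment (VLAN 60) has no effect because the first session already fixed the port in VLAN 40, which is why the text warns against mixing Unauthorized-Client VLAN users with authenticated users on a multi-session port.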
Use models for 802.1X Open VLAN modes
You can apply the 802.1X Open VLAN mode in more than one way. Depending on your use, you
will need to create one or two static VLANs on the switch for exclusive use by per-port 802.1X
Open VLAN mode authentication:
Unauthorized-Client VLAN
Configure this VLAN when unauthenticated, friendly clients will need access to some services
before being authenticated or instead of being authenticated.
Authorized-Client VLAN
Configure this VLAN for authenticated clients when the port is not statically configured as an
untagged member of a VLAN you want clients to use, or when the port is statically configured
as an untagged member of a VLAN you do not want clients to use. Note: A port can be
configured as untagged on only one port-based VLAN. When an Authorized-Client VLAN is
Overview 343