Access Security Guide K/KA/KB.15.15

configured, it will always be untagged and will block the port from using a statically configured,
untagged membership in another VLAN. After client authentication, the port returns to
membership in any tagged VLANs for which it is configured.
Table 35 802.1X Open VLAN mode options

802.1X per-port configuration: No Open VLAN mode
Port response: The port automatically blocks a client that cannot initiate an authentication session.

802.1X per-port configuration: Open VLAN mode with both of the following configured:
Port response:
Unauthorized-Client VLAN
When the port detects a client without 802.1X supplicant capability, it automatically
becomes an untagged member of this VLAN. If you previously configured the port as a
static, tagged member of the VLAN, membership temporarily changes to untagged while
the client remains unauthenticated.
If the port already has a statically configured, untagged membership in another VLAN,
then the port temporarily closes access to this other VLAN while in the Unauthorized-Client
VLAN.
To limit security risks, the network services and access available on the
Unauthorized-Client VLAN should include only what a client needs to enable an
authentication session. If the port is statically configured as a tagged member of any
other VLANs, access to these VLANs is blocked while the port is a member of the
Unauthorized-Client VLAN.
Note for a Port Configured To Allow Multiple Client Sessions: If any
previously authenticated clients are using a port assigned to a VLAN other than the
Unauthorized-Client VLAN, then a later client that is not running 802.1X supplicant software
is blocked on the port until all other, authenticated clients on the port have disconnected.
Authorized-Client VLAN
After client authentication, the port drops membership in the Unauthorized-Client VLAN
and becomes an untagged member of this VLAN.
If the client is running an 802.1X supplicant application when the authentication session
begins, and is able to authenticate itself before the switch assigns the port to the
Unauthorized-Client VLAN, then the port does not become a member of the
Unauthorized-Client VLAN. On HP switches, you can use the unauth-period command
to delay moving the port into the Unauthorized-Client VLAN.
If RADIUS authentication assigns a VLAN and there are no other authenticated clients
on the port, the port becomes a member of the RADIUS-assigned VLAN (instead of the
Authorized-Client VLAN) while the client is connected.
If the port is statically configured as a tagged member of a VLAN, and this VLAN is
used as the Authorized-Client VLAN, then the port temporarily becomes an untagged
member of this VLAN when the client becomes authenticated.
If the port is statically configured as a tagged member of a VLAN, the port returns
to tagged membership in this VLAN upon successful authentication. This happens even
if the RADIUS server assigns the port to another, authorized VLAN. If the port is already
configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN,
then the port becomes an untagged member of that VLAN for the duration of the client
connection.
802.1X per-port configuration: Open VLAN mode with only an
Port response:
When the port detects a client, it automatically becomes an untagged member of this
VLAN. To limit security risks, the network services and access available on this VLAN
344 IPv4 Access Control Lists (ACLs)
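The membership rules in Table 35 decide which VLANs a port exposes to a client at each stage of an 802.1X session, which is exactly what a reviewer wants to check before trusting the Unauthorized-Client VLAN with limited services. The following Python model is an added example, not HP code and not something that talks to a switch: it encodes the table's rules (no Open VLAN mode, the Unauthorized-Client and Authorized-Client VLANs, the multi-client note, and RADIUS VLAN assignment) so the effective untagged and tagged membership can be computed for a given static port configuration. The class and function names are this example's own, and the fallback for an authenticated client with neither an Authorized-Client nor a RADIUS VLAN is an assumption not covered by the excerpt.

```python
# Added example: model of the per-port VLAN membership rules in Table 35
# (802.1X Open VLAN mode). Not HP code; names and the fallback case marked
# below are assumptions of this model.
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class PortConfig:
    """Static VLAN and 802.1X settings of one switch port."""
    static_untagged: Optional[int] = None         # statically configured untagged VLAN
    static_tagged: FrozenSet[int] = frozenset()   # statically configured tagged VLANs
    unauth_vid: Optional[int] = None              # Unauthorized-Client VLAN (Open VLAN mode)
    auth_vid: Optional[int] = None                # Authorized-Client VLAN (Open VLAN mode)


@dataclass(frozen=True)
class Membership:
    """VLANs reachable through the port for the client under consideration."""
    untagged: Optional[int]
    tagged: FrozenSet[int]
    blocked: bool = False                         # True: the client gets no access at all


BLOCKED = Membership(untagged=None, tagged=frozenset(), blocked=True)


def unauthenticated_client(cfg: PortConfig,
                           other_clients_vids: FrozenSet[int] = frozenset()) -> Membership:
    """Membership while a client without a supplicant is attached and unauthenticated.

    other_clients_vids: untagged VLANs of clients already authenticated on a
    port that allows multiple client sessions (empty when there are none).
    """
    # No Open VLAN mode: a client that cannot start an authentication session is blocked.
    if cfg.unauth_vid is None:
        return BLOCKED
    # Multi-client note: if authenticated clients already use a VLAN other than the
    # Unauthorized-Client VLAN, a later non-supplicant client is blocked until
    # all of them have disconnected.
    if any(vid != cfg.unauth_vid for vid in other_clients_vids):
        return BLOCKED
    # The port is an untagged member of the Unauthorized-Client VLAN only: a static
    # untagged membership elsewhere is closed, static tagged memberships in other
    # VLANs are blocked, and a static tagged membership in the Unauthorized-Client
    # VLAN itself is untagged for the duration.
    return Membership(untagged=cfg.unauth_vid, tagged=frozenset())


def authenticated_client(cfg: PortConfig, radius_vid: Optional[int] = None,
                         other_clients: bool = False) -> Membership:
    """Membership once the client has authenticated.

    radius_vid: VLAN assigned by the RADIUS server, if any.
    other_clients: True when other authenticated clients are already on the port.
    """
    if radius_vid is not None and not other_clients:
        # A RADIUS-assigned VLAN replaces the Authorized-Client VLAN when the port
        # has no other authenticated clients.
        untagged = radius_vid
    elif cfg.auth_vid is not None:
        untagged = cfg.auth_vid
    else:
        # Assumption (not stated in the excerpt): with neither an Authorized-Client
        # nor a RADIUS VLAN, the port falls back to its static untagged VLAN.
        untagged = cfg.static_untagged
    # The port returns to every statically configured tagged membership, even when
    # RADIUS assigned another VLAN; a static tagged membership in the VLAN the port
    # is now untagged in becomes untagged for the duration of the connection.
    tagged = frozenset(v for v in cfg.static_tagged if v != untagged)
    return Membership(untagged=untagged, tagged=tagged)


if __name__ == "__main__":
    # Constructed sample configuration: static untagged VLAN 1, static tagged 10 and 20,
    # Unauthorized-Client VLAN 80, Authorized-Client VLAN 90.
    cfg = PortConfig(static_untagged=1, static_tagged=frozenset({10, 20}),
                     unauth_vid=80, auth_vid=90)
    print("unauthenticated:", unauthenticated_client(cfg))
    print("authenticated:  ", authenticated_client(cfg))
    print("RADIUS VLAN 20: ", authenticated_client(cfg, radius_vid=20))
```

Running the model against a port that is a static untagged member of VLAN 1 and a static tagged member of VLANs 10 and 20 shows the security-relevant gap the table describes: while the non-supplicant client is unauthenticated it sees VLAN 80 alone, with VLANs 1, 10 and 20 closed; once authenticated it is untagged in VLAN 90 (or in a RADIUS-assigned VLAN) with tagged access to 10 and 20 restored.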