Access Security Guide K/KA/KB.15.15

Table 35 802.1X Open VLAN mode options (continued)

802.1X per-port configuration: ... Unauthorized-Client VLAN configured (row continued from the previous page)

Port response:

... should include only what a client needs to enable an authentication session. If the port is statically configured as an untagged member of another VLAN, the switch temporarily removes the port from membership in this other VLAN while membership in the Unauthorized-Client VLAN exists.

After the client is authenticated, and if the port is statically configured as an untagged member of another VLAN, the port's access to this other VLAN is restored.

If RADIUS authentication assigns the port to a VLAN, this assignment overrides any statically configured, untagged VLAN membership on the port while the client is connected.

If the port is statically configured as a tagged member of a VLAN, the port returns to tagged membership in this VLAN upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. Note that if the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection.

Note for a port configured to allow multiple client sessions: If any previously authenticated clients are using a port assigned to a VLAN other than the Unauthorized-Client VLAN (such as a RADIUS-assigned VLAN), then a later client that is not running 802.1X supplicant software is blocked on the port until all other, authenticated clients on the port have disconnected.

802.1X per-port configuration: Open VLAN mode with only an Authorized-Client VLAN configured

Port response:

The port automatically blocks a client that cannot initiate an authentication session.

If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.

If the port is statically configured as a tagged member of any other VLAN, the port returns to tagged membership in this VLAN upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection.

An Authorized-Client VLAN configuration can be overridden by a RADIUS authentication that assigns a VLAN.
Operating rules for Authorized-Client and Unauthorized-Client VLANs

Condition: Static VLANs used as Authorized-Client or Unauthorized-Client VLANs

Rule: These must be configured on the switch before you configure an 802.1X authenticator port to use them. Use the vlan <vlan-id> command or the VLAN Menu screen in the Menu interface.

Condition: VLAN assignment received from a RADIUS server

Rule: If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because membership in both VLANs is untagged, and the switch allows only one untagged, port-based VLAN membership per port.

For example, suppose you configured port A4 to place authenticated supplicants in VLAN 20. If a RADIUS server authenticates supplicant "A" and assigns this supplicant to VLAN 50, then the port can access VLAN 50 as an untagged member while the client session is running. When the client disconnects from the port, the port drops these assignments and uses the untagged VLAN memberships for which it is statically configured. After client authentication, the port resumes any tagged VLAN memberships for which it is already configured.
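The membership rules in Table 35 and in the operating rules above, as an added example (not code from the switch firmware or from this guide): a Python model of which VLANs a port is in before authentication, during an authenticated session, and after the client disconnects, plus the multi-client rule for a later client without supplicant software. The port A4 / VLAN 20 / VLAN 50 case from the text is carried through; the static untagged VLAN 1, static tagged VLAN 10 and Unauthorized-Client VLAN 30 are assumed values, and treating static tagged memberships as suspended before authentication is a modelling assumption taken from the statement that they return on success.

```python
"""Model of the Open VLAN mode membership rules described in the text.

Added example, not switch code. Assumed simplification: a port has at most
one static untagged (port-based) VLAN, any number of static tagged VLANs,
an optional Authorized-Client VLAN (auth_vid) and an optional
Unauthorized-Client VLAN (unauth_vid). A RADIUS-assigned VLAN, when present,
is applied untagged for the life of the client session.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PortConfig:
    static_untagged: Optional[int]            # static untagged VLAN, or None
    static_tagged: frozenset = frozenset()    # static tagged VLANs
    auth_vid: Optional[int] = None            # Authorized-Client VLAN
    unauth_vid: Optional[int] = None          # Unauthorized-Client VLAN


@dataclass(frozen=True)
class Membership:
    untagged: Optional[int]
    tagged: frozenset
    blocked: bool = False   # True: the port forwards no traffic for this client


def before_authentication(cfg: PortConfig) -> Membership:
    """Membership while a client that has not (yet) authenticated is on the port."""
    if cfg.unauth_vid is None:
        # Only an Authorized-Client VLAN (or neither) configured: a client that
        # cannot start an authentication session is blocked.
        return Membership(untagged=None, tagged=frozenset(), blocked=True)
    # The port is temporarily removed from its static untagged VLAN while it is
    # in the Unauthorized-Client VLAN. Static tagged memberships are modelled
    # as suspended as well (assumption: the text says they "return" on success).
    return Membership(untagged=cfg.unauth_vid, tagged=frozenset())


def after_authentication(cfg: PortConfig, radius_vid: Optional[int] = None) -> Membership:
    """Membership for the duration of an authenticated client session."""
    if radius_vid is not None:
        untagged = radius_vid            # RADIUS overrides auth_vid and static untagged
    elif cfg.auth_vid is not None:
        untagged = cfg.auth_vid          # otherwise the Authorized-Client VLAN
    else:
        untagged = cfg.static_untagged   # otherwise static untagged access is restored
    # Static tagged memberships resume. A port cannot be both tagged and
    # untagged in the same VLAN, so a tagged VLAN that RADIUS assigns becomes
    # the port's untagged VLAN for the session instead.
    tagged = cfg.static_tagged - {untagged}
    return Membership(untagged=untagged, tagged=tagged)


def after_disconnect(cfg: PortConfig) -> Membership:
    """Session-scoped assignments are dropped; the static configuration applies."""
    return Membership(untagged=cfg.static_untagged, tagged=cfg.static_tagged)


def non_supplicant_blocked(cfg: PortConfig, active_session_vids: Iterable[int]) -> bool:
    """Multi-client port: is a new client without supplicant software held off?

    active_session_vids are the untagged VLANs of clients already authenticated
    on the port. Any of them outside the Unauthorized-Client VLAN blocks the
    newcomer until those clients disconnect.
    """
    if cfg.unauth_vid is None:
        return True   # no Unauthorized-Client VLAN to place it in
    return any(vid != cfg.unauth_vid for vid in active_session_vids)


if __name__ == "__main__":
    # Constructed example following the text: port A4 with auth_vid 20, plus
    # assumed static untagged VLAN 1, static tagged VLAN 10 and unauth_vid 30.
    a4 = PortConfig(static_untagged=1, static_tagged=frozenset({10}),
                    auth_vid=20, unauth_vid=30)
    print("before auth:      ", before_authentication(a4))
    print("auth, no RADIUS:  ", after_authentication(a4))
    print("auth, RADIUS 50:  ", after_authentication(a4, radius_vid=50))
    print("auth, RADIUS 10:  ", after_authentication(a4, radius_vid=10))
    print("after disconnect: ", after_disconnect(a4))
    print("non-supplicant held off while a RADIUS client is in VLAN 50:",
          non_supplicant_blocked(a4, [50]))
```

The model makes the precedence explicit: a RADIUS-assigned VLAN beats the Authorized-Client VLAN, which beats the static untagged VLAN, and all three are untagged, so only one can apply at a time. It also shows the two cases that surprise people in practice: a RADIUS-assigned VLAN the port is already tagged in collapses to untagged membership for the session, and on a multi-client port one RADIUS-placed client is enough to keep a non-supplicant device off the Unauthorized-Client VLAN.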