Access Security Guide K/KA/KB.15.15

Rule: Temporary VLAN membership during a client session
Condition: Port membership in a VLAN assigned to operate as the Unauthorized-Client VLAN is temporary, and ends when the client receives authentication or the client disconnects from the port, whichever is first. In the case of the multiple clients allowed on switches covered in this guide, the first client to authenticate determines the untagged VLAN membership for the port until all clients have disconnected. Any other clients that cannot operate in that VLAN are blocked at that point.
Port membership in a VLAN assigned to operate as the Authorized-Client VLAN ends when the client disconnects from the port. If a VLAN assignment from a RADIUS server is used instead, the same rule applies. In the case of the multiple clients allowed on switches, the port maintains the same VLAN as long as there is any authenticated client using the VLAN. When the last client disconnects, the port reverts to only the VLANs for which it is statically configured as a member.

Rule: Effect of Unauthorized-Client VLAN session on untagged port VLAN membership
Condition: When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). While the Unauthorized-Client VLAN is in use, the port does not access any other VLANs.
If the client disconnects, the port leaves the Unauthorized-Client VLAN and re-acquires membership in all the statically configured VLANs to which it belongs.
If the client becomes authenticated, the port leaves the Unauthorized-Client VLAN and joins the appropriate VLAN. See “VLAN membership priorities” (page 343).
In the case of the multiple clients allowed on switches, if an authenticated client is already using the port for a different VLAN, then any other unauthenticated clients needing to use the Unauthorized-Client VLAN are blocked.

Rule: Effect of Authorized-Client VLAN session on untagged port VLAN membership
Condition: When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Authorized-Client VLAN (also untagged). While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN.
When the authenticated client disconnects, the switch removes the port from the Authorized-Client VLAN and moves it back to the untagged membership in the statically configured VLAN. After client authentication, the port resumes any tagged VLAN memberships for which it is already configured.
NOTE: This rule assumes:
- No alternate VLAN has been assigned by a RADIUS server.
- No other authenticated clients are already using the port.

Rule: Multiple Authenticator ports using the same Unauthorized-Client and Authorized-Client VLANs
Condition: You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1X authenticator ports configured on the switch. Similarly, you can use the same static VLAN as the Authorized-Client VLAN for all 802.1X authenticator ports configured on the switch.
CAUTION: Do not use the same static VLAN for both the unauthorized-client VLAN and the authorized-client VLAN. Using one VLAN for both creates a security risk by defeating the isolation of unauthenticated clients.

Rule: Effect of failed Client Authentication attempt
Condition: This rule assumes no other authenticated clients are already using the port on a different VLAN.
When there is an Unauthorized-Client VLAN configured on an 802.1X authenticator port, an unauthorized client connected to the port has access only to the network resources belonging to the Unauthorized-Client VLAN. This access continues until the client
346 IPv4 Access Control Lists (ACLs)
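The rules in this table amount to a small state machine for the untagged and tagged VLAN membership of one authenticator port. The model below is an added example written for this page, not switch firmware or any HP/Aruba code. Port names, client names and VLAN numbers are constructed; the treatment of a RADIUS-assigned VLAN as taking the place of the Authorized-Client VLAN follows the "VLAN membership priorities" reference rather than anything shown here, and the constructor rejects the configuration that the CAUTION warns against (one VLAN for both roles).

```python
"""Model of the Open VLAN Mode port rules above (constructed example)."""
from typing import Dict, List, Optional, Set, Tuple


class OpenVlanPort:
    """One 802.1X authenticator port with an Unauthorized-Client VLAN and an
    Authorized-Client VLAN configured (model only, not switch firmware)."""

    def __init__(self, static_untagged: int, static_tagged: Set[int],
                 unauth_vlan: int, auth_vlan: int) -> None:
        if unauth_vlan == auth_vlan:
            # The CAUTION in the table: one VLAN for both roles defeats the
            # isolation of unauthenticated clients, so refuse the config.
            raise ValueError("Unauthorized- and Authorized-Client VLAN must differ")
        self.static_untagged = static_untagged
        self.static_tagged = set(static_tagged)
        self.unauth_vlan = unauth_vlan
        self.auth_vlan = auth_vlan
        self.session_vlan: Optional[int] = None    # untagged VLAN set by the first client
        self.session_authenticated = False         # True once an authenticated client fixed it
        self.clients: Dict[str, str] = {}          # client -> "unauth" | "auth" | "blocked"

    def membership(self) -> Tuple[int, Set[int]]:
        """(untagged VLAN, tagged VLANs) the port currently has access to."""
        if self.session_vlan is None:
            return self.static_untagged, set(self.static_tagged)   # static config
        if not self.session_authenticated:
            return self.session_vlan, set()    # Unauthorized-Client VLAN: no other VLANs
        return self.session_vlan, set(self.static_tagged)          # tagged memberships resume

    def connect(self, client: str) -> str:
        """An unauthenticated client attaches; returns the client's state."""
        if self.session_vlan is None:
            self.session_vlan = self.unauth_vlan   # port moves to Unauthorized-Client VLAN
            self.session_authenticated = False
            state = "unauth"
        elif not self.session_authenticated:
            state = "unauth"       # joins the existing unauthenticated session
        else:
            state = "blocked"      # an authenticated client holds a different VLAN
        self.clients[client] = state
        return state

    def authenticate(self, client: str, radius_vlan: Optional[int] = None) -> str:
        """Client passes 802.1X; a RADIUS-assigned VLAN replaces the Authorized-Client VLAN."""
        target = radius_vlan if radius_vlan is not None else self.auth_vlan
        if not self.session_authenticated:
            # First client to authenticate determines the port's untagged VLAN;
            # clients that cannot operate in that VLAN are blocked from then on.
            self.session_vlan = target
            self.session_authenticated = True
            for other, state in self.clients.items():
                if other != client and state == "unauth":
                    self.clients[other] = "blocked"
            state = "auth"
        else:
            state = "auth" if target == self.session_vlan else "blocked"
        self.clients[client] = state
        return state

    def disconnect(self, client: str) -> None:
        """Port keeps the session VLAN until every client has disconnected."""
        self.clients.pop(client, None)
        if not self.clients:
            self.session_vlan = None           # revert to statically configured VLANs
            self.session_authenticated = False


def scenario() -> List[Tuple[str, object]]:
    """Walk the table's rules on one port with constructed VLAN ids."""
    port = OpenVlanPort(static_untagged=10, static_tagged={20, 30},
                        unauth_vlan=99, auth_vlan=100)
    trace: List[Tuple[str, object]] = [("idle", port.membership())]
    port.connect("pc-a")
    port.connect("pc-b")                                   # shares the unauthenticated session
    trace.append(("two unauth", port.membership()))
    port.authenticate("pc-a")                              # first to authenticate fixes VLAN 100
    trace.append(("pc-a auth", port.membership()))
    trace.append(("pc-b now", port.clients["pc-b"]))       # cannot operate in VLAN 100
    trace.append(("pc-c connect", port.connect("pc-c")))   # new unauthenticated client
    port.disconnect("pc-a")
    trace.append(("pc-a gone", port.membership()))         # other clients still attached
    port.disconnect("pc-b")
    port.disconnect("pc-c")
    trace.append(("all gone", port.membership()))          # back to static VLANs
    port.connect("pc-d")
    port.authenticate("pc-d", radius_vlan=200)             # RADIUS assignment wins
    trace.append(("radius", port.membership()))
    trace.append(("pc-e mismatch", port.authenticate("pc-e")))  # would need VLAN 100
    return trace


if __name__ == "__main__":
    for label, observation in scenario():
        print(f"{label:>14}: {observation}")
```

Running the script prints the membership after each step; the interesting transitions are the loss of all tagged access while the Unauthorized-Client VLAN is in use, its return once the first client authenticates, and the port holding VLAN 100 after that client leaves because blocked clients are still attached.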