Access Security Guide K/KA/KB.15.15

Condition / Rule

Rule (continued): disconnects from the port. (If there is no Unauthorized-Client VLAN configured on the authenticator port, the port simply blocks access for any unauthorized client.)

Condition: Effect of RADIUS-assigned VLAN
Rule: The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN.

Condition: IP addressing for a client connected to a port configured for 802.1X Open VLAN mode
Rule: A client can either acquire an IP address from a DHCP server or use a manually configured IP address before connecting to the switch.

Condition: 802.1X supplicant software for a client connected to a port configured for 802.1X Open VLAN mode
Rule: A friendly client without 802.1X supplicant software that connects to an authenticator port must be able to download this software from the Unauthorized-Client VLAN before authentication can begin.

Condition: Switch with a port configured to allow multiple Authorized-Client sessions
Rule: When a new client is authenticated on a given port:
If no other clients are authenticated on that port, then the port joins one VLAN in the following order of precedence:
1. A RADIUS-assigned VLAN, if configured.
2. An Authenticated-Client VLAN, if configured.
3. A static, port-based VLAN to which the port belongs as an untagged member.
4. Any VLAN(s) to which the port is configured as a tagged member (provided that the client can operate in that VLAN).
If another client is already authenticated on the port, then the port is already assigned to a VLAN for the previously existing client session, and the new client must operate in this same VLAN, regardless of other factors. This means that a client without 802.1X client authentication software cannot access a configured Unauthorized-Client VLAN if another, authenticated client is already using the port.
You can optionally enable switches to allow up to 32 clients per port.

Condition: Note: Limitation on using an Unauthorized-Client VLAN on an 802.1X port configured to allow multiple-client access
Rule: The Unauthorized-Client VLAN feature can operate on an 802.1X-configured port regardless of how many clients the port is configured to support. However, all clients on the same port must operate through the same untagged VLAN membership. This means that any client accessing a given port must be able to authenticate and operate on the same VLAN as any other previously authenticated clients that are currently using the port.
Thus, an Unauthorized-Client VLAN configured on a switch port that allows multiple 802.1X clients cannot be used if there is already an authenticated client using the port on another VLAN. Also, a client using the Unauthorized-Client VLAN will be blocked when another client becomes authenticated on the port. For this reason, the best utilization of the Unauthorized-Client VLAN feature is in instances where only one client is allowed per port. Otherwise, unauthenticated clients are subject to being blocked at any time by authenticated clients using a different VLAN. Note: Using the same VLAN for authenticated and unauthenticated clients can create a security risk and is not recommended.
NOTE: If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports,
unauthenticated clients on different ports can communicate with each other.
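The VLAN-selection precedence and the multi-client blocking rule above are easy to misread, so here is an added Python model of them (constructed for this guide, not switch firmware). It assumes a simplified Port with one untagged VLAN per port and a client_can_use set standing in for "the client can operate in that tagged VLAN".

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Port:
    """An 802.1X authenticator port in Open VLAN mode (constructed model)."""
    static_untagged_vlan: Optional[int]
    tagged_vlans: List[int] = field(default_factory=list)
    unauthorized_client_vlan: Optional[int] = None
    authenticated_client_vlan: Optional[int] = None
    max_clients: int = 1                 # the guide allows up to 32
    active_vlan: Optional[int] = None    # untagged VLAN held by authenticated clients
    authenticated: int = 0
    unauthenticated: int = 0

def connect_unauthenticated(port: Port) -> Optional[int]:
    """A client without a supplicant arrives. It lands on the Unauthorized-Client
    VLAN only if that VLAN exists and no authenticated client already holds the
    port on a different VLAN; otherwise the port blocks it (returns None)."""
    uvlan = port.unauthorized_client_vlan
    if uvlan is None or (port.active_vlan is not None and port.active_vlan != uvlan):
        return None
    port.unauthenticated += 1
    return uvlan

def authenticate(port: Port, radius_vlan: Optional[int] = None,
                 client_can_use: Optional[Set[int]] = None) -> Optional[int]:
    """A client passes 802.1X. Returns the untagged VLAN it is placed in, or None
    if blocked. Side effect: clients on the Unauthorized-Client VLAN are dropped
    when the chosen VLAN differs from that VLAN (the blocking rule in the table)."""
    if port.authenticated >= port.max_clients:
        return None
    if port.active_vlan is not None:
        chosen = port.active_vlan        # must share the existing session's VLAN
    else:                                # precedence steps 1-3, then step 4
        candidates = [radius_vlan, port.authenticated_client_vlan, port.static_untagged_vlan]
        chosen = next((v for v in candidates if v is not None), None)
        if chosen is None:
            usable = client_can_use or set()
            chosen = next((v for v in port.tagged_vlans if v in usable), None)
        if chosen is None:
            return None
    port.active_vlan = chosen
    port.authenticated += 1
    if chosen != port.unauthorized_client_vlan:
        port.unauthenticated = 0         # unauthenticated clients lose the port
    return chosen

def disconnect_authenticated(port: Port) -> None:
    """An authenticated client leaves; the port is free again once the last one goes."""
    port.authenticated = max(0, port.authenticated - 1)
    if port.authenticated == 0:
        port.active_vlan = None
```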
Displaying 802.1X Open VLAN mode status
Examine the switch's current VLAN status by using the show port-access authenticator vlan and show port-access authenticator <port-list> commands. The figure on page shows related VLAN data that can help you to see how the switch is using statically configured VLANs to support 802.1X operation.
Overview 347