Access Security Guide K/KA/KB.15.15

Status indicator        Meaning

(continued)             No unauthorized VLAN has been configured for the indicated port.

Authorized VLAN ID
  <vlan-id>             Lists the VID of the static VLAN configured as the authorized VLAN
                        for the indicated port.
  0                     No authorized VLAN has been configured for the indicated port.
Figure 251, Output for determining Open VLAN mode status (page 348)

Status indicator            Meaning

Status
  Closed                    Either no client is connected or the connected client has not
                            received authorization through 802.1X authentication.
  Open                      An authorized 802.1X supplicant is connected to the port.

Current VLAN ID
  <vlan-id>                 Lists the VID of the static, untagged VLAN to which the port
                            currently belongs.
  No PVID                   The port is not an untagged member of any VLAN.

Current Port CoS            See “RADIUS Authentication, Authorization, and Accounting”
% Curr. Rate Limit Inbound  (page 141).
802.1X Open VLAN operating notes
• Although you can configure Open VLAN mode to use the same VLAN for both the
  Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended. Doing
  so gives unauthenticated clients access to a VLAN intended only for authenticated clients,
  which defeats the purpose of requiring authentication on the port.

• While an Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the
  port from every other statically configured VLAN of which that port is a member. Note that
  the Menu interface still displays the port's statically configured VLANs during this time.

• A VLAN used as the Unauthorized-Client VLAN should not allow access to resources that must
  be protected from unauthenticated clients.

• If a port is configured as a tagged member of VLAN "X", then upon successful client
  authentication the port returns to tagged membership in VLAN "X". This happens even if the
  RADIUS server assigns the port to another, authorized VLAN "Y". Note: If RADIUS assigns
  VLAN "X" itself as the authorized VLAN, the port instead becomes an untagged member of
  VLAN "X" for the duration of the client connection. If there is neither an Authorized-Client
  VLAN nor a RADIUS-assigned VLAN, an authenticated client without tagged VLAN capability can
  access only the untagged VLAN statically configured on that port.

• When a client's authentication attempt on an Unauthorized-Client VLAN fails, the port remains
  a member of the Unauthorized-Client VLAN until the client disconnects from the port.

• During an authentication session on a port in 802.1X Open VLAN mode, if RADIUS specifies
  membership in an untagged VLAN, this assignment overrides port membership in the
  Authorized-Client VLAN. If no Authorized-Client VLAN is configured, the RADIUS assignment
  overrides any untagged VLAN for which the port is statically configured.
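The following Python model is added here as an illustration; it is not part of this guide or of the switch software. It encodes the Open VLAN mode precedence rules from the operating notes above (Unauthorized-Client VLAN while unauthenticated; RADIUS-assigned untagged VLAN over Authorized-Client VLAN over static PVID once authenticated; static tagged membership restored except where RADIUS assigns that same VLAN) and reports the Status and Current VLAN ID fields from the status-indicator table for each case. The names PortConfig, Session, port_access_state and config_warnings are chosen for this example. The branches for a port with no client connected, and for an unauthenticated client on a port with no Unauthorized-Client VLAN (membership unchanged, port Closed), are assumptions based on ordinary 802.1X operation rather than statements on this page.

```python
# Model of the 802.1X Open VLAN mode membership rules in the operating notes
# above. Added illustration, not ProCurve switch code; class and function
# names are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PortConfig:
    """Static VLAN and Open VLAN mode settings for one port."""
    static_untagged: Optional[int]             # statically configured PVID, or None
    static_tagged: Set[int] = field(default_factory=set)
    unauth_vid: Optional[int] = None           # Unauthorized-Client VLAN (unauth-vid)
    auth_vid: Optional[int] = None             # Authorized-Client VLAN (auth-vid)


@dataclass
class Session:
    """State of the client attached to the port."""
    client_connected: bool
    authenticated: bool                        # True only after successful 802.1X auth
    radius_vid: Optional[int] = None           # untagged VLAN assigned by RADIUS, if any


def config_warnings(cfg: PortConfig) -> List[str]:
    """Flag the Open VLAN mode setting the notes warn against."""
    warnings = []
    if cfg.unauth_vid is not None and cfg.unauth_vid == cfg.auth_vid:
        warnings.append(
            f"unauth-vid and auth-vid are both VLAN {cfg.unauth_vid}: "
            "unauthenticated clients reach the VLAN meant for authenticated clients")
    return warnings


def port_access_state(cfg: PortConfig, s: Session) -> Dict[str, object]:
    """Return the Status / Current VLAN ID the port would show, plus its tagged VLANs."""
    if not s.client_connected:
        # Assumption: with no client the port keeps its static configuration.
        untagged, tagged = cfg.static_untagged, set(cfg.static_tagged)
    elif not s.authenticated:
        if cfg.unauth_vid is not None:
            # Unauthorized-Client VLAN in use (also after a failed attempt, until
            # the client disconnects): removed from every other static VLAN.
            untagged, tagged = cfg.unauth_vid, set()
        else:
            # Assumption: no Open VLAN fallback, membership unchanged, port Closed.
            untagged, tagged = cfg.static_untagged, set(cfg.static_tagged)
    else:
        # Untagged precedence: RADIUS assignment > Authorized-Client VLAN > static PVID.
        if s.radius_vid is not None:
            untagged = s.radius_vid
        elif cfg.auth_vid is not None:
            untagged = cfg.auth_vid
        else:
            untagged = cfg.static_untagged
        # Static tagged membership returns, except that a VLAN now used untagged
        # (RADIUS assigning the statically tagged VLAN "X") is no longer tagged.
        tagged = set(cfg.static_tagged) - {untagged}

    return {
        "Status": "Open" if s.client_connected and s.authenticated else "Closed",
        "Current VLAN ID": untagged if untagged is not None else "No PVID",
        "Tagged VLANs": tagged,
    }


if __name__ == "__main__":
    # Constructed sample port: PVID 1, tagged in 20, unauth-vid 99, auth-vid 10.
    port = PortConfig(static_untagged=1, static_tagged={20}, unauth_vid=99, auth_vid=10)
    for label, sess in [
        ("no client", Session(False, False)),
        ("client, not yet authenticated", Session(True, False)),
        ("authenticated, no RADIUS VLAN", Session(True, True)),
        ("authenticated, RADIUS assigns VLAN 30", Session(True, True, radius_vid=30)),
        ("authenticated, RADIUS assigns tagged VLAN 20", Session(True, True, radius_vid=20)),
    ]:
        print(f"{label}: {port_access_state(port, sess)}")
    for w in config_warnings(PortConfig(1, set(), unauth_vid=10, auth_vid=10)):
        print("WARNING:", w)
```

Running the block walks one constructed port through each session state; the last case shows a RADIUS assignment of the port's statically tagged VLAN turning that VLAN into the port's untagged VLAN, and the warning check catches the shared unauth-vid/auth-vid configuration before it reaches a switch.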
Overview 349