Access Security Guide K/KA/KB.15.15

Thus, if the supplicant's link to the authenticator fails, the supplicant retains the transaction statistics it most recently received until one of the above events occurs. If you move a link with an authenticator from one supplicant port to another without clearing the statistics data from the first port, the authenticator's MAC address will appear in the supplicant statistics for both ports.
How RADIUS/802.1X authentication affects VLAN operation
Static VLAN requirement
RADIUS authentication for an 802.1X client on a given port can include a (static) VLAN requirement. For more details, see the documentation provided with your RADIUS application. The static VLAN to which a RADIUS server assigns a client must already exist on the switch. If it does not exist, or if it is a dynamic VLAN created by GVRP, authentication fails. Also, for the session to proceed, the port must be an untagged member of the required VLAN. If it is not, the switch temporarily reassigns the port as described below.
If the port used by the client is not configured as an untagged member of the required static VLAN
When a client is authenticated on port "N", if port "N" is not already configured as an untagged member of the static VLAN specified by the RADIUS server, then the switch temporarily assigns port "N" as an untagged member of the required VLAN for the duration of the 802.1X session. At the same time, if port "N" is already configured as an untagged member of another VLAN, port "N" loses access to that other VLAN for the duration of the session. This is because a port can be an untagged member of only one VLAN at a time.
Using a RADIUS server to authenticate clients, you can provide port-level security protection from unauthorized network access for the following authentication methods:
• 802.1X: Port-based or client-based access control to open a port for client access after authenticating valid user credentials.
• MAC address: Authenticates a device's MAC address to grant access to the network.
• WebAgent: Authenticates clients for network access using a web page for user login.
NOTE: You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication at the same time on a port, with a maximum of 32 clients allowed on the port. The default is one client.
Web authentication and MAC authentication are mutually exclusive on the same port. Also, you must disable LACP on ports configured for any of these authentication methods. For more information, see “Web-based and MAC authentication” (page 72).
VLAN assignment on a port
Following client authentication, VLAN configurations on a port are managed as follows when you use 802.1X, MAC, or Web authentication:
• The port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. Tagged VLAN membership allows a port to be a member of multiple VLANs simultaneously.
• The port is temporarily assigned as a member of an untagged (static or dynamic) VLAN for use during the client session according to the following order of options.
1. The port joins the VLAN to which it has been assigned by a RADIUS server during client authentication.
2. If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the authorized-client VLAN configured for the authentication method.
3. If the port does not have an authorized-client VLAN configured, but is configured for membership in an untagged VLAN, the switch assigns the port to this untagged VLAN.
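The static VLAN requirement and the order of options above can be checked as a small decision model. This is an added example, not code from the guide or from the switch firmware; the class and function names (Vlan, Port, Outcome, resolve_session_vlan) are assumptions made for the example, and behaviour beyond the three listed options is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed model of the VLAN rules in this section (not switch firmware);
# the class and function names are assumed for the example.

@dataclass
class Vlan:
    vid: int
    dynamic: bool = False  # True if the VLAN was created by GVRP

@dataclass
class Port:
    name: str
    untagged_vid: Optional[int] = None  # untagged in at most one VLAN at a time
    tagged_vids: FrozenSet[int] = frozenset()  # kept for the whole session
    auth_vid: Optional[int] = None  # authorized-client VLAN of the auth method

@dataclass
class Outcome:
    authenticated: bool
    session_untagged_vid: Optional[int]  # untagged VLAN used during the session
    lost_untagged_vid: Optional[int]  # configured untagged VLAN lost meanwhile
    retained_tagged_vids: FrozenSet[int]
    reason: str

def resolve_session_vlan(port: Port, vlans: Dict[int, Vlan],
                         radius_vid: Optional[int]) -> Outcome:
    """Apply the order of options: RADIUS VLAN, then authorized-client VLAN,
    then the port's own configured untagged VLAN."""
    if radius_vid is not None:
        vlan = vlans.get(radius_vid)
        # The RADIUS VLAN must already exist on the switch and must be static.
        if vlan is None:
            return Outcome(False, None, None, port.tagged_vids, "RADIUS VLAN missing")
        if vlan.dynamic:
            return Outcome(False, None, None, port.tagged_vids, "RADIUS VLAN is GVRP")
        chosen, reason = radius_vid, "RADIUS-assigned VLAN"
    elif port.auth_vid is not None:
        chosen, reason = port.auth_vid, "authorized-client VLAN"
    elif port.untagged_vid is not None:
        chosen, reason = port.untagged_vid, "port's configured untagged VLAN"
    else:
        raise ValueError("none of the three listed options applies (not modelled)")
    # A port is untagged in only one VLAN, so joining `chosen` temporarily
    # displaces any other untagged membership for the session.
    lost = port.untagged_vid if port.untagged_vid != chosen else None
    return Outcome(True, chosen, lost, port.tagged_vids, reason)
```

With a port untagged in VLAN 20 and tagged in VLAN 100, a RADIUS assignment of static VLAN 10 yields a session on VLAN 10, loss of VLAN 20 for the session, and VLAN 100 retained; a RADIUS assignment of a missing or GVRP-created VLAN fails authentication.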
Overview 351