Access Security Guide K/KA/KB.15.15

Operating notes
During client authentication, a port assigned to a VLAN by a RADIUS server or an
authorized-client VLAN configuration is an untagged member of the VLAN for the duration of
the authenticated session. This applies even if the port is also configured in the switch as a
tagged member of the same VLAN. The following restrictions apply:
If the port is assigned as a member of an untagged static VLAN, the VLAN must already
be configured on the switch. If the static VLAN configuration does not exist, the
authentication fails.
If the port is assigned as a member of an untagged dynamic VLAN that was learned
through GVRP, the dynamic VLAN configuration must exist on the switch at the time of
authentication and GVRP-learned dynamic VLANs for port-access authentication must be
enabled.
If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN
for authentication sessions on the switch, the authentication fails.
To enable the use of a GVRP-learned (dynamic) VLAN as the untagged VLAN used in an
authentication session, enter the aaa port-access gvrp-vlans command, as described
in .
Enabling the use of dynamic VLANs in an authentication session offers the following benefits:
You avoid the need to have static VLANs pre-configured on the switch.
You can centralize the administration of user accounts (including user VLAN IDs) on a
RADIUS server.
For information on how to enable the switch to dynamically create 802.1Q-compliant VLANs
on links to other devices using the GARP VLAN Registration Protocol (GVRP), see "GVRP" in
the Advanced Traffic Management Guide for your switch.
For an authentication session to proceed, a port must be an untagged member of the (static
or dynamic) VLAN assigned by the RADIUS server (or an authorized-client VLAN configuration).
The port temporarily drops any current untagged VLAN membership.
If the port is not already a member of the RADIUS-assigned (static or dynamic) untagged
VLAN, the switch temporarily reassigns the port as an untagged member of the required VLAN
for the duration of the session. At the same time, if the port is already configured as an
untagged member of a different VLAN, the port loses access to the other VLAN for the duration
of the session. A port can be an untagged member of only one VLAN at a time.
When the authentication session ends, the switch removes the temporary untagged VLAN
assignment and re-activates the temporarily disabled, untagged VLAN assignment.
If GVRP is already enabled on the switch, the temporary untagged (static or dynamic) VLAN
created on the port for the authentication session is advertised as an existing VLAN.
If this temporary VLAN assignment causes the switch to disable a different untagged static or
dynamic VLAN configured on the port, as described in the preceding bullet and in “Example
of untagged VLAN assignment in a RADIUS-based authentication session” (page 354), the
disabled VLAN assignment is not advertised. When the authentication session ends, the switch:
Removes the temporary untagged VLAN assignment and stops advertising it.
Re-activates and resumes advertising the temporarily disabled, untagged VLAN assignment.
If you modify a VLAN ID configuration on a port during an 802.1X, MAC, or Web
authentication session, the changes do not take effect until the session ends.
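The membership rules in the preceding notes, modelled in Python as an added illustration (this is not HP/Aruba switch code; the `Switch`, `Port`, `authenticate` and `end_session` names and the sample VLAN IDs are constructed for the example):

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Switch:
    static_vlans: set[int]            # VLANs statically configured on the switch
    gvrp_vlans: set[int]              # dynamic VLANs learned through GVRP
    gvrp_auth_enabled: bool = False   # set by "aaa port-access gvrp-vlans"


@dataclass
class Port:
    untagged: int | None              # configured untagged VLAN, if any
    tagged: set[int] = field(default_factory=set)
    session_vlan: int | None = None   # temporary untagged VLAN while authenticated

    def active_untagged(self) -> int | None:
        # The assigned VLAN overrides the configured untagged VLAN for the
        # whole session, so a VLAN change made during the session only takes
        # effect once the session ends.
        if self.session_vlan is not None:
            return self.session_vlan
        return self.untagged

    def active_vlans(self) -> set[int]:
        # Tagged memberships are unaffected; untagged membership is in one
        # VLAN only, so the displaced configured VLAN is lost for the session.
        vlans = set(self.tagged)
        if self.active_untagged() is not None:
            vlans.add(self.active_untagged())
        return vlans


def authenticate(sw: Switch, port: Port, assigned_vlan: int) -> bool:
    """Apply a RADIUS-assigned VLAN to the port. False means the switch
    rejects the authentication because the VLAN cannot be used."""
    usable = assigned_vlan in sw.static_vlans or (
        assigned_vlan in sw.gvrp_vlans and sw.gvrp_auth_enabled
    )
    if not usable:            # VLAN not configured, or GVRP VLAN use not enabled
        return False
    port.session_vlan = assigned_vlan   # untagged member for the session
    return True


def end_session(port: Port) -> None:
    """Remove the temporary assignment; the configured untagged VLAN resumes."""
    port.session_vlan = None
```

Running the authentication against a constructed switch shows the three failure and restore behaviours the notes describe: a missing static VLAN rejects the session, a GVRP-learned VLAN is rejected until `aaa port-access gvrp-vlans` is enabled, and a VLAN change made mid-session appears only after `end_session`.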
When a switch port is configured with RADIUS-based authentication to accept multiple 802.1X
and/or MAC or Web authentication client sessions, all authenticated clients must use the same
352 IPv4 Access Control Lists (ACLs)