Access Security Guide K/KA/KB.15.15

NOTE: On ports configured to allow multiple sessions using 802.1X user-based access control,
all clients must use the same untagged VLAN (unless MAC-based VLANs are enabled; see
“MAC-based VLANs” (page 197)). On a given port where there are no currently active, authenticated
clients, the first authenticated client determines the untagged VLAN in which the port will operate
for all subsequent, overlapping client sessions.
If the switch operates in an environment where some valid clients will not be running 802.1X
supplicant software and need to download it from your network, then, because such clients would
need to use the Unauthorized-Client VLAN and authenticated clients would be using a different
VLAN (for security reasons), allowing multiple clients on an 802.1X port can result in blocking
some or all clients that need to use the Unauthorized-Client VLAN.
On ports configured for port-based 802.1X access control, if multiple clients try to authenticate on
the same port, the most recently authenticated client determines the untagged VLAN membership
for that port. Clients that connect without trying to authenticate will have access to the untagged
VLAN membership that is currently assigned to the port.
VLAN Membership Priorities
Following client authentication, an 802.1X port resumes membership in any tagged VLANs for
which it is already assigned in the switch configuration. The port also becomes an untagged
member of one VLAN according to the following order of options:
1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during
client authentication.
2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the
switch assigns the port to the VLAN entered in the port’s 802.1X configuration as an
Authorized-Client VLAN, if configured.
3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have
a static, untagged VLAN membership in its configuration, then the switch assigns the port to
this VLAN.
A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will
be an untagged member of the VLAN for the duration of the authenticated session. This applies
even if the port is also configured in the switch as a tagged member of the same VLAN.
NOTE: After client authentication, the port resumes membership in any tagged VLANs for which
it is configured. If the port is a tagged member of the VLAN selected under the 1st or 2nd priority
listed above, then it also operates as an untagged member of that VLAN while the client is
connected. When the client disconnects, the port reverts to tagged membership in that VLAN.
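As an added illustration (not code from the guide or the switch), the following Python model applies the three untagged-VLAN priorities and the multi-client rules from the NOTEs above to a port configuration. The PortConfig/Port names are assumed, as is the treatment of a later user-based client whose resolved VLAN differs from the port's as a rejected session.

```python
# Constructed model of the 802.1X Open VLAN mode membership rules in the text above.
# Assumption: a VLAN the port uses untagged for a session leaves its tagged set until
# the session ends; an idle port reverts to its static configuration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class PortConfig:
    static_untagged: Optional[int]                  # static untagged VLAN, if any
    tagged: Set[int] = field(default_factory=set)   # static tagged VLANs
    authorized_client_vlan: Optional[int] = None    # per-port Authorized-Client VLAN


def resolve_untagged(cfg: PortConfig, radius_vlan: Optional[int]) -> Tuple[Optional[int], str]:
    """1st: RADIUS-assigned VLAN; 2nd: Authorized-Client VLAN; 3rd: static untagged VLAN."""
    if radius_vlan is not None:
        return radius_vlan, "1st: RADIUS"
    if cfg.authorized_client_vlan is not None:
        return cfg.authorized_client_vlan, "2nd: Authorized-Client VLAN"
    return cfg.static_untagged, "3rd: static untagged"


@dataclass
class Port:
    cfg: PortConfig
    user_based: bool                                # True: user-based; False: port-based
    sessions: Dict[str, int] = field(default_factory=dict)   # client -> resolved VLAN
    untagged: Optional[int] = None

    def __post_init__(self):
        self.untagged = self.cfg.static_untagged

    def authenticate(self, client: str, radius_vlan: Optional[int]) -> Optional[int]:
        vid, _ = resolve_untagged(self.cfg, radius_vlan)
        if self.user_based and self.sessions:
            # first authenticated client fixed the port's untagged VLAN for overlapping
            # sessions; a client resolving to another VLAN is rejected (assumption)
            if vid != self.untagged:
                raise ValueError(f"{client}: VLAN {vid} differs from port VLAN {self.untagged}")
        else:
            # no active session, or port-based: the most recent client determines the VLAN
            self.untagged = vid
        self.sessions[client] = vid
        return self.untagged

    def disconnect(self, client: str) -> Optional[int]:
        self.sessions.pop(client, None)
        if not self.sessions:
            self.untagged = self.cfg.static_untagged
        return self.untagged

    def tagged_now(self) -> Set[int]:
        """Tagged membership resumes, except in the VLAN currently used untagged."""
        return self.cfg.tagged - ({self.untagged} if self.sessions else set())
```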
Use Models for 802.1X Open VLAN Modes
You can apply the 802.1X Open VLAN mode in more than one way. Depending on your use, you
will need to create one or two static VLANs on the switch for exclusive use by per-port 802.1X
Open VLAN mode authentication:
Unauthorized-Client VLAN: Configure this VLAN when unauthenticated, friendly clients will
need access to some services before being authenticated or instead of being authenticated.
Authorized-Client VLAN: Configure this VLAN for authenticated clients when the port is not
statically configured as an untagged member of a VLAN you want clients to use, or when the
port is statically configured as an untagged member of a VLAN you do not want clients to
use. (A port can be configured as untagged on only one port-based VLAN. When an
Authorized-Client VLAN is configured, it will always be untagged and will block the port from
using a statically configured, untagged membership in another VLAN.) Note that after client
authentication, the port returns to membership in any tagged VLANs for which it is configured.
See “NOTE” (page 487).
Overview 487