Access Security Guide K/KA/KB.15.15

Table 54 802.1x per-port configuration (continued)

802.1X Per-Port Configuration: Authorized-Client VLAN

Port Response:

After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN.

NOTE: If the client is running an 802.1X supplicant application when the authentication session begins, and is able to authenticate itself before the switch assigns the port to the Unauthorized-Client VLAN, then the port does not become a member of the Unauthorized-Client VLAN. On the switches covered in this guide, you can use the unauth-period command (page 13-23) to delay moving the port into the Unauthorized-Client VLAN.

If RADIUS authentication assigns a VLAN and there are no other authenticated clients on the port, then the port becomes a member of the RADIUS-assigned VLAN (instead of the Authorized-Client VLAN) while the client is connected.

If the port is statically configured as a tagged member of a VLAN, and this VLAN is used as the Authorized-Client VLAN, then the port temporarily becomes an untagged member of this VLAN when the client becomes authenticated. If the port is statically configured as a tagged member of a VLAN, the port returns to tagged membership in this VLAN upon.
802.1X Per-Port Configuration: Open VLAN Mode with Only an Unauthorized-Client VLAN Configured

Port Response:

When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session. If the port is statically configured as an untagged member of another VLAN, the switch temporarily removes the port from membership in this other VLAN while membership in the Unauthorized-Client VLAN exists.

After the client is authenticated, and if the port is statically configured as an untagged member of another VLAN, the port's access to this other VLAN is restored.

NOTE: If RADIUS authentication assigns the port to a VLAN, this assignment overrides any statically configured, untagged VLAN membership on the port (while the client is connected).

If the port is statically configured as a tagged member of a VLAN, the port returns to tagged membership in this VLAN upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. Note that if the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection.

NOTE for a port configured to allow multiple client sessions: If any previously authenticated clients are using a port assigned to a VLAN other than the Unauthorized-Client VLAN (such as a RADIUS-assigned VLAN), then a later client that is not running 802.1X supplicant software is blocked on the port until all other, authenticated clients on the port have disconnected.
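The two rows above describe how a port's effective VLAN membership changes as a client moves from detection to authentication. The following Python model is an added example, not part of the guide or of the switch software: it encodes the table's rules for both configurations (Authorized-Client VLAN present, and Unauthorized-Client VLAN only) so the resulting membership can be checked for a given static configuration, RADIUS assignment and client state. The port-configuration fields, the three client phases and the `other_authenticated_vid` parameter are modelling assumptions, and two places where the table is silent (tagged membership while the port sits in the Unauthorized-Client VLAN, and a RADIUS assignment arriving while other clients are already authenticated) are marked as assumptions in the comments.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PortConfig:
    """Static VLAN membership plus the open-VLAN-mode settings of one port (assumed model)."""
    static_untagged: int | None          # VLAN in which the port is statically untagged, or None
    static_tagged: frozenset[int]        # VLANs in which the port is statically tagged
    unauth_vid: int                      # Unauthorized-Client VLAN (always present in open VLAN mode)
    auth_vid: int | None = None          # Authorized-Client VLAN; None if only unauth_vid is configured


@dataclass(frozen=True)
class Membership:
    """Effective VLAN membership of the port, and whether the newest client is blocked."""
    untagged: int | None
    tagged: frozenset[int]
    blocked: bool = False


def port_membership(cfg: PortConfig, phase: str, *, supplicant: bool = True,
                    radius_vid: int | None = None,
                    other_authenticated_vid: int | None = None) -> Membership:
    """Return the port's VLAN membership for the given client phase.

    phase is "idle" (no client), "unauthenticated" (client detected, session not
    yet authenticated) or "authenticated". A supplicant that authenticates before
    the unauth-period expires goes straight from idle to authenticated and never
    visits the Unauthorized-Client VLAN. other_authenticated_vid is the untagged
    VLAN of an earlier, still-connected authenticated client on a multi-client
    port, or None when no such client exists.
    """
    if phase == "idle":
        return Membership(cfg.static_untagged, cfg.static_tagged)

    if phase == "unauthenticated":
        # Multi-client rule from the table: a client without a supplicant is blocked
        # while an authenticated client holds the port in a VLAN other than the
        # Unauthorized-Client VLAN; the port keeps that client's membership.
        if (not supplicant and other_authenticated_vid is not None
                and other_authenticated_vid != cfg.unauth_vid):
            return Membership(other_authenticated_vid,
                              cfg.static_tagged - {other_authenticated_vid}, blocked=True)
        # Otherwise the port is untagged in the Unauthorized-Client VLAN and its static
        # untagged membership is suspended. Modelling assumption: "returns to tagged
        # membership upon successful client authentication" is read as static tagged
        # membership being suspended during this phase as well.
        return Membership(cfg.unauth_vid, frozenset())

    if phase == "authenticated":
        if other_authenticated_vid is not None:
            # Modelling assumption: the table defines the RADIUS override only when no
            # other authenticated clients are present, so with others present the port
            # keeps the VLAN it already has.
            untagged = other_authenticated_vid
        elif radius_vid is not None:
            untagged = radius_vid            # RADIUS assignment wins while the client is connected
        elif cfg.auth_vid is not None:
            untagged = cfg.auth_vid          # Authorized-Client VLAN, if one is configured
        else:
            untagged = cfg.static_untagged   # unauth_vid only: static untagged access is restored
        # Static tagged memberships are restored, except that the port is untagged rather
        # than tagged in the VLAN it was just placed in, for the duration of the session.
        return Membership(untagged, cfg.static_tagged - {untagged})

    raise ValueError(f"unknown phase {phase!r}")


if __name__ == "__main__":
    # Constructed sample: port statically untagged in VLAN 1, tagged in 20 and 30,
    # Unauthorized-Client VLAN 10, Authorized-Client VLAN 20 (the port's tagged VLAN).
    cfg = PortConfig(static_untagged=1, static_tagged=frozenset({20, 30}),
                     unauth_vid=10, auth_vid=20)
    for phase in ("idle", "unauthenticated", "authenticated"):
        print(phase, port_membership(cfg, phase))
    print("authenticated, RADIUS VLAN 40:", port_membership(cfg, "authenticated", radius_vid=40))
```

The two sample configurations worth comparing are a port whose static tagged VLAN doubles as the Authorized-Client VLAN (it is untagged there only while a client is authenticated) and a port with no Authorized-Client VLAN, where authentication simply restores the static untagged VLAN unless RADIUS supplies one.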
Overview 489