Access Security Guide K/KA/KB.15.15

Table 54 802.1x per-port configuration (continued)

802.1X Per-Port Configuration: Open VLAN Mode with Only an Authorized-Client VLAN Configured

Port Response:
• The port automatically blocks a client that cannot initiate an authentication session.
• If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.
• If the port is statically configured as a tagged member of any other VLAN, the port returns to tagged membership in this VLAN upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection.

NOTE: An authorized-client VLAN configuration can be overridden by a RADIUS authentication that assigns a VLAN.
802.1X Open VLAN Operating Notes

• Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended. Using the same VLAN for both purposes allows unauthenticated clients access to a VLAN intended only for authenticated clients, which amounts to a security breach.

• While an Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the port from any other statically configured VLAN for which that port is configured as a member. Note that the Menu interface will still display the port's statically configured VLAN(s).

• A VLAN used as the Unauthorized-Client VLAN should not allow access to resources that must be protected from unauthenticated clients.

• If a port is configured as a tagged member of VLAN "X", then the port returns to tagged membership in VLAN "X" upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN "Y". Note that if RADIUS assigns VLAN "X" as an authorized VLAN, then the port becomes an untagged member of VLAN "X" for the duration of the client connection. (If there is no Authorized-Client or RADIUS-assigned VLAN, then an authenticated client without tagged VLAN capability can access only a statically configured, untagged VLAN on that port.)

• When a client's authentication attempt on an Unauthorized-Client VLAN fails, the port remains a member of the Unauthorized-Client VLAN until the client disconnects from the port.

• During an authentication session on a port in 802.1X Open VLAN mode, if RADIUS specifies membership in an untagged VLAN, this assignment overrides port membership in the Authorized-Client VLAN. If there is no Authorized-Client VLAN configured, then the RADIUS assignment overrides any untagged VLAN for which the port is statically configured.

• If the only authenticated client on a port loses authentication during a session in 802.1X Open VLAN mode, the port VLAN membership reverts to the Unauthorized-Client VLAN. If there is no Unauthorized-Client VLAN configured, then the client loses access to the port until it can reauthenticate itself. If multiple clients are authenticated on the port and one of them loses access and attempts to re-authenticate, that client is handled as a new client on the port.

• The first client to authenticate on a port configured to support multiple clients determines the port's VLAN membership for any subsequent clients that authenticate while an active session is already in effect.
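The precedence and revert rules in the operating notes above (RADIUS-assigned VLAN over Authorized-Client VLAN over static untagged VLAN, tagged memberships restored on authentication, first client fixing the port's VLAN, and reversion to the Unauthorized-Client VLAN or to a blocked port when the last client loses authentication) are easy to misjudge when planning a port configuration. The following Python model is an added example, not part of the guide and not switch code: the names OpenVlanConfig, OpenVlanPort, config_warnings, authenticated_membership and unauthenticated_membership, and the sample VLAN ids, are constructed here. It encodes only the behavior the notes state, plus one labelled assumption, and is intended for reasoning about or auditing a planned configuration offline.

```python
"""Model of 802.1X Open VLAN mode port membership rules (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class OpenVlanConfig:
    """Per-port settings relevant to Open VLAN mode (None = not configured)."""
    unauth_vid: Optional[int] = None           # Unauthorized-Client VLAN
    auth_vid: Optional[int] = None             # Authorized-Client VLAN
    static_untagged_vid: Optional[int] = None  # statically configured untagged VLAN
    static_tagged_vids: Set[int] = field(default_factory=set)


def config_warnings(cfg: OpenVlanConfig) -> List[str]:
    """Flag the configuration the guide advises against (same VLAN for both roles)."""
    warnings = []
    if cfg.unauth_vid is not None and cfg.unauth_vid == cfg.auth_vid:
        warnings.append(
            "unauth-vid and auth-vid are the same VLAN: unauthenticated clients "
            "can reach the VLAN intended only for authenticated clients")
    return warnings


def unauthenticated_membership(cfg: OpenVlanConfig) -> Dict[str, object]:
    """Port membership while no client on the port is authenticated."""
    if cfg.unauth_vid is None:
        # No Unauthorized-Client VLAN: the port blocks the unauthenticated client.
        return {"untagged": None, "tagged": set(), "blocked": True}
    # Unauthorized-Client VLAN in use: the switch temporarily removes the port
    # from every other statically configured VLAN.
    return {"untagged": cfg.unauth_vid, "tagged": set(), "blocked": False}


def authenticated_membership(cfg: OpenVlanConfig,
                             radius_vid: Optional[int] = None) -> Dict[str, object]:
    """Port membership once a client has authenticated.

    Untagged VLAN precedence: RADIUS-assigned VLAN, then Authorized-Client VLAN,
    then the port's static untagged VLAN. Static tagged memberships come back on
    authentication; a tagged VLAN that RADIUS assigns becomes untagged instead.
    """
    if radius_vid is not None:
        untagged = radius_vid
    elif cfg.auth_vid is not None:
        untagged = cfg.auth_vid
    else:
        untagged = cfg.static_untagged_vid
    # Assumption (not stated by the guide): a VLAN cannot be both tagged and
    # untagged on one port, so the chosen untagged VLAN leaves the tagged set.
    tagged = set(cfg.static_tagged_vids)
    tagged.discard(untagged)
    return {"untagged": untagged, "tagged": tagged, "blocked": False}


class OpenVlanPort:
    """Tracks authenticated clients on one port and the resulting VLAN membership."""

    def __init__(self, cfg: OpenVlanConfig):
        self.cfg = cfg
        self.clients: List[str] = []  # authenticated clients, in arrival order
        self.membership = unauthenticated_membership(cfg)

    def authenticate(self, client: str, radius_vid: Optional[int] = None):
        if not self.clients:
            # The first client to authenticate fixes the port's VLAN membership.
            self.membership = authenticated_membership(self.cfg, radius_vid)
        # Later clients (a re-authenticating one counts as new) join the
        # existing session; their own RADIUS VLAN does not change the port.
        if client not in self.clients:
            self.clients.append(client)
        return self.membership

    def lose_authentication(self, client: str):
        if client in self.clients:
            self.clients.remove(client)
        if not self.clients:
            # Only client gone: revert to the Unauthorized-Client VLAN, or block.
            self.membership = unauthenticated_membership(self.cfg)
        return self.membership


if __name__ == "__main__":
    # Constructed sample port: unauth 30, auth 20, static untagged 1, tagged 10 and 40.
    cfg = OpenVlanConfig(unauth_vid=30, auth_vid=20, static_untagged_vid=1,
                         static_tagged_vids={10, 40})
    port = OpenVlanPort(cfg)
    print("idle:", port.membership)
    print("alice (RADIUS 40):", port.authenticate("alice", radius_vid=40))
    print("bob (RADIUS 50):", port.authenticate("bob", radius_vid=50))
    print("alice leaves:", port.lose_authentication("alice"))
    print("bob leaves:", port.lose_authentication("bob"))
    print(config_warnings(OpenVlanConfig(unauth_vid=20, auth_vid=20)))
```

Walking the sample through shows the two points the notes make most strongly: bob's RADIUS VLAN 50 is ignored because alice's session already fixed the port in VLAN 40 (untagged, since the port was tagged in 40), and the port only returns to VLAN 30 once the last authenticated client is gone.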
490 Port-Based and User-Based Access Control (802.1X)