Access Security Guide K/KA/KB.15.15

Operating Rules for Authorized-Client and Unauthorized-Client VLANs
Table 55 Conditions for Authorized-Client and Unauthorized-Client VLANs

Rule: Static VLANs used as Authorized-Client or Unauthorized-Client VLANs
Condition: These VLANs must already exist on the switch before you configure an 802.1X authenticator port to use them. (Create them with the vlan <vlan-id> command or the VLAN Menu screen in the Menu interface.)

Rule: VLAN assignment received from a RADIUS server
Condition: If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, that VLAN assignment overrides any Authorized-Client VLAN configured on the authenticator port. This is because membership in both VLANs is untagged, and the switch allows only one untagged, port-based VLAN membership per port. For example, suppose you configured port A4 to place authenticated supplicants in VLAN 20. If a RADIUS server authenticates supplicant “A” and assigns it to VLAN 50, the port becomes an untagged member of VLAN 50 (not VLAN 20) for as long as the client session is running. When the client disconnects from the port, the port drops this assignment and returns to the untagged VLAN membership for which it is statically configured. (After client authentication, the port also resumes any tagged VLAN memberships for which it is already configured.)

Rule: Temporary VLAN membership during a client session
Condition:
• Port membership in a VLAN assigned to operate as the Unauthorized-Client VLAN is temporary and ends when the client is authenticated or disconnects from the port, whichever comes first. On the switches covered in this guide, which allow multiple clients per port, the first client to authenticate determines the port's untagged VLAN membership until all clients have disconnected. Any other clients that cannot operate in that VLAN are blocked at that point.
• Port membership in a VLAN assigned to operate as the Authorized-Client VLAN ends when the client disconnects from the port. If a VLAN assignment from a RADIUS server is used instead, the same rule applies. With multiple clients on a port, the port keeps that VLAN as long as any authenticated client is using it. When the last client disconnects, the port reverts to only the VLAN(s) of which it is statically configured as a member.

Rule: Effect of an Unauthorized-Client VLAN session on untagged port VLAN membership
Condition: When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). While the Unauthorized-Client VLAN is in use, the port does not access any other VLANs. If the client disconnects, the port leaves the Unauthorized-Client VLAN and re-acquires membership in all the statically configured VLANs to which it belongs. If the client becomes authenticated, the port leaves the Unauthorized-Client VLAN and joins the appropriate VLAN; see “VLAN Membership Priorities” (page 481). With multiple clients on a port, if an authenticated client is already using the port in a different VLAN, any other unauthenticated clients that would need the Unauthorized-Client VLAN are blocked.

Rule: Effect of an Authorized-Client VLAN session on untagged port VLAN membership
Condition: When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Authorized-Client
Overview 491
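To make the rules in Table 55 concrete, the following Python model is added here as an illustration; it is not switch code or a vendor API. The Port class, its connect/authenticate/disconnect methods, the VLAN numbers, and the client names are this example's own assumptions. It walks a port through the RADIUS-override example from the table (Authorized-Client VLAN 20, RADIUS assigns VLAN 50) and through the multiple-client case, where the first authenticated client fixes the port's untagged VLAN and later clients that cannot operate in that VLAN are blocked.

```python
"""
Executable model of the port-VLAN rules in Table 55 for an 802.1X
authenticator port: static untagged/tagged VLANs, an Unauthorized-Client
VLAN, an Authorized-Client VLAN, a RADIUS-assigned VLAN, and the
multiple-client behaviour. Added illustration only; the class, method and
scenario names are assumptions for this example, not switch firmware.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    static_untagged: int                  # statically configured untagged VLAN
    static_tagged: frozenset              # statically configured tagged VLANs
    unauth_vlan: int                      # Unauthorized-Client VLAN (must pre-exist)
    auth_vlan: int                        # Authorized-Client VLAN (must pre-exist)
    authed: dict = field(default_factory=dict)   # client -> VLAN it was placed in
    unauthed: set = field(default_factory=set)   # connected, in Unauthorized-Client VLAN
    blocked: set = field(default_factory=set)    # connected but given no VLAN access

    def untagged_vlan(self) -> int:
        """The single untagged VLAN the port belongs to right now."""
        if self.authed:
            # the first client to authenticate fixed this for the whole session
            return next(iter(self.authed.values()))
        if self.unauthed:
            return self.unauth_vlan
        return self.static_untagged

    def tagged_vlans(self) -> frozenset:
        """Tagged memberships are suspended while the Unauthorized-Client VLAN is in use."""
        if not self.authed and self.unauthed:
            return frozenset()
        return self.static_tagged

    def connect(self, client: str) -> bool:
        """An unauthenticated client links up. Returns False if it is blocked."""
        if self.authed:
            # an authenticated client already owns the port's untagged VLAN
            self.blocked.add(client)
            return False
        self.unauthed.add(client)
        return True

    def authenticate(self, client: str, radius_vlan: Optional[int] = None) -> bool:
        """RADIUS accepts the client; a RADIUS VLAN overrides the Authorized-Client VLAN."""
        target = radius_vlan if radius_vlan is not None else self.auth_vlan
        self.unauthed.discard(client)
        self.blocked.discard(client)
        if self.authed and target != self.untagged_vlan():
            # cannot operate in the VLAN the first authenticated client chose
            self.blocked.add(client)
            return False
        self.authed[client] = target
        # clients still unauthenticated lose the Unauthorized-Client VLAN
        self.blocked |= self.unauthed
        self.unauthed.clear()
        return True

    def disconnect(self, client: str) -> None:
        """When the last client leaves, untagged_vlan()/tagged_vlans() revert to static."""
        self.authed.pop(client, None)
        self.unauthed.discard(client)
        self.blocked.discard(client)


def radius_override_scenario() -> list:
    """Port A4 from the table: Authorized-Client VLAN 20, RADIUS assigns A to VLAN 50."""
    p = Port(static_untagged=1, static_tagged=frozenset({10, 11}), unauth_vlan=99, auth_vlan=20)
    trace = [(p.untagged_vlan(), p.tagged_vlans())]        # idle: static memberships
    p.connect("A")
    trace.append((p.untagged_vlan(), p.tagged_vlans()))    # Unauthorized-Client VLAN only
    p.authenticate("A", radius_vlan=50)
    trace.append((p.untagged_vlan(), p.tagged_vlans()))    # RADIUS VLAN 50 wins over 20
    p.disconnect("A")
    trace.append((p.untagged_vlan(), p.tagged_vlans()))    # back to static
    return trace


def multi_client_scenario() -> dict:
    """Several clients on one port: the first to authenticate decides the VLAN."""
    p = Port(static_untagged=1, static_tagged=frozenset({10}), unauth_vlan=99, auth_vlan=20)
    p.connect("A")
    p.connect("B")
    r = {}
    r["A_auth"] = p.authenticate("A")                  # port untagged VLAN becomes 20
    r["B_blocked"] = "B" in p.blocked                  # still unauthenticated, now blocked
    r["C_connect"] = p.connect("C")                    # blocked: port already has an authed client
    r["C_auth_50"] = p.authenticate("C", radius_vlan=50)  # blocked: cannot operate in VLAN 20
    r["B_auth_20"] = p.authenticate("B")               # allowed: same VLAN as A
    r["vlan_with_A_B"] = p.untagged_vlan()
    p.disconnect("A")
    r["vlan_after_A_leaves"] = p.untagged_vlan()       # B keeps the port in VLAN 20
    p.disconnect("B")
    r["vlan_after_last"] = p.untagged_vlan()           # reverts to static VLAN 1
    return r


if __name__ == "__main__":
    print(radius_override_scenario())
    print(multi_client_scenario())
```

The model deliberately treats "blocked" as "connected but with no VLAN access", so a blocked client can still attempt authentication; whether a blocked client is later admitted to the Unauthorized-Client VLAN once all authenticated clients leave is not described in the table and is left unmodelled.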