Access Security Guide K/KA/KB.15.15

Table 55 Condition for authorized client and unauthorized client VLANs (continued)

Rule: (continued from the previous page)
Condition: ...VLAN (also untagged). While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN. When the authenticated client disconnects, the switch removes the port from the Authorized-Client VLAN and moves it back to the untagged membership in the statically configured VLAN. (After client authentication, the port resumes any tagged VLAN memberships for which it is already configured.)
NOTE: This rule assumes:
- No alternate VLAN has been assigned by a RADIUS server.
- No other authenticated clients are already using the port.

Rule: Multiple Authenticator Ports Using the Same Unauthorized-Client and Authorized-Client VLANs
Condition: You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1X authenticator ports configured on the switch. Similarly, you can use the same static VLAN as the Authorized-Client VLAN for all 802.1X authenticator ports configured on the switch.
CAUTION: Do not use the same static VLAN for both the unauthorized-client VLAN and the authorized-client VLAN. Using one VLAN for both creates a security risk by defeating the isolation of unauthenticated clients.

Rule: Effect of Failed Client Authentication Attempt (This rule assumes no other authenticated clients are already using the port on a different VLAN.)
Condition: When there is an Unauthorized-Client VLAN configured on an 802.1X authenticator port, an unauthorized client connected to the port has access only to the network resources belonging to the Unauthorized-Client VLAN. This access continues until the client disconnects from the port. (If there is no Unauthorized-Client VLAN configured on the authenticator port, the port simply blocks access for any unauthorized client.)

Rule: Effect of RADIUS-assigned VLAN (This rule assumes no other authenticated clients are already using the port on a different VLAN.)
Condition: The port joins the RADIUS-assigned VLAN as an untagged member.

Rule: IP Addressing for a Client Connected to a Port Configured for 802.1X Open VLAN Mode
Condition: A client can either acquire an IP address from a DHCP server or use a manually configured IP address before connecting to the switch.

Rule: 802.1X Supplicant Software for a Client Connected to a Port Configured for 802.1X Open VLAN Mode
Condition: A friendly client, without 802.1X supplicant software, connecting to an authenticator port must be able to download this software from the Unauthorized-Client VLAN before authentication can begin.

Rule: Switch with a Port Configured To Allow Multiple Authorized-Client Sessions
Condition: When a new client is authenticated on a given port:
If no other clients are authenticated on that port, then the port joins one VLAN in the following order of precedence:
1. A RADIUS-assigned VLAN, if configured.
2. An Authenticated-Client VLAN, if configured.
3. A static, port-based VLAN to which the port belongs as an untagged member.
4. Any VLAN(s) to which the port is configured as a tagged member (provided that the client can operate in that VLAN).
If another client is already authenticated on the port, then the port is already assigned to a VLAN for the
492 Port-Based and User-Based Access Control (802.1X)
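The rows of Table 55 together describe a small decision procedure: which VLAN an authenticator port is an untagged member of after a failed attempt, after a successful authentication (the four-step order of precedence), and after the client disconnects, plus the CAUTION that one VLAN must not serve both roles. The Python model below is an added example for this guide; it is not code from the guide or from HP. The class, field and function names (AuthenticatorPort, validate, vlan_after_failed_auth, vlan_after_successful_auth, client_disconnect) are assumptions, and so is the handling of a second client on an already-assigned port, since the page's sentence about that case is cut off.

```python
# Added example, not code from the HP guide: a model of the VLAN-selection rules in
# Table 55 for one 802.1X authenticator port. Names and data layout are assumptions
# made for illustration; the decision rules follow the table's rows.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BLOCKED = None  # no Unauthorized-Client VLAN configured: the port simply blocks the client


@dataclass
class AuthenticatorPort:
    """Configuration and live state of one authenticator port (assumed layout)."""
    static_untagged_vlan: Optional[int]                # static, port-based untagged VLAN
    tagged_vlans: List[int] = field(default_factory=list)
    unauth_client_vlan: Optional[int] = None           # Unauthorized-Client VLAN, if configured
    auth_client_vlan: Optional[int] = None             # Authorized-Client VLAN, if configured
    sessions: Dict[str, int] = field(default_factory=dict)  # authenticated client -> VLAN in use


def validate(port: AuthenticatorPort) -> None:
    """CAUTION row: one VLAN in both roles defeats the isolation of unauthenticated clients."""
    if port.unauth_client_vlan is not None and port.unauth_client_vlan == port.auth_client_vlan:
        raise ValueError("Unauthorized-Client and Authorized-Client VLAN must differ")


def current_untagged_vlan(port: AuthenticatorPort) -> Optional[int]:
    """VLAN the port is an untagged member of right now. While a session holds the port
    in another VLAN, the statically configured untagged VLAN is not reachable."""
    if port.sessions:
        return next(iter(port.sessions.values()))
    return port.static_untagged_vlan


def vlan_after_failed_auth(port: AuthenticatorPort) -> Optional[int]:
    """'Effect of Failed Client Authentication Attempt' row (assumes no other
    authenticated client is using the port on a different VLAN)."""
    if port.unauth_client_vlan is None:
        return BLOCKED
    return port.unauth_client_vlan


def vlan_after_successful_auth(port: AuthenticatorPort, client: str,
                               radius_vlan: Optional[int] = None,
                               client_can_use: Optional[Set[int]] = None) -> int:
    """'Switch with a Port Configured To Allow Multiple Authorized-Client Sessions' row.

    First client: the port joins exactly one VLAN in the table's order of precedence.
    Later clients: the port is already assigned; the page's sentence is cut off, so this
    model ASSUMES the new client shares the VLAN already in use on the port.
    """
    validate(port)
    if port.sessions:
        vlan = next(iter(port.sessions.values()))
    elif radius_vlan is not None:                   # 1. RADIUS-assigned VLAN (untagged)
        vlan = radius_vlan
    elif port.auth_client_vlan is not None:         # 2. Authorized-Client VLAN
        vlan = port.auth_client_vlan
    elif port.static_untagged_vlan is not None:     # 3. static untagged VLAN
        vlan = port.static_untagged_vlan
    else:                                           # 4. a tagged VLAN the client can operate in
        usable = [v for v in port.tagged_vlans
                  if client_can_use is None or v in client_can_use]
        if not usable:
            raise LookupError("no VLAN available for the authenticated client")
        vlan = usable[0]
    port.sessions[client] = vlan
    return vlan


def client_disconnect(port: AuthenticatorPort, client: str) -> Optional[int]:
    """Drop the client's session and return the port's untagged VLAN afterwards: once no
    session remains, the port moves back to its statically configured untagged VLAN."""
    port.sessions.pop(client, None)
    return current_untagged_vlan(port)


if __name__ == "__main__":
    # Constructed sample port: static VLAN 1, Unauthorized-Client VLAN 99, Authorized-Client VLAN 10
    p = AuthenticatorPort(static_untagged_vlan=1, tagged_vlans=[20],
                          unauth_client_vlan=99, auth_client_vlan=10)
    print("failed auth ->", vlan_after_failed_auth(p))
    print("first client, RADIUS VLAN 30 ->", vlan_after_successful_auth(p, "laptop-a", radius_vlan=30))
    print("after disconnect ->", client_disconnect(p, "laptop-a"))
```

The model makes the table's ordering visible in one place: a RADIUS-assigned VLAN wins over the Authorized-Client VLAN, which wins over the static untagged VLAN, and tagged VLANs are only a last resort. Running validate() before any assignment mirrors the CAUTION row as a configuration check rather than relying on operators to remember it.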