Access Security Guide K/KA/KB.15.15

Table 55 Condition for authorized client and unauthorized client VLANs (continued)

Rule | Condition

(rule continued from the previous page) | previously-existing client session, and the new client must operate in this same VLAN, regardless of other factors. (This means that a client without 802.1X client authentication software cannot access a configured Unauthenticated-Client VLAN if another, authenticated client is already using the port.)

Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to Allow Multiple-Client Access | You can optionally enable switches to allow up to 32 clients per port. The Unauthorized-Client VLAN feature can operate on an 802.1X-configured port regardless of how many clients the port is configured to support. However, all clients on the same port must operate through the same untagged VLAN membership (unless MAC-based VLANs are enabled; see “MAC-based VLANs” (page 197)). This means that any client accessing a given port must be able to authenticate and operate on the same VLAN as any other previously authenticated clients that are currently using the port. Thus, an Unauthorized-Client VLAN configured on a switch port that allows multiple 802.1X clients cannot be used if there is already an authenticated client using the port on another VLAN. Also, a client using the Unauthenticated-Client VLAN will be blocked when another client becomes authenticated on the port. For this reason, the best use of the Unauthorized-Client VLAN feature is in instances where only one client is allowed per port. Otherwise, unauthenticated clients are subject to being blocked at any time by authenticated clients using a different VLAN. (Using the same VLAN for authenticated and unauthenticated clients can create a security risk and is not recommended.)
NOTE: If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other.
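The multi-client limitation above is easiest to reason about as a small admission model. The following is an added example (not code from the HP guide or the switch firmware) that encodes the rules in Table 55: one untagged VLAN per port, a configurable client limit, and displacement of Unauthorized-Client VLAN members when a client authenticates. The class and field names are my own assumptions; MAC-based VLANs are not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Client:
    mac: str                    # constructed sample identifier, not a real address
    authenticated: bool
    vlan: Optional[int] = None  # VLAN assigned on authentication; None if unauthenticated


@dataclass
class AuthPort:
    unauth_vid: int             # configured Unauthorized-Client VLAN
    client_limit: int = 1       # the guide allows up to 32 per port
    clients: List[Client] = field(default_factory=list)

    def port_vlan(self) -> Optional[int]:
        """Untagged VLAN the port is currently operating in (None when idle)."""
        if not self.clients:
            return None
        c = self.clients[0]
        return c.vlan if c.authenticated else self.unauth_vid

    def admit(self, client: Client) -> Tuple[bool, str, List[str]]:
        """Apply the per-port rules. Returns (admitted, reason, MACs blocked as a result)."""
        blocked: List[str] = []
        if client.authenticated:
            # A newly authenticated client displaces clients sitting in the
            # Unauthorized-Client VLAN (they are blocked, per Table 55).
            blocked = [c.mac for c in self.clients if not c.authenticated]
            self.clients = [c for c in self.clients if c.authenticated]
        if len(self.clients) >= self.client_limit:
            return False, "client limit reached", blocked
        current = self.port_vlan()
        wanted = client.vlan if client.authenticated else self.unauth_vid
        if current is not None and current != wanted:
            # All clients on a port must share one untagged VLAN membership.
            return False, f"port already operating in VLAN {current}", blocked
        self.clients.append(client)
        return True, f"admitted in VLAN {wanted}", blocked
```

Running the sequence "unauthenticated client, then an authenticated client on another VLAN, then a second unauthenticated client" shows the first unauthenticated client being blocked and the second refused, which is the reason the guide recommends this feature on single-client ports.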
General Operating Rules and Notes

• In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed:
  • Multicast and broadcast traffic is allowed on the port.
  • Unicast traffic to authenticated clients on the port is allowed.
  • All traffic from authenticated clients on the port is allowed.
• When a port on the switch is configured as either an authenticator or supplicant and is connected to another device, rebooting the switch causes a re-authentication of the link.
• Using user-based 802.1X authentication, when a port on the switch is configured as an authenticator, the port allows only authenticated clients, up to the currently configured client limit.
• For clients that do not have the proper 802.1X supplicant software, the optional 802.1X Open VLAN mode can be used to open a path for downloading 802.1X supplicant software to a client or to provide other services for unauthenticated clients. See “802.1X Open VLAN mode” (page 342).
• Using port-based 802.1X authentication, when a port on the switch is configured as an authenticator, one authenticated client opens the port. Other clients that are not running an 802.1X supplicant application can have access to the switch and network through the opened port. If another client uses an 802.1X supplicant application to access the opened port, then
Overview 493