ProCurve Series 2300 and 2500 Switches Release Notes

Enhancements in Release F.05.xx
Configuring Port-Based Access Control (802.1x)
Tagged VLAN Membership: This type of VLAN membership allows a port to be a member of multiple
VLANs simultaneously. If a client connected to the port has an operating system that supports
802.1q VLAN tagging, then the client can access VLANs for which the port is a tagged member.
If the client does not support VLAN tagging, then it can access only a VLAN for which the port
is an untagged member. (A port can be an untagged member of only one VLAN at a time.) 802.1x
Open VLAN mode does not affect a port’s tagged VLAN access unless the port is statically
configured as a member of a VLAN that is also configured as the Unauthorized-Client or
Authorized-Client VLAN. See also “Untagged VLAN Membership”.
Unauthorized-Client VLAN: A conventional, static VLAN previously configured on the switch by
the System Administrator. It is used to provide access to a client prior to authentication. It should
be set up to allow an unauthenticated client to access only the initialization services necessary
to establish an authenticated connection, plus any other desirable services whose use by an
unauthenticated client poses no security threat to your network. (Note that an unauthenticated
client has access to all network resources that have membership in the VLAN you designate as
the Unauthorized-Client VLAN.) A port configured to use a given Unauthorized-Client VLAN does
not have to be statically configured as a member of that VLAN as long as at least one other port
on the switch is statically configured as a tagged or untagged member of the same Unauthorized-
Client VLAN.
Untagged VLAN Membership: A port can be an untagged member of only one VLAN. (In the factory-
default configuration, all ports on the switch are untagged members of the default VLAN.) An
untagged VLAN membership is required for a client that does not support 802.1q VLAN tagging.
A port can simultaneously have one untagged VLAN membership and multiple tagged VLAN
memberships. Depending on how you configure 802.1x Open VLAN mode for a port, a statically
configured, untagged VLAN membership may become unavailable while there is a client session
on the port. See also “Tagged VLAN Membership”.
General Operating Rules and Notes
When a port on the switch is configured as either an authenticator or supplicant and is
connected to another device, rebooting the switch causes a re-authentication of the link.
When a port on the switch is configured as an authenticator, it will block access to a client
that either does not provide the proper authentication credentials or is not 802.1x-aware.
(You can use the optional 802.1x Open VLAN mode to open a path for downloading 802.1x
supplicant software to a client, which enables the client to initiate the authentication
procedure. Refer to “802.1x Open VLAN Mode” on page -34.)
If a port on switch “A” is configured as an 802.1x supplicant and is connected to a port on
another switch, “B”, that is not 802.1x-aware, access to switch “B” occurs without 802.1x
security protection. A supplicant configuration enforces nothing by itself; authentication is
only enforced by the authenticator side of the link.
You can configure a port as both an 802.1x authenticator and an 802.1x supplicant.
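The membership rules in the definitions above (one untagged VLAN per port, tagged access only for a tagging client, the Unauthorized-Client VLAN needing only to exist statically on some port, the static untagged VLAN being unavailable during an Open VLAN mode session) and the operating note that an authenticator port blocks an unauthenticated client unless Open VLAN mode is configured, expressed as a small Python model that checks a planned port configuration before it is typed into the switch. This is an added example, not code or CLI syntax from the ProCurve release notes; the Port and Switch classes, the port numbers and the VLAN IDs are assumed for illustration, and the behaviour is modelled from the wording of this page only (the one case the page leaves unspecified is marked as an assumption in the code).

```python
"""Model of the 802.1x Open VLAN mode membership rules as described in the release notes.
Added example; the classes, VLAN IDs and port numbers are assumptions, not switch output."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Port:
    """Static configuration of one switch port, following the definitions in the text."""
    name: str
    untagged: int | None = None                      # untagged member of at most one VLAN
    tagged: set[int] = field(default_factory=set)    # tagged member of any number of VLANs
    authenticator: bool = False                      # 802.1x authenticator enabled on the port
    unauth_vid: int | None = None                    # Unauthorized-Client VLAN (Open VLAN mode)
    auth_vid: int | None = None                      # Authorized-Client VLAN (Open VLAN mode)


@dataclass
class Switch:
    ports: dict[str, Port]

    def static_vlans(self) -> set[int]:
        """Every VLAN that exists on the switch: one some port is a static member of."""
        vids: set[int] = set()
        for p in self.ports.values():
            if p.untagged is not None:
                vids.add(p.untagged)
            vids |= p.tagged
        return vids

    def validate(self) -> list[str]:
        """Check the configuration against the rules in the text; returns violations."""
        problems: list[str] = []
        existing = self.static_vlans()
        for p in self.ports.values():
            if p.untagged is not None and p.untagged in p.tagged:
                problems.append(f"port {p.name}: VLAN {p.untagged} is both tagged and untagged")
            for label, vid in (("unauth-vid", p.unauth_vid), ("auth-vid", p.auth_vid)):
                if vid is None:
                    continue
                if not p.authenticator:
                    problems.append(f"port {p.name}: {label} set but port is not an authenticator")
                # The port itself need not be a member of the VLAN, but at least one port on
                # the switch must be a static tagged or untagged member of it.
                if vid not in existing:
                    problems.append(f"port {p.name}: {label} {vid} is not a static VLAN on any port")
        return problems

    @staticmethod
    def _static_access(p: Port, client_tags: bool) -> set[int]:
        """VLANs reachable through plain static membership for a (non-)tagging client."""
        vids: set[int] = set()
        if p.untagged is not None:
            vids.add(p.untagged)
        if client_tags:
            vids |= p.tagged
        return vids

    def reachable(self, port_name: str, client_tags: bool, authenticated: bool) -> set[int]:
        """VLANs a client on the port can reach, given whether its OS supports 802.1q
        tagging and whether it has completed 802.1x authentication on the port."""
        p = self.ports[port_name]
        if not p.authenticator:
            return self._static_access(p, client_tags)
        if not authenticated:
            if p.unauth_vid is None:
                return set()           # authenticator without Open VLAN mode blocks the client
            temp = p.unauth_vid
        else:
            temp = p.auth_vid          # None: authenticated client uses the static memberships
        if temp is None:
            return self._static_access(p, client_tags)
        # During the session the port is an untagged member of the temporary VLAN and the
        # static untagged VLAN is unavailable. Tagged memberships are unaffected unless the
        # temporary VLAN is one of them; the text does not say how that case behaves, so the
        # model assumes the VLAN is then reached untagged only (assumption).
        vids = {temp}
        if client_tags:
            vids |= p.tagged - {temp}
        return vids

    def exposed_before_auth(self, port_name: str) -> set[int]:
        """Static VLANs, other than the Unauthorized-Client VLAN, that an unauthenticated
        tagging client could reach on the port: review these before enabling Open VLAN mode."""
        p = self.ports[port_name]
        return self.reachable(port_name, client_tags=True, authenticated=False) - {p.unauth_vid}


# Constructed sample (assumed IDs): VLAN 1 default, 10 = Unauthorized-Client VLAN,
# 20 = Authorized-Client VLAN, 30 = a server VLAN the edge port is a static tagged member of.
SAMPLE = Switch(ports={
    "1": Port("1", untagged=1, tagged={30}, authenticator=True, unauth_vid=10, auth_vid=20),
    "2": Port("2", untagged=10),                       # e.g. host serving supplicant software
    "3": Port("3", untagged=20),
    "4": Port("4", untagged=1, authenticator=True),    # authenticator without Open VLAN mode
})

if __name__ == "__main__":
    print("violations:", SAMPLE.validate())
    for tags in (False, True):
        for auth in (False, True):
            print(f"port 1 tags={tags} auth={auth}:", sorted(SAMPLE.reachable("1", tags, auth)))
    print("static VLANs exposed before authentication on port 1:", SAMPLE.exposed_before_auth("1"))
```

Run it on the planned configuration and look at the exposed_before_auth result for every authenticator port: under the rule that Open VLAN mode does not touch tagged memberships, a static tagged membership on an edge port is reachable by a tagging client before it authenticates, so such memberships belong only on ports where that is intended.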