HP (Hewlett-Packard) 2300 Switch User Manual

Enhancements in Release F.05.05 through F.05.70
Enhancements in Release F.05.05 through F.05.60
Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 63.
802.1X Open VLAN Operating Notes
Although you can configure Open VLAN mode with the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended. Using the same VLAN for both purposes allows unauthenticated clients access to a VLAN intended only for authenticated clients, which is a security exposure.
While an Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the port from any other statically configured VLAN for which that port is configured as an untagged member. Note that the Menu interface will still display the port’s statically configured VLAN.
An Unauthorized-Client VLAN should not be statically configured on any switch port that
allows access to resources that must be protected from unauthenticated clients.
If a port is configured as a tagged member of a VLAN that is not used as an Unauthorized-Client, Authorized-Client, or RADIUS-assigned VLAN, then the client can access such VLANs only if it is capable of operating in a tagged VLAN environment. Otherwise, the client can access only the Unauthorized-Client VLAN (before authentication) and either the Authorized-Client or RADIUS-assigned VLAN after authentication. (In all three cases, membership will be untagged, regardless of any static configuration specifying tagged membership.) If there is no Authorized-Client or RADIUS-assigned VLAN, then an authenticated client can access only a statically configured, untagged VLAN on that port.
When a client’s authentication attempt on an Unauthorized-Client VLAN fails, the port
remains a member of the Unauthorized-Client VLAN until the client disconnects from the
port.
During an authentication session on a port in 802.1X Open VLAN mode, if RADIUS specifies
membership in an untagged VLAN, this assignment overrides port membership in the
Authorized-Client VLAN. If there is no Authorized-Client VLAN configured, then the RADIUS
assignment overrides any untagged VLAN for which the port is statically configured.
If an authenticated client loses authentication during a session in 802.1X Open VLAN mode, the port VLAN membership reverts to the Unauthorized-Client VLAN.
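As an added illustration (not from the HP manual), the following Python model encodes the membership rules in the operating notes above, so you can work out which VLANs a client reaches on a port in each state and flag the shared-VLAN misconfiguration before deploying. The field names (`unauth_vid`, `auth_vid`, and so on) are assumptions for the model, not the switch's CLI syntax; where the notes do not say whether static tagged VLANs are reachable before authentication, the model assumes a tag-capable client can reach them in any state (the conservative reading for an audit).

```python
from dataclasses import dataclass, field
from typing import Optional, Set, List, Dict

@dataclass
class PortConfig:
    """Static port settings (assumed field names, not the switch CLI)."""
    static_untagged: Optional[int]          # statically configured untagged VLAN
    static_tagged: Set[int] = field(default_factory=set)
    unauth_vid: Optional[int] = None        # Unauthorized-Client VLAN
    auth_vid: Optional[int] = None          # Authorized-Client VLAN

def config_findings(cfg: PortConfig) -> List[str]:
    """Audit check for the note that the two Open VLAN roles must not share a VLAN."""
    findings = []
    if cfg.unauth_vid is not None and cfg.unauth_vid == cfg.auth_vid:
        findings.append("Unauthorized- and Authorized-Client VLAN are the same VLAN; "
                        "unauthenticated clients reach the authenticated-only VLAN")
    return findings

def effective_membership(cfg: PortConfig, state: str,
                         radius_vid: Optional[int] = None,
                         tag_capable: bool = False) -> Dict[str, object]:
    """Return {'untagged': vid_or_None, 'tagged': set_of_vids} as seen by the client.

    state is 'unauthenticated', 'failed' (attempt failed, client still attached)
    or 'authenticated'.  A loss of authentication is modelled by calling again
    with state 'unauthenticated', which reverts to the Unauthorized-Client VLAN.
    """
    special = {v for v in (cfg.unauth_vid, cfg.auth_vid, radius_vid) if v is not None}
    # Membership in the three special VLANs is always untagged, so they never
    # appear in the tagged set; other static tagged VLANs need a tag-capable client.
    tagged = (cfg.static_tagged - special) if tag_capable else set()

    if state in ("unauthenticated", "failed"):
        # The port is temporarily removed from its static untagged VLAN while the
        # Unauthorized-Client VLAN is in use, and a failed attempt keeps the client
        # there until it disconnects.  With no unauth_vid there is no access yet.
        return {"untagged": cfg.unauth_vid, "tagged": tagged}

    # Authenticated: a RADIUS untagged assignment overrides the Authorized-Client
    # VLAN, which in turn replaces the static untagged VLAN.
    if radius_vid is not None:
        untagged = radius_vid
    elif cfg.auth_vid is not None:
        untagged = cfg.auth_vid
    else:
        untagged = cfg.static_untagged
    return {"untagged": untagged, "tagged": tagged}
```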