HP (Hewlett-Packard) 2800 Series Switch User Manual


 
8-24
Configuring Port-Based Access Control (802.1X)
802.1X Open VLAN Mode
Open VLAN Mode with Only an Unauthorized-Client VLAN Configured:
When the port detects a client, it automatically becomes an
untagged member of this VLAN. To limit security risks, the network
services and access available on this VLAN should include only
what a client needs to enable an authentication session. If the port
is statically configured as an untagged member of another VLAN,
the switch temporarily removes the port from membership in this
other VLAN while membership in the Unauthorized-Client VLAN
exists.
After the client is authenticated, and if the port is statically
configured as an untagged member of another VLAN, the port’s
access to this other VLAN is restored.
Note: If RADIUS authentication assigns a VLAN to the port, this
assignment overrides any statically configured, untagged VLAN
membership on the port (while the client is connected).
If the port is statically configured as a tagged member of a VLAN
that is not used by 802.1X Open VLAN mode, the port returns to
tagged membership in this VLAN upon successful client
authentication. This happens even if the RADIUS server assigns
the port to another, authorized VLAN. Note that if the port is already
configured as a tagged member of a VLAN that RADIUS assigns
as an authorized VLAN, then the port becomes an untagged
member of that VLAN for the duration of the client connection.
After the client disconnects, the port returns to tagged
membership in that VLAN.
Open VLAN Mode with Only an Authorized-Client VLAN Configured:
Port automatically blocks a client that cannot initiate an
authentication session.
If the client successfully completes an authentication session, the
port becomes an untagged member of this VLAN.
Note: if RADIUS authentication assigns a VLAN, the port
temporarily becomes an untagged member of the RADIUS-
assigned VLAN —instead of the Authorized-Client VLAN—while
the client is connected.
If the port is statically configured as a tagged member of any other
VLAN, the port returns to tagged membership in this VLAN upon
successful client authentication. This happens even if the RADIUS
server assigns the port to another, authorized VLAN. If the port is
already configured as a tagged member of a VLAN that RADIUS
assigns as an authorized VLAN, then the port becomes an
untagged member of that VLAN for the duration of the client
connection. After the client disconnects, the port returns to
tagged membership in that VLAN.
802.1X Per-Port Configuration Port Response