Operating Rules for Authorized-Client and Unauthorized-Client VLANs – HP 4100GL User Manual


Configuring Port-Based Access Control (802.1x)
802.1x Open VLAN Mode

Operating Rules for Authorized-Client and Unauthorized-Client VLANs

Condition: Static VLANs used as Authorized-Client or Unauthorized-Client VLANs

Rule: These must be configured on the switch before you configure an
802.1x authenticator port to use them. (Use the vlan < vlan-id >
command or the VLAN Menu screen in the Menu interface.)

Condition: VLAN Assignment Received from a RADIUS Server

Rule: If the RADIUS server specifies a VLAN for an authenticated supplicant
connected to an 802.1x authenticator port, this VLAN assignment
overrides any Authorized-Client VLAN assignment configured on the
authenticator port. This is because both VLANs are untagged, and the
switch allows only one untagged VLAN membership per-port. For
example, suppose you configured port A4 to place authenticated
supplicants in VLAN 20. If a RADIUS server authenticates supplicant
"A" and assigns this supplicant to VLAN 50, then the port can access
VLAN 50 for the duration of the client session. When the client
disconnects from the port, then the port drops these assignments and uses
only the VLAN memberships for which it is statically configured.

Condition: Temporary VLAN Membership During a Client Session

Rule:
• Port membership in a VLAN assigned to operate as the
  Unauthorized-Client VLAN is temporary, and ends when the client
  receives authentication or the client disconnects from the port,
  whichever is first.
• Port membership in a VLAN assigned to operate as the
  Authorized-Client VLAN is also temporary, and ends when the client
  disconnects from the port. If a VLAN assignment from a RADIUS
  server is used instead, the same rule applies.

Condition: Effect of Unauthorized-Client VLAN session on untagged port VLAN membership

Rule:
• When an unauthenticated client connects to a port that is already
  configured with a static, untagged VLAN, the switch temporarily
  moves the port to the Unauthorized-Client VLAN (also untagged).
  (While the Unauthorized-Client VLAN is in use, the port does not
  access the static, untagged VLAN.)
• When the client either becomes authenticated or disconnects, the
  port leaves the Unauthorized-Client VLAN and reacquires its
  untagged membership in the statically configured VLAN.

Condition: Effect of Authorized-Client VLAN session on untagged port VLAN membership

Rule:
• When a client becomes authenticated on a port that is already
  configured with a static, untagged VLAN, the switch temporarily
  moves the port to the Authorized-Client VLAN (also untagged).
  While the Authorized-Client VLAN is in use, the port does not have
  access to the statically configured, untagged VLAN.
• When the authenticated client disconnects, the switch removes the
  port from the Authorized-Client VLAN and moves it back to the
  untagged membership in the statically configured VLAN.
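
The rules above can be modelled as a small state machine that reports which untagged VLAN a port should hold after each event, which helps when checking a switch's observed behavior during an audit. This is an added example, not code from the HP manual: the class and method names, static VLAN 1 and Unauthorized-Client VLAN 10 are assumptions, while VLAN 20 on port A4 and the RADIUS-assigned VLAN 50 come from the manual's example.

```python
# Added illustration (not from the manual). VLANs 1 and 10 are assumed values.

class AuthenticatorPort:
    """Untagged VLAN membership of one 802.1x authenticator port."""

    def __init__(self, switch_vlans, static_vid, auth_vid=None, unauth_vid=None):
        # Rule 1: VLANs must exist on the switch before a port can use them.
        for vid in (static_vid, auth_vid, unauth_vid):
            if vid is not None and vid not in switch_vlans:
                raise ValueError(f"VLAN {vid} is not configured on the switch")
        self.static_vid = static_vid
        self.auth_vid = auth_vid
        self.unauth_vid = unauth_vid
        self.untagged = static_vid  # a port holds only one untagged VLAN

    def client_connects(self):
        # Unauthenticated client: temporary move to the Unauthorized-Client VLAN.
        # With none configured, this model leaves membership unchanged (not in table).
        if self.unauth_vid is not None:
            self.untagged = self.unauth_vid
        return self.untagged

    def client_authenticates(self, radius_vid=None):
        # A RADIUS-assigned VLAN overrides the port's Authorized-Client VLAN;
        # with neither, the port reacquires its static untagged VLAN.
        if radius_vid is not None:
            self.untagged = radius_vid
        elif self.auth_vid is not None:
            self.untagged = self.auth_vid
        else:
            self.untagged = self.static_vid
        return self.untagged

    def client_disconnects(self):
        # All temporary memberships end; only static configuration remains.
        self.untagged = self.static_vid
        return self.untagged


def trace(port, events):
    """Apply (method_name, kwargs) events; return the untagged VLAN after each."""
    return [getattr(port, name)(**kwargs) for name, kwargs in events]


if __name__ == "__main__":
    a4 = AuthenticatorPort({1, 10, 20, 50}, static_vid=1, auth_vid=20, unauth_vid=10)
    session = [("client_connects", {}), ("client_authenticates", {"radius_vid": 50}),
               ("client_disconnects", {})]
    print(trace(a4, session))
```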
