Inspecting 802.1x Open VLAN Mode Operation, 802.1x Open VLAN Operating Notes – HP 4100GL User Manual


Configuring Port-Based Access Control (802.1x)
802.1x Open VLAN Mode

Inspecting 802.1x Open VLAN Mode Operation.

For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1x Open VLAN Mode Status” on page 6-38.

802.1x Open VLAN Operating Notes

Although you can configure Open VLAN mode with the same VLAN for
both the Unauthorized-Client VLAN and the Authorized-Client VLAN,
this is not recommended. Using the same VLAN for both purposes
gives unauthenticated clients access to a VLAN intended only for
authenticated clients, which is a security breach.

While an Unauthorized-Client VLAN is in use on a port, the switch
temporarily removes the port from any other statically configured
VLAN for which that port is configured as an untagged member. Note
that the Menu interface will still display the port’s statically
configured VLAN.

An Unauthorized-Client VLAN should not be statically configured on
any switch port that allows access to resources that must be protected
from unauthenticated clients.

If a port is configured as a tagged member of a VLAN that is not used
as an Unauthorized-Client, Authorized-Client, or RADIUS-assigned
VLAN, then the client can access such VLANs only if it is capable of
operating in a tagged VLAN environment. Otherwise, the client can
access only the Unauthorized-Client VLAN (before authentication)
and either the Authorized-Client or RADIUS-assigned VLAN after
authentication. (In all three cases, membership will be untagged,
regardless of any static configuration specifying tagged membership.)
If there is no Authorized-Client or RADIUS-assigned VLAN, then an
authenticated client can access only a statically configured, untagged
VLAN on that port.

When a client’s authentication attempt on an Unauthorized-Client
VLAN fails, the port remains a member of the Unauthorized-Client
VLAN until the client disconnects from the port.

During an authentication session on a port in 802.1x Open VLAN
mode, if RADIUS specifies membership in an untagged VLAN, this
assignment overrides port membership in the Authorized-Client
VLAN. If there is no Authorized-Client VLAN configured, then the
RADIUS assignment overrides any untagged VLAN for which the port
is statically configured.
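The membership rules in these operating notes, expressed as an added model (example code, not part of the HP manual or the switch firmware): which untagged VLAN a client lands in before, during and after authentication, which statically tagged VLANs a tag-capable client can still reach, and a check for the same-VLAN misconfiguration warned about above. The port object and VLAN numbers are constructed for illustration; tagged-VLAN handling follows the text as stated.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class OpenVlanPort:
    """Static 802.1x Open VLAN configuration of one port (constructed model)."""
    unauth_vid: Optional[int]       # Unauthorized-Client VLAN, if configured
    auth_vid: Optional[int]         # Authorized-Client VLAN, if configured
    static_untagged: Optional[int]  # statically configured untagged VLAN
    static_tagged: Set[int] = field(default_factory=set)  # static tagged VLANs

def config_warnings(port: OpenVlanPort) -> List[str]:
    """Flag the misconfiguration the operating notes advise against."""
    warnings = []
    if port.unauth_vid is not None and port.unauth_vid == port.auth_vid:
        warnings.append(
            f"VLAN {port.unauth_vid} is both the Unauthorized-Client and the "
            "Authorized-Client VLAN: unauthenticated clients reach a VLAN "
            "intended only for authenticated clients")
    return warnings

def effective_membership(port: OpenVlanPort, state: str,
                         radius_vid: Optional[int] = None,
                         client_tag_capable: bool = False
                         ) -> Tuple[Optional[int], Set[int]]:
    """Return (untagged VLAN the client lands in, tagged VLANs it can reach).
    state is 'unauthenticated', 'failed' or 'authenticated'."""
    if state in ("unauthenticated", "failed"):
        # Unauthorized-Client VLAN in use: the port is temporarily removed
        # from every other static untagged VLAN. A failed attempt leaves the
        # port there until the client disconnects.
        untagged = port.unauth_vid
    elif state == "authenticated":
        if radius_vid is not None:
            # A RADIUS-assigned untagged VLAN overrides the Authorized-Client
            # VLAN, or the static untagged VLAN if none is configured.
            untagged = radius_vid
        elif port.auth_vid is not None:
            untagged = port.auth_vid
        else:
            untagged = port.static_untagged
    else:
        raise ValueError(f"unknown state {state!r}")
    # Membership in the unauth/auth/RADIUS VLAN is always untagged; other
    # statically tagged VLANs are reachable only by a tag-capable client.
    reserved = {port.unauth_vid, port.auth_vid, radius_vid}
    tagged = ({v for v in port.static_tagged if v not in reserved}
              if client_tag_capable else set())
    return untagged, tagged
```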

6-30
