Configuring Port-Based Access Control (802.1x)
802.1x Open VLAN Mode

Inspecting 802.1x Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1x Open VLAN Mode Status” on page 8-39.

802.1x Open VLAN Operating Notes

■ Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended. Using the same VLAN for both purposes allows unauthenticated clients access to a VLAN intended only for authenticated clients, which poses a security breach.

■ While an Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the port from any other statically configured VLAN for which that port is configured as a member. Note that the Menu interface will still display the port’s statically configured VLAN(s).

■ A VLAN used as the Unauthorized-Client VLAN should not allow access to resources that must be protected from unauthenticated clients.

■ If a port is configured as a tagged member of VLAN "X" that is not used as an Unauthorized-Client, Authorized-Client, or RADIUS-assigned VLAN, then the port returns to tagged membership in VLAN "X" upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN "Y". Note that if RADIUS assigns VLAN "X" as an authorized VLAN, then the port becomes an untagged member of VLAN "X" for the duration of the client connection. After the client disconnects, the port returns to tagged membership in VLAN "X". (If there is no Authorized-Client or RADIUS-assigned VLAN, then an authenticated client without tagged VLAN capability can access only a statically configured, untagged VLAN on that port.)

■ When a client’s authentication attempt on an Unauthorized-Client VLAN fails, the port remains a member of the Unauthorized-Client VLAN until the client disconnects from the port.

■ During an authentication session on a port in 802.1x Open VLAN mode, if RADIUS specifies membership in an untagged VLAN, this assignment overrides port membership in the Authorized-Client VLAN. If there is no Authorized-Client VLAN configured, then the RADIUS assignment overrides any untagged VLAN for which the port is statically configured.
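The operating notes above amount to a precedence rule for a port's VLAN membership plus two configuration checks. The following Python model is an added example, not code from the switch or the manual, that computes the membership for each authentication state and flags the two misconfigurations the notes warn about. The names PortConfig, effective_vlans, audit and the VLAN IDs are hypothetical, and cases the notes do not cover are marked as assumptions in the comments.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class PortConfig:  # hypothetical model, not a switch data structure
    static_untagged: Optional[int] = None
    static_tagged: Set[int] = field(default_factory=set)
    unauth_vid: Optional[int] = None   # Unauthorized-Client VLAN
    auth_vid: Optional[int] = None     # Authorized-Client VLAN

def effective_vlans(cfg: PortConfig, authenticated: bool,
                    radius_vid: Optional[int] = None) -> Tuple[Optional[int], Set[int]]:
    """Return (untagged VLAN, tagged VLANs) the port carries in this state."""
    if not authenticated:  # covers "not yet authenticated" and "attempt failed"
        # In use, the Unauthorized-Client VLAN displaces every static membership.
        # Assumption: with none configured, the port carries no client traffic.
        return cfg.unauth_vid, set()
    # Untagged precedence: RADIUS > Authorized-Client VLAN > static untagged.
    untagged = next((v for v in (radius_vid, cfg.auth_vid, cfg.static_untagged)
                     if v is not None), None)
    # Tagged VLAN "X" returns only if it is not an Open VLAN or RADIUS VLAN.
    # Assumption: other tagged VLANs are omitted; the notes do not cover them.
    special = {cfg.unauth_vid, cfg.auth_vid, radius_vid}
    return untagged, {v for v in cfg.static_tagged if v not in special}

def audit(cfg: PortConfig, protected: Set[int]) -> List[str]:
    """Flag the two misconfigurations the operating notes warn about."""
    findings = []
    if cfg.unauth_vid is not None and cfg.unauth_vid == cfg.auth_vid:
        findings.append("unauth_vid equals auth_vid")
    if cfg.unauth_vid in protected:
        findings.append("unauth_vid reaches protected resources")
    return findings

# Constructed sample: static untagged VLAN 10, tagged VLAN 30, Open VLANs 99/20.
SAMPLE = PortConfig(static_untagged=10, static_tagged={30}, unauth_vid=99, auth_vid=20)

if __name__ == "__main__":
    print("unauthenticated:", effective_vlans(SAMPLE, False))
    print("authenticated:", effective_vlans(SAMPLE, True))
    print("RADIUS assigns 40:", effective_vlans(SAMPLE, True, radius_vid=40))
    print("RADIUS assigns 30:", effective_vlans(SAMPLE, True, radius_vid=30))
    print("audit:", audit(PortConfig(unauth_vid=20, auth_vid=20), protected={20}))
```

The `protected` set is supplied by the operator: the VLAN IDs that carry resources unauthenticated clients must not reach.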