HP ProCurve 2910al Access Security Manual page 96

Web and MAC Authentication
Operating Rules and Notes
3-12
1. If there is a RADIUS-assigned VLAN, then, for the duration of the
client session, the port belongs to this VLAN and temporarily
drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of
the client session, the port belongs to the Authorized VLAN (if
configured) and temporarily drops all other VLAN memberships.
3. If neither 1 or 2, above, apply, but the port is an untagged member
of a statically configured, port-based VLAN, then the port remains
in this VLAN.
4. If neither 1, 2, or 3, above, apply, then the client session does not
have access to any statically configured, untagged VLANs and
client access is blocked.
• After an authorized client session begins on a given port, the port's
VLAN membership does not change. If other clients on the same port
become authenticated with a different VLAN assignment than the first
client, the port blocks access to these other clients until the first client
session ends.
• The optional "authorized" VLAN (auth-vid) and "unauthorized" VLAN
(unauth-vid) you can configure for Web- or MAC-based authentication
must be statically configured VLANs on the switch. Also, if you
configure one or both of these options, any services you want clients
in either category to access must be available on those VLANs.
Where a given port's configuration includes an unauthorized client VLAN
■
assignment, the port will allow an unauthenticated client session only
while there are no requests for an authenticated client session on that
port. In this case, if there is a successful request for authentication from
an authorized client, the switch terminates the unauthorized-client ses­
sion and begins the authorized-client session.
■ When a port on the switch is configured for Web or MAC Authentication
and is supporting a current session with another device, rebooting the
switch invokes a re-authentication of the connection.
When a port on the switch is configured as a Web- or MAC-based authen­
■
ticator, it blocks access to a client that does not provide the proper
authentication credentials. If the port configuration includes an optional,
unauthorized VLAN (unauth-vid), the port is temporarily placed in the
unauthorized VLAN if there are no other authorized clients currently using
the port with a different VLAN assignment. If an authorized client is using
the port with a different VLAN or if there is no unauthorized VLAN
configured, the unauthorized client does not receive access to the net­
work.
Web- or MAC-based authentication and LACP cannot both be enabled on
■
the same port.