HP 3500yl Series Access Security Manual page 619

Configuring Port-Based and User-Based Access Control (802.1X)
Terminology
designate as the Unauthorized-Client VLAN.) A port configured to use a
given Unauthorized-Client VLAN does not have to be statically configured
as a member of that VLAN as long as at least one other port on the switch
is statically configured as a tagged or untagged member of the same
Unauthorized-Client VLAN. An unauthorized-client VLAN is available on
a port only if there is no authenticated client already using the port.
Untagged Membership in a VLAN: A port can be an untagged member of
only one VLAN (unless MAC-based VLANs are enabled. Please see "MAC-
Based VLANs" on page 6-51). (In the factory-default configuration, all
ports on the switch are untagged members of the default VLAN.) An
untagged VLAN membership is required for a client that does not support
802.1q VLAN tagging. A port can simultaneously have one untagged VLAN
membership and multiple tagged VLAN memberships. Depending on how
you configure 802.1X Open VLAN mode for a port, a statically configured,
untagged VLAN membership may become unavailable while there is a
client session on the port. See also "Tagged Membership in a VLAN".
13-7