Vlan Membership Priority - HP 3500yl Series Access Security Manual

N o t e
Note
The switches covered in this guide can use either 802.1X port-based authen-
tication or 802.1X user-based authentication. For more information, refer to
"User Authentication Methods" on page 13-2.

VLAN Membership Priority

Following client authentication, an 802.1X port resumes membership in any
tagged VLANs for which it is already assigned in the switch configuration. The
port also becomes an untagged member of one VLAN according to the follow-
ing order of options:
a. 1st Priority: The port joins a VLAN to which it has been assigned by
a RADIUS server during client authentication.
b. 2nd Priority: If RADIUS authentication does not include assigning
the port to a VLAN, then the switch assigns the port to the VLAN
entered in the port's 802.1X configuration as an Authorized-Client
VLAN, if configured.
c. 3rd Priority: If the port does not have an Authorized-Client VLAN
configured, but does have a static, untagged VLAN membership in its
configuration, then the switch assigns the port to this VLAN.
A port assigned to a VLAN by an Authorized-Client VLAN configuration
(or a RADIUS server) will be an untagged member of the VLAN for the
duration of the authenticated session. This applies even if the port is also
configured in the switch as a tagged member of the same VLAN.
On the switches covered in this guide, using the same port for both
RADIUS-assigned clients and clients using a configured, Authorized-Cli-
ent VLAN is not recommended. This is because doing so can result in
authenticated clients with mutually exclusive VLAN priorities, which
means that some authenticated clients can be denied access to the port.
Refer to figure 13-1 on page 13-10.
Configuring Port-Based and User-Based Access Control (802.1X)
General 802.1X Authenticator Operation
13-9