HP ProCurve Series 3400cl Release Notes page 195


Drop offer from <DHCP server IP address> of <DHCP address offer>
because the address is assigned to some other client
Drop request from <MAC address of client requesting an IP address
that is already in use> for <IP address requested by client> because
the address is assigned to some other client
DHCP-Snooping (PR_0000019155) — DHCP-Snooping does not correctly identify that
a packet is a fragment, and drops UDP fragments if a hex value of 44 (68 decimal) is present
in the payload where the header is usually located (in a non-fragment).
Unauthenticated VLAN (PR_0000010533) — The switch allows an inherent configuration
conflict; an unauthenticated VLAN (unauth-vid) can be configured concurrently for both
802.1X and Web/MAC authentication. This fix will not allow concurrent configuration of an
unauth-vid for the aaa port-access authenticator and aaa port-access web-based or aaa
port-access mac-based functions. Software versions that contain this fix will not allow this
configuration conflict at the CLI. Existing configurations will be altered by this fix, and an
error will be reported at the switch CLI and event log.
Best Practice Tip: 802.1X should not have an unauthenticated VLAN setting when it works
concurrently with Web-based or MAC-based authentication if the unauth-period in 802.1X is zero
(the default value). Recall that the unauth-period is the time that 802.1X will wait for
authentication completion before the client will be authorized on an unauthenticated VLAN. If
802.1X is associated with an unauthenticated VLAN when the unauth-period is zero, Web- or
MAC-auth may not get the opportunity to initiate authentication at all if the first packet from
the client is an 802.1X packet. Alternatively, if the first packet sent was not 802.1X, Web- or
MAC-auth could be initiated before 802.1X places the user in the unauthenticated VLAN. When
Web- or MAC-auth then completes successfully, it will be awaiting traffic (to enable VLAN
assignment) from the client, but the traffic will be restricted to the unauthenticated VLAN,
and thus the client will remain there.
If a MAC- or Web-based configuration on a port is associated with an unauth-VID, and an attempt
is made to configure an unauth-VID for 802.1X (port-access authenticator), the switch with this
fix will reject the configuration change with a message similar to one of the following.
Message 1 (when an unauth-vid config is attempted on a port with an existing Web- or MAC-auth
unauth-vid):
Configuration change denied for port <number>. Only Web or MAC-
authenticator can have unauthenticated VLAN enabled if 802.1X
authenticator is enabled on the same port. Please disable Web and
MAC authentication on this port using the following commands:
"no aaa port-access web-based <PORT-LIST>" or
"no aaa port-access mac-based <PORT-LIST>"
Then you can enable 802.1X authentication with unauthenticated VLAN.
You can re-enable Web and/or MAC authentication after you remove the
unauthenticated VLAN from 802.1X. Note that you can set unauthenticated
VLAN for Web or MAC authentication instead.
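Added example (not part of the HP release notes): a pre-upgrade check that scans a saved configuration for ports where 802.1X and Web- or MAC-based authentication both carry an unauth-vid, which is the conflict this fix rejects and alters. The config line shape, the numeric port names and the sample configuration are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not taken from the release notes).
SAMPLE_CONFIG = """\
aaa port-access authenticator 1-4
aaa port-access authenticator 1-2 unauth-vid 100
aaa port-access authenticator active
aaa port-access web-based 2-3
aaa port-access web-based 2-3 unauth-vid 200
aaa port-access mac-based 5,7 unauth-vid 200
aaa port-access authenticator 7 unauth-vid 100
"""

# Assumed line shape: aaa port-access <method> <port-list> unauth-vid <vlan-id>
# Only numeric port lists such as "1-3,7" are recognised (assumption).
LINE_RE = re.compile(
    r"^\s*aaa port-access (authenticator|web-based|mac-based)"
    r"\s+([\d,-]+)\s+unauth-vid\s+(\d+)\s*$")

def expand_ports(port_list):
    """Expand '1-3,7' into [1, 2, 3, 7]."""
    ports = []
    for part in port_list.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def find_unauth_vid_conflicts(config_text):
    """Return {port: {method: vlan}} for every port where 802.1X and
    Web- or MAC-based authentication both have an unauth-vid."""
    per_port = defaultdict(dict)
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            method, port_list, vlan = m.groups()
            for port in expand_ports(port_list):
                per_port[port][method] = int(vlan)
    return {
        port: methods for port, methods in sorted(per_port.items())
        if "authenticator" in methods
        and methods.keys() & {"web-based", "mac-based"}
    }

if __name__ == "__main__":
    for port, methods in find_unauth_vid_conflicts(SAMPLE_CONFIG).items():
        print(f"port {port}: conflicting unauth-vid settings {methods}")
```

Ports reported here are the ones whose existing configuration the fix will alter, so decide which method keeps the unauthenticated VLAN before loading the new software.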
Software Fixes in Release M.08.51 - M.10.72
Release M.10.72