Enhancements in Release F.05.05 through F.05.70

Enhancements in Release F.05.05 through F.05.60

Operating Rules for Authorized-Client and Unauthorized-Client VLANs
ConditionRule

 

 

Static VLANs used as Authorized- These must be configured on the switch before you configure an Client or Unauthorized-ClientVLANs 802.1X authenticator port to use them. (Use the vlan < vlan-id >

command or the VLAN Menu screen in the Menu interface.)
VLAN Assignment Received from a RADIUS ServerTemporary VLAN Membership During a Client SessionEffect of Unauthorized-Client VLAN session on untagged port VLAN membershipEffect of Authorized-Client VLAN session on untagged port VLAN membership.

If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because both VLANs are untagged, and the switch allows only one untagged VLAN membership per-port. For example, suppose you configured port 4 to place authenticated supplicants in VLAN 20. If a RADIUS server authenticates supplicant “A” and assigns this supplicant to VLAN 50, then the port can access VLAN 50 for the duration of the client session. When the client disconnects from the port, then the port drops these assignments and uses only the VLAN memberships for which it is statically configured.

Port membership in a VLAN assigned to operate as the Unauthorized-Client VLAN is temporary, and ends when the client receives authentication or the client disconnects from the port, whichever is first.

Port membership in a VLAN assigned to operate as the Authorized- Client VLAN is also temporary, and ends when the client disconnects from the port.If a VLAN assignment from a RADIUS server is used instead, the same rule applies.

When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). (While the Unauthorized-Client VLAN is in use, the port does not access the static, untagged VLAN.)

When the client either becomes authenticated or disconnects, the port leaves the Unauthorized-Client VLAN and reacquires its untagged membership in the statically configured VLAN.

When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Authorized-Client VLAN (also untagged). While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN.

When the authenticated client disconnects, the switch removes the port from the Authorized-Client VLAN and moves it back to the untagged membership in the statically configured VLAN.

48