Configuring Port-Based Access Control (802.1x)

802.1x Open VLAN Mode

Operating Rules for Authorized-Client and

Unauthorized-Client VLANs

ConditionRule

 

 

Static VLANs used as Authorized- These must be configured on the switch before you configure an Client or Unauthorized-ClientVLANs 802.1x authenticator port to use them. (Use the vlan < vlan-id>

command or the VLAN Menu screen in the Menu interface.)

VLAN Assignment Received from a If the RADIUS server specifies a VLAN for an authenticated supplicant

RADIUS Serverconnected to an 802.1x authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because both VLANs are untagged, and the switch allows only one untagged VLAN membership per-port. For example, suppose you configured port A4 to place authenticated supplicants in VLAN 20. If a RADIUS server authenticates supplicant "A" and assigns this supplicant to VLAN 50, then the port can access VLAN 50 for the duration of the client session. When the client discon­ nects from the port, then the port drops these assignments and uses only the VLAN memberships for which it is statically configured.

Temporary VLAN Membership During a Client Session

Effect of Unauthorized-Client VLAN session on untagged port VLAN membership

Effect of Authorized-Client VLAN session on untagged port VLAN membership.

Port membership in a VLAN assigned to operate as the Unauthorized-Client VLAN is temporary, and ends when the client receives authentication or the client disconnects from the port, whichever is first.

Port membership in a VLAN assigned to operate as the Authorized- Client VLAN is also temporary, and ends when the client disconnects from the port.If a VLAN assignment from a RADIUS server is used instead, the same rule applies.

When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). (While the Unauthorized-Client VLAN is in use, the port does not access the static, untagged VLAN.)

When the client either becomes authenticated or disconnects, the port leaves the Unauthorized-Client VLAN and reacquires its untagged membership in the statically configured VLAN.

When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Authorized-Client VLAN (also untagged). While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN.

When the authenticated client disconnects, the switch removes the port from the Authorized-Client VLAN and moves it back to the untagged membership in the statically configured VLAN.

6-24