Configuring Port-Based and User-Based Access Control (802.1X)

Overview

Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication.

Supplicant implementation using CHAP authentication and indepen- dent user credentials on each port.

The local operator password configured with the password command for management access to the switch is no longer accepted as an 802.1X authenticator credential. The password port-accesscommand configures the local operator username and password used as 802.1X authentication credentials for access to the switch. The values configured can be stored in a configuration file using the include-credentialscommand. For infor- mation about the password port-accesscommand, see “Do These Steps Before You Configure 802.1X Operation” on page 10-14.

On-demand change of a port’s configured VLAN membership status to support the current client session.

Session accounting with a RADIUS server, including the accounting update interval.

Use of Show commands to display session counters.

Support for concurrent use of 802.1X and either Web authentication or MAC authentication on the same port.

For unauthenticated clients that do not have the necessary 802.1X suppli- cant software (or for other reasons related to unauthenticated clients), there is the option to configure an Unauthorized-Client VLAN. This mode allows you to assign unauthenticated clients to an isolated VLAN through which you can provide the necessary supplicant software and/or other services you want to extend to these clients.

User Authentication Methods

The switch offers two methods for using 802.1X access control. Generally, the “Port Based” method supports one 802.1X-authenticated client on a port, which opens the port to an unlimited number of clients. The “User-Based” method supports up to 32 802.1X-authenticated clients on a port. In both cases, there are operating details to be aware of that can influence your choice of methods.

802.1X User-Based Access Control

802.1X operation with access control on a per-user basis provides client-level security that allows LAN access to individual 802.1X clients (up to 32 per port), where each client gains access to the LAN by entering valid user credentials.

10-4