Configuring Port-Based and User-Based Access Control (802.1X)

Terminology

 

This operation unblocks the port while an authenticated client session is in

 

progress. In topologies where simultaneous, multiple client access is possible

 

this can allow unauthorized and unauthenticated access by another client

 

while an authenticated client is using the port. If you want to allow only

 

authenticated clients on the port, then user-based access control (page 10-4)

 

should be used instead of port-based access control. Using the user-based

 

method enables you to specify up to 32 authenticated clients.

 

 

N o t e

Port-Based 802.1X can operate concurrently with Web-Authentication or

 

MAC-Authentication on the same port. However, this is not a commonly used

 

application and is not generally recommended. For more information, refer

 

to the operating note on page 10-13.

 

 

Alternative To Using a RADIUS Server

Note that you can also configure 802.1X for authentication through the switch’s local username and password instead of a RADIUS server, but doing so increases the administrative burden, decentralizes user credential admin- istration, and reduces security by limiting authentication to one Operator password set for all users.

Accounting

The switches covered in this guide also provide RADIUS Network accounting for 802.1X access. Refer to chapter 5, “RADIUS-Administered CoS and Rate- Limiting”.

Terminology

802.1X-Aware:Refers to a device that is running either 802.1X authenticator software or 802.1X client software and is capable of interacting with other devices on the basis of the IEEE 802.1X standard.

Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network services that are not available on either the port’s statically configured VLAN memberships or any VLAN memberships that may be assigned during the RADIUS authentication process. While an 802.1X port is a member of this VLAN, the port is untagged. When

10-6