Configuring Port-Based and User-Based Access Control (802.1X)

General 802.1X Authenticator Operation

N o t e

The switches covered in this guide can use either 802.1X port-based authen-

 

tication or 802.1X user-based authentication. For more information, refer to

 

“User Authentication Methods” on page 10-4.

 

 

Note

VLAN Membership Priority

Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. The port also becomes an untagged member of one VLAN according to the following order of options:

a.1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during client authentication.

b.2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port’s 802.1X configuration as an Authorized-ClientVLAN, if configured.

c.3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN.

A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will be an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN.

On the switches covered in this guide, using the same port for both RADIUS-assigned clients and clients using a configured, Authorized-Client VLAN is not recommended. This is because doing so can result in authenticated clients with mutually exclusive VLAN priorities, which means that some authenticated clients can be denied access to the port. Refer to figure 10-1on page 10-11.

10-10