Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode

802.1X Open VLAN Mode

802.1X Authentication Commands                          page 10-18
802.1X Supplicant Commands                              page 10-49
802.1X Open VLAN Mode Commands
    [no] aaa port-access authenticator <port-list>      page 10-43
        [auth-vid <vlan-id>]
        [unauth-vid <vlan-id>]
802.1X-Related Show Commands                            page 10-51
RADIUS server configuration                             pages 10-25

Introduction

This section describes how to use the 802.1X Open VLAN mode to provide a path for clients that need to acquire 802.1X supplicant software before proceeding with the authentication process. The Open VLAN mode involves options for configuring unauthorized-client and authorized-client VLANs on ports configured as 802.1X authenticators.

Configuring the 802.1X Open VLAN mode on a port changes how the port responds when it detects a new client. In earlier releases, a “friendly” client computer not running 802.1X supplicant software could not be authenticated on a port protected by 802.1X access security. As a result, the port would become blocked and the client could not access the network. This prevented the client from:

- Acquiring IP addressing from a DHCP server

- Downloading the 802.1X supplicant software necessary for an authentication session

The 802.1X Open VLAN mode solves this problem by temporarily suspending the port’s static VLAN memberships and placing the port in a designated Unauthorized-Client VLAN (sometimes termed a guest VLAN). In this state the client can proceed with initialization services, such as acquiring IP addressing and 802.1X client software, and starting the authentication process.
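
An added configuration example of the Open VLAN mode described above, using the command syntax listed at the top of this section (it is not taken from the manual). The port range A10-A12, the VLAN IDs 100 and 20, and the VLAN names are constructed values; the `vlan ... name` and `aaa port-access authenticator active` commands are standard switch CLI assumed here and not shown in this section.

```text
; Constructed values: ports A10-A12, VLAN 100 for unauthorized clients,
; VLAN 20 for authorized clients.

; Create both VLANs as static VLANs before referencing them.
vlan 100 name "Unauth-Clients"
vlan 20 name "Auth-Clients"

; Configure the ports as 802.1X authenticators.
aaa port-access authenticator A10-A12

; Unauthorized-Client VLAN: the port is placed here while a new client
; has not yet authenticated, so it can obtain an IP address and
; download the 802.1X supplicant software.
aaa port-access authenticator A10-A12 unauth-vid 100

; Authorized-Client VLAN for clients that have authenticated.
aaa port-access authenticator A10-A12 auth-vid 20

; Activate 802.1X port-access authentication on the configured ports.
aaa port-access authenticator active
```

Because any client without supplicant software lands in VLAN 100, that VLAN should offer only the initialization services named above, such as DHCP and the supplicant download.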
