Configuring Port-Based and User-Based Access Control (802.1X)

802.1X Open VLAN Mode

Table 10-2. 802.1X Open VLAN Mode Options
802.1X Per-Port ConfigurationPort Response

No Open VLAN mode:

The port automatically blocks a client that cannot initiate an

 

authentication session.

Open VLAN mode with both of the following configured:

Unauthorized-Client VLAN • When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this VLAN. If you previously configured the port as a static, tagged member of the VLAN, membership temporarily changes to untagged while the client remains unauthenticated.

If the port already has a statically configured, untagged membership in another VLAN, then the port temporarily closes access to this other VLAN while in the Unauthorized-Client VLAN.

To limit security risks, the network services and access available on the Unauthorized-Client VLAN should include only what a client needs to enable an authentication session. If the port is statically configured as a tagged member of any other VLANs, access to these VLANs is blocked while the port is a member of the Unauthorized-Client VLAN.

Note for a Port Configured To Allow Multiple Client Sessions: If any

previously authenticated clients are using a port assigned to a VLAN other than the Unauthorized-Client VLAN, then a later client that is not running 802.1X supplicant software is blocked on the port until all other, authenticated clients on the port have disconnected.

10-32