Configuring Port-Based and User-Based Access Control (802.1X)

 

802.1X Open VLAN Mode

 

 

802.1X Per-Port Configuration

Port Response

 

 

Authorized-Client VLAN

• After client authentication, the port drops membership in the

 

Unauthorized-Client VLAN and becomes an untagged member of

 

this VLAN.

 

Notes: If the client is running an 802.1X supplicant application

 

when the authentication session begins, and is able to

 

authenticate itself before the switch assigns the port to the

 

Unauthorized-Client VLAN, then the port does not become a

 

member of the Unauthorized-Client VLAN. On the switches

 

covered in this guide, you can use the unauth-periodcommand—

 

page 10-23—to delay moving the port into the Unauthorized-Client

 

VLAN.

If RADIUS authentication assigns a VLAN and there are no other authenticated clients on the port, then the port becomes a member of the RADIUS-assigned VLAN —instead of the Authorized-Client VLAN—while the client is connected.

If the port is statically configured as a tagged member of a VLAN, and this VLAN is used as the Authorized-Client VLAN, then the port temporarily becomes an untagged member of this VLAN when the client becomes authenticated.

If the port is statically configured as a tagged member of a VLAN, the port returns to tagged membership in this VLAN upon successful authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection.

10-33