Configuring Port-Based and User-Based Access Control (802.1X)

802.1X Open VLAN Mode

802.1X Per-Port Configuration

Port Response

 

 

Open VLAN Mode with Only an Unauthorized-Client VLAN Configured:

When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session. If the port is statically configured as an untagged member of another VLAN, the switch temporarily removes the port from membership in this other VLAN while membership in the Unauthorized-Client VLAN exists.

After the client is authenticated, and if the port is statically configured as an untagged member of another VLAN, the port’s access to this other VLAN is restored.

Note: If RADIUS authentication assigns the port to a VLAN, this assignment overrides any statically configured, untagged VLAN membership on the port (while the client is connected).

If the port is statically configured as a tagged member of a VLAN, the port returns to tagged membership in this VLAN upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. Note that if the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection.

Note for a Port Configured To Allow Multiple Client Sessions: If any

previously authenticated clients are using a port assigned to a VLAN other than the Unauthorized-Client VLAN (such as a RADIUS- assigned VLAN), then a later client that is not running 802.1X supplicant software is blocked on the port until all other, authenticated clients on the port have disconnected. Refer to figure 10-1on page 10-11.

10-34