Configuring Port-Based and User-Based Access Control (802.1X)

 

802.1X Open VLAN Mode

 

 

Condition

Rule

 

 

Effect of Unauthorized-Client VLAN

• When an unauthenticated client connects to a port that is already

session on untagged port VLAN

configured with a static, untagged VLAN, the switch temporarily

membership

moves the port to the Unauthorized-Client VLAN (also untagged).

 

(While the Unauthorized-Client VLAN is in use, the port does not

 

access any other VLANs.)

 

• If the client disconnects, the port leaves the Unauthorized-Client

 

VLAN and re-acquires membership in all the statically configured

 

VLANs to which it belongs.

 

• If the client becomes authenticated, the port leaves the

 

Unauthenticated-Client VLAN and joins the appropriate VLAN.

 

(Refer to “VLAN Membership Priorities” on page 10-30.

 

• In the case of the multiple clients allowed on switches, if an

 

authenticated client is already using the port for a different VLAN,

 

then any other unauthenticated clients needing to use the

 

Unauthorized-Client VLAN are blocked.

 

 

Effect of Authorized-Client VLAN

• When a client becomes authenticated on a port that is already

session on untagged port VLAN

configured with a static, untagged VLAN, the switch temporarily

membership.

moves the port to the Authorized-Client VLAN (also untagged).

 

While the Authorized-Client VLAN is in use, the port does not have

 

access to the statically configured, untagged VLAN.

 

• When the authenticated client disconnects, the switch removes the

 

port from the Authorized-Client VLAN and moves it back to the

 

untagged membership in the statically configured VLAN. (After

 

client authentication, the port resumes any tagged VLAN

 

memberships for which it is already configured. For details, refer to

 

the Note on page 10-31.)

 

Note: This rule assumes:

 

• No alternate VLAN has been assigned by a RADIUS server.

 

• No other authenticated clients are already using the port.

 

 

Multiple Authenticator Ports Using

You can use the same static VLAN as the Unauthorized-Client VLAN

the Same Unauthorized-Client and

for all 802.1X authenticator ports configured on the switch. Similarly,

Authorized-Client VLANs

you can use the same static VLAN as the Authorized-Client VLAN for

 

all 802.1X authenticator ports configured on the switch.

 

Caution: Do not use the same static VLAN for both the unauthorized-

 

client VLAN and the authorized-client VLAN. Using one VLAN for both

 

creates a security risk by defeating the isolation of unauthenticated

 

clients.

Effect of Failed Client Authentication Attempt

This rule assumes no other authenticated clients are already using the port on a different VLAN.

When there is an Unauthorized-Client VLAN configured on an 802.1X authenticator port, an unauthorized client connected to the port has access only to the network resources belonging to the Unauthorized- Client VLAN. This access continues until the client disconnects from the port. (If there is no Unauthorized-Client VLAN configured on the authenticator port, the port simply blocks access for any unauthorized client.)

10-37