Configuring Port-Based and User-Based Access Control (802.1X)

802.1X Open VLAN Mode

Condition: Effect of RADIUS-assigned VLAN

Rule: The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN.

Condition: IP Addressing for a Client Connected to a Port Configured for 802.1X Open VLAN Mode

Rule: A client can either acquire an IP address from a DHCP server or use a manually configured IP address before connecting to the switch.

Condition: 802.1X Supplicant Software for a Client Connected to a Port Configured for 802.1X Open VLAN Mode

Rule: A friendly client without 802.1X supplicant software that connects to an authenticator port must be able to download this software from the Unauthorized-Client VLAN before authentication can begin.

Condition: Switch with a Port Configured To Allow Multiple Authorized-Client Sessions

Rule: When a new client is authenticated on a given port:

• If no other clients are authenticated on that port, then the port joins one VLAN in the following order of precedence:

  a. A RADIUS-assigned VLAN, if configured.
  b. An Authenticated-Client VLAN, if configured.
  c. A static, port-based VLAN to which the port belongs as an untagged member.
  d. Any VLAN(s) to which the port is configured as a tagged member (provided that the client can operate in that VLAN).

• If another client is already authenticated on the port, then the port is already assigned to a VLAN for the previously existing client session, and the new client must operate in this same VLAN, regardless of other factors. (This means that a client without 802.1X supplicant software cannot access a configured Unauthorized-Client VLAN if another, authenticated client is already using the port.)
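The VLAN-selection precedence (a through d) and the multiple-session rule above, modelled as an added Python example. This is not ProCurve firmware or CLI configuration; the Port and Client types, select_vlan(), admit() and radius_assigned_vlan() are assumptions made for the model, and the RADIUS attribute names and values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID) are taken from RFC 3580. The Access-Accept attribute list in the usage section is constructed sample input.

```python
# Added example: a model of the Open VLAN Mode VLAN-selection rules above.
# Not ProCurve firmware or CLI; Port, Client, select_vlan(), admit() and
# radius_assigned_vlan() are assumptions made for this model. RADIUS attribute
# names and values follow RFC 3580.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Sequence, Tuple

TUNNEL_TYPE_VLAN = 13    # Tunnel-Type value meaning "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6    # Tunnel-Medium-Type value meaning "IEEE-802" (RFC 3580)


@dataclass
class Port:
    untagged_vid: Optional[int]                   # static port-based VLAN (untagged member), if any
    tagged_vids: FrozenSet[int] = frozenset()     # VLANs in which the port is a tagged member
    auth_vid: Optional[int] = None                # Authenticated-Client VLAN, if configured
    unauth_vid: Optional[int] = None              # Unauthorized-Client VLAN, if configured
    sessions: Dict[str, int] = field(default_factory=dict)  # authenticated MAC -> VLAN in use


@dataclass
class Client:
    mac: str
    authenticated: bool                           # True once 802.1X succeeded for this client
    radius_vid: Optional[int] = None              # RADIUS-assigned VLAN from the Access-Accept
    operable_vids: FrozenSet[int] = frozenset()   # tagged VLANs the client can operate in


def radius_assigned_vlan(attrs: Sequence[Tuple[str, object]]) -> Optional[int]:
    """Extract the VLAN from RFC 3580 tunnel attributes in an Access-Accept.
    Returns None unless all three attributes are present, consistent and a valid VID."""
    a = dict(attrs)
    if a.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if a.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    try:
        vid = int(a.get("Tunnel-Private-Group-ID"))
    except (TypeError, ValueError):
        return None
    return vid if 1 <= vid <= 4094 else None


def select_vlan(port: Port, client: Client) -> Optional[int]:
    """Return the VLAN the port uses for this client, or None if the client gets no
    VLAN (e.g. an unauthenticated client on a port another authenticated client occupies)."""
    if port.sessions:
        # Another client is already authenticated: the port is already in one VLAN and
        # the new client must use it regardless of RADIUS or auth-vid settings. A client
        # without a supplicant cannot fall back to the Unauthorized-Client VLAN here.
        in_use = set(port.sessions.values())
        if len(in_use) != 1:
            raise ValueError("port has authenticated sessions in different VLANs")
        return in_use.pop() if client.authenticated else None
    if not client.authenticated:
        return port.unauth_vid                      # None when no Unauthorized-Client VLAN is set
    # First authenticated client on the port: apply the order of precedence a-d.
    if client.radius_vid is not None:
        return client.radius_vid                    # a. RADIUS-assigned VLAN
    if port.auth_vid is not None:
        return port.auth_vid                        # b. Authenticated-Client VLAN
    if port.untagged_vid is not None:
        return port.untagged_vid                    # c. static untagged VLAN of the port
    for vid in sorted(port.tagged_vids):            # d. a tagged VLAN the client can operate in
        if vid in client.operable_vids:
            return vid
    return None


def admit(port: Port, client: Client) -> Optional[int]:
    """Apply select_vlan() and record an authenticated session on success."""
    vid = select_vlan(port, client)
    if vid is not None and client.authenticated:
        port.sessions[client.mac] = vid
    return vid


if __name__ == "__main__":
    # Constructed Access-Accept attributes placing the first client in VLAN 20.
    accept = [("Tunnel-Type", 13), ("Tunnel-Medium-Type", 6), ("Tunnel-Private-Group-ID", "20")]
    p = Port(untagged_vid=1, tagged_vids=frozenset({10, 20}), auth_vid=30, unauth_vid=99)
    first = Client("00:11:22:33:44:01", True, radius_vid=radius_assigned_vlan(accept))
    print(admit(p, first))    # 20: RADIUS-assigned VLAN wins over auth-vid 30 and untagged 1
    second = Client("00:11:22:33:44:02", True, radius_vid=50)
    print(admit(p, second))   # 20: port already in use, its RADIUS-assigned VLAN 50 is ignored
    guest = Client("00:11:22:33:44:03", False)
    print(admit(p, guest))    # None: no Unauthorized-Client VLAN while a session exists
```

The second and third calls are the practitioner's check: a RADIUS VLAN assignment for a later client is silently overridden by whatever VLAN the first session fixed on the port, and a supplicant-less client is shut out of the Unauthorized-Client VLAN entirely. If per-client VLAN isolation matters, do not enable multiple authorized-client sessions on that port.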

10-38