Configuring Port-Based and User-Based Access Control (802.1X)

How RADIUS/802.1X Authentication Affects VLAN Operation

For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2:

Scenario: An authorized 802.1X client requires access to VLAN 22 from port A2. However, access to VLAN 22 is blocked (not untagged or tagged) on port A2 and

Figure 10-19.Example of an Active VLAN Configuration

In Figure 10-19, if RADIUS authorizes an 802.1X client on port A2 with the requirement that the client use VLAN 22, then:

VLAN 22 becomes available as Untagged on port A2 for the duration of the session.

VLAN 33 becomes unavailable to port A2 for the duration of the session (because there can be only one untagged VLAN on any port).

To view the temporary VLAN assignment as a change in the active configura- tion, use the show vlan <vlan-id>command as shown in Figure 10-18where <vlan-id>is the (static or dynamic) VLAN used in the authenticated client session.

10-69