Configuring Port-Based and User-Based Access Control (802.1X)

How RADIUS/802.1X Authentication Affects VLAN Operation

This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1X session. The change accommodates an 802.1X client that was authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22.

Note: With the current VLAN configuration (Figure 10-19), the only time port A2 appears in this show vlan 22 listing is during an 802.1X session with an attached client. Otherwise, port A2 is not listed.

Figure 10-20. The Active Configuration for VLAN 22 Temporarily Changes for the 802.1X Session

However, as shown in Figure 10-19, because VLAN 33 is configured as untagged on port A2 and because a port can be untagged on only one VLAN, port A2 loses access to VLAN 33 for the duration of the 802.1X session on VLAN 22.

You can verify the temporary loss of access to VLAN 33 by entering the show vlan 33 command as shown in Figure 10-21.

Even though port A2 is configured as Untagged on (static) VLAN 33 (see figure 10-19), it does not appear in the VLAN 33 listing while the 802.1X session is using VLAN 22 in the Untagged status. However, after the 802.1X session with VLAN 22 ends, the active configuration returns port A2 to VLAN 33.

Figure 10-21. The Active Configuration for VLAN 33 Temporarily Drops Port 22 for the 802.1X Session
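The behavior described above can be modeled in a few lines. This is an added example, not switch firmware or vendor code: the class and method names are hypothetical, and port A1 is a constructed neighbor port included only for contrast. It shows the session VLAN replacing the static untagged VLAN, and lists ports whose static VLAN is unreachable while a session is open.

```python
"""Model of static vs. active untagged VLAN membership during an 802.1X session.

Added illustration; all names here are hypothetical, not a vendor API.
"""


class SwitchModel:
    def __init__(self, static_untagged):
        # Static (saved) configuration: port -> the one VLAN it is untagged on.
        self.static_untagged = dict(static_untagged)
        # Open 802.1X sessions: port -> VLAN supplied by the RADIUS server.
        self.session_vlan = {}

    def open_session(self, port, radius_vlan):
        """RADIUS accepted the client and told the switch which VLAN to use."""
        if port not in self.static_untagged:
            raise KeyError(f"unknown port {port}")
        self.session_vlan[port] = radius_vlan

    def close_session(self, port):
        """Session ended; the static assignment becomes active again."""
        self.session_vlan.pop(port, None)

    def active_untagged(self, port):
        # A port can be untagged on only one VLAN, so the session VLAN
        # replaces the static one instead of being added to it.
        return self.session_vlan.get(port, self.static_untagged[port])

    def show_vlan(self, vid):
        """Ports listed as untagged on this VLAN in the active configuration."""
        return sorted(p for p in self.static_untagged
                      if self.active_untagged(p) == vid)

    def displaced(self):
        """(port, static VLAN, session VLAN) for ports cut off from their static VLAN."""
        return sorted((p, self.static_untagged[p], v)
                      for p, v in self.session_vlan.items()
                      if v != self.static_untagged[p])


if __name__ == "__main__":
    # Constructed sample: A2 is statically untagged on VLAN 33, as on this page.
    sw = SwitchModel({"A1": 33, "A2": 33})
    sw.open_session("A2", 22)
    print(sw.show_vlan(22), sw.show_vlan(33), sw.displaced())
    sw.close_session("A2")
    print(sw.show_vlan(22), sw.show_vlan(33), sw.displaced())
```

Running `displaced()` against a list of open sessions is a quick way to spot ports where a RADIUS-assigned VLAN is currently overriding the saved configuration.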
