Configuring Port-Based and User-Based Access Control (802.1X)

How RADIUS/802.1X Authentication Affects VLAN Operation

When the 802.1X client’s session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again. Therefore, when the RADIUS-authenticated 802.1X session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored as shown in Figure 10-22.

After the 802.1X session on VLAN 22 ends, the active configuration again includes VLAN 33 on port A2.

Figure 10-22.The Active Configuration for VLAN 33 Restores Port A2 After the 802.1X Session Ends

Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions

Syntax: aaa port-access gvrp-vlans

Enables the use of dynamic VLANs (learned through GVRP) in the temporary untagged VLAN assigned by a RADIUS server on an authenticated port in an 802.1X, MAC, or Web authentication session.

Enter the no form of this command to disable the use of GVRP- learned VLANs in an authentication session.

For information on how to enable a switch to dynamically create 802.1Q-compliant VLANs, see the chapter on “GVRP” in the Advanced Traffic Management Guide.

Notes:

1.If a port is assigned as a member of an untagged dynamic VLAN, the dynamic VLAN configuration must exist at the time of authentication and GVRP for port-access authentication must be enabled on the switch.

If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch, the authentication fails.

10-71