Configuring Port-Based and User-Based Access Control (802.1X)

How RADIUS/802.1X Authentication Affects VLAN Operation

Syntax: aaa port-access gvrp-vlans


2. After you enable dynamic VLAN assignment in an authentication session, it is recommended that you use the interface unknown-vlans command on a per-port basis to prevent denial-of-service attacks. The interface unknown-vlans command allows you to:

Disable the port from sending advertisements of existing GVRP-created VLANs on the switch.

Drop all GVRP advertisements received on the port.

For more information, refer to the chapter on “GVRP” in the Advanced Traffic Management Guide.

3. If you disable the use of dynamic VLANs in an authentication session using the no aaa port-access gvrp-vlans command, client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated.

(This behavior differs from how static VLAN assignment is handled in an authentication session. If you remove the configuration of the static VLAN used to create a temporary client session, the 802.1X, MAC, or Web authenticated client is deauthenticated.)

However, if a RADIUS-configured dynamic VLAN used for an authentication session is deleted from the switch through normal GVRP operation (for example, if no GVRP advertisements for the VLAN are received on any switch port), authenticated clients using this VLAN are deauthenticated.
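As an added illustration (not taken from this guide), the following session applies steps 2 and 3 above on a ProCurve-style CLI. The port range 1-24 is an example value, and the unknown-vlans keyword follows the syntax documented in the Advanced Traffic Management Guide (interface <port-list> unknown-vlans <learn | block | disable>); confirm the exact form for your software release there.

```text
; Constructed example session; ports 1-24 stand in for the user-facing ports.
; Step 2: allow RADIUS to assign GVRP-learned (dynamic) VLANs to authenticated clients.
ProCurve(config)# aaa port-access gvrp-vlans

; Per-port hardening recommended in step 2: with unknown-vlans disabled the port
; neither advertises the switch's GVRP-created VLANs nor acts on GVRP
; advertisements it receives, so a client cannot create or tear down VLANs.
ProCurve(config)# interface 1-24 unknown-vlans disable

; Check the per-port GVRP mode before putting clients on these ports.
ProCurve(config)# show gvrp

; Step 3: turning dynamic VLANs off again does not deauthenticate clients that
; already hold a RADIUS-assigned dynamic VLAN; they stay until GVRP removes it.
ProCurve(config)# no aaa port-access gvrp-vlans
```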

Note

Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1X-authenticated session do not take effect until the session ends.

With GVRP enabled, a temporary, untagged static VLAN assignment created on a port by 802.1X authentication is advertised as an existing VLAN. If this temporary VLAN assignment causes the switch to disable a configured (untagged) static VLAN assignment on the port, then the disabled VLAN assignment is not advertised. When the 802.1X session ends, the switch:

Eliminates and ceases to advertise the temporary VLAN assignment.

Re-activates and resumes advertising the temporarily disabled VLAN assignment.

10-72