Configuring Port-Based and Client-Based Access Control (802.1X)

 

802.1X Open VLAN Mode

 

 

Note

On ports configured to allow multiple sessions using 802.1X client-based

 

access control, all clients must use the same untagged VLAN. On a given port

 

where there are no currently active, authenticated clients, the first authenti-

 

cated client determines the untagged VLAN in which the port will operate for

 

all subsequent, overlapping client sessions.

 

If the switch operates in an environment where some valid clients will not be

 

running 802.1X supplicant software and need to download it from your

 

network. Then, because such clients would need to use the Unauthorized-

 

Client VLAN and authenticated clients would be using a different VLAN (for

 

security reasons), allowing multiple clients on an 802.1X port can result in

 

blocking some or all clients needing to use the Unauthorized-Client VLAN.

 

On ports configured for port-based 802.1X access control, if multiple clients

 

try to authenticate on the same port, the most recently authenticated client

 

determines the untagged VLAN membership for that port. Clients that connect

 

without trying to authenticate will have access to the untagged VLAN mem-

 

bership that is currently assigned to the port.

 

 

VLAN Membership Priorities

Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. The port also becomes an untagged member of one VLAN according to the following order of options:

1.1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during authentication.

2.2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port’s 802.1X configuration as an Authorized-ClientVLAN, if config- ured.

3.3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN.

A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will be an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN.

8-27