Configuring Port-Based and Client-Based Access Control (802.1X)

 

802.1X Open VLAN Mode

Table 8-1. 802.1X Open VLAN Mode Options

(Columns: 802.1X Per-Port Configuration / Port Response)

802.1X Per-Port Configuration: No Open VLAN mode

Port Response:

• The port automatically blocks a client that cannot initiate an authentication session.

802.1X Per-Port Configuration: Open VLAN mode with both of the following configured:

Unauthorized-Client VLAN

Port Response:

• When the port detects a client, it automatically becomes an untagged member of this VLAN. If you previously configured the port as a static, tagged member of the VLAN, membership temporarily changes to untagged while the client remains unauthenticated.

• If the port already has a statically configured, untagged membership in another VLAN, then the port temporarily closes access to this other VLAN while in the Unauthorized-Client VLAN.

• To limit security risks, the network services and access available on the Unauthorized-Client VLAN should include only what a client needs to enable an authentication session. If the port is statically configured as a tagged member of any other VLANs, access to these VLANs is blocked while the port is a member of the Unauthorized-Client VLAN.

Authorized-Client VLAN

Port Response:

• After the client is authenticated, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN.

  Note: if RADIUS authentication assigns a VLAN, the port temporarily becomes a member of the RADIUS-assigned VLAN (instead of the Authorized-Client VLAN) while the client is connected.

• If the port is statically configured as a tagged member of a VLAN, and this VLAN is used as the Authorized-Client VLAN, then the port temporarily becomes an untagged member of this VLAN when the client becomes authenticated. When the client disconnects, the port returns to tagged membership in this VLAN.

• If the port is statically configured as a tagged member of a VLAN that is not used by 802.1X Open VLAN mode, the port returns to tagged membership in this VLAN upon successful authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection. After the client disconnects, the port returns to tagged membership in that VLAN.
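The membership rules in Table 8-1 are easiest to check as a state function. The following Python model is an added example, not switch firmware or vendor code: it encodes the port responses above for a constructed port configuration (static untagged VLAN 1, static tagged VLANs 20, 30 and 80, Unauthorized-Client VLAN 80, Authorized-Client VLAN 10) and walks a client through connect, authenticate and disconnect. The names `PortConfig`, `Membership`, `port_membership` and `session_trace` are the example's own, and two points the table does not spell out (the authenticated case without Open VLAN mode, and the static untagged VLAN being superseded by the active VLAN) are marked as assumptions in the comments.

```python
"""Model of how an 802.1X port's VLAN membership changes under Open VLAN mode.

Constructed example: it encodes the port responses listed in Table 8-1 as a
small state function so the transitions can be checked for a given port
configuration. The rules are an interpretation of the table; points marked
ASSUMPTION are not stated there.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Client states as seen by the port.
NO_CLIENT = "no-client"              # nothing connected
UNAUTHENTICATED = "unauthenticated"  # client detected, no authentication completed
AUTHENTICATED = "authenticated"      # client passed 802.1X authentication


@dataclass(frozen=True)
class PortConfig:
    """Static per-port configuration (constructed fields, not a vendor schema)."""
    untagged_vlan: Optional[int]                # statically configured untagged VLAN, if any
    tagged_vlans: FrozenSet[int] = frozenset()  # statically configured tagged VLANs
    unauth_vid: Optional[int] = None            # Unauthorized-Client VLAN (Open VLAN mode)
    auth_vid: Optional[int] = None              # Authorized-Client VLAN (Open VLAN mode)

    @property
    def open_vlan_mode(self) -> bool:
        # Table 8-1 describes Open VLAN mode with both VLANs configured.
        return self.unauth_vid is not None and self.auth_vid is not None


@dataclass(frozen=True)
class Membership:
    """Effective VLAN membership of the port for one client state."""
    untagged: Optional[int]
    tagged: FrozenSet[int]
    blocked: bool = False  # True when the port blocks the client entirely


def port_membership(cfg: PortConfig, client_state: str,
                    radius_vid: Optional[int] = None) -> Membership:
    """Return the port's effective membership for the given client state."""
    static = Membership(cfg.untagged_vlan, frozenset(cfg.tagged_vlans))

    if client_state == NO_CLIENT:
        # When the client disconnects, the port returns to its static membership.
        return static

    if client_state == UNAUTHENTICATED:
        if not cfg.open_vlan_mode:
            # No Open VLAN mode: a client that cannot authenticate is blocked.
            return Membership(None, frozenset(), blocked=True)
        # Open VLAN mode: untagged in the Unauthorized-Client VLAN only. Static
        # untagged membership in another VLAN is closed and static tagged
        # memberships are blocked while the port sits in this VLAN.
        return Membership(cfg.unauth_vid, frozenset())

    if client_state == AUTHENTICATED:
        if not cfg.open_vlan_mode:
            # ASSUMPTION: without Open VLAN mode the table gives no rule beyond
            # the block above; treat an authenticated client as receiving the
            # static membership.
            return static
        # A RADIUS-assigned VLAN replaces the Authorized-Client VLAN.
        active = radius_vid if radius_vid is not None else cfg.auth_vid
        # Membership in the Unauthorized-Client VLAN is dropped. Static tagged
        # membership in the active VLAN becomes untagged for the session; the
        # other static tagged VLANs are restored, even when RADIUS chose the VLAN.
        tagged = frozenset(cfg.tagged_vlans) - {active, cfg.unauth_vid}
        # ASSUMPTION: a port has one untagged VLAN, so the static untagged VLAN
        # is superseded by the active VLAN while the client is connected.
        return Membership(active, tagged)

    raise ValueError(f"unknown client state: {client_state!r}")


def session_trace(cfg: PortConfig, radius_vid: Optional[int] = None):
    """Membership at each step of a connect -> authenticate -> disconnect cycle."""
    return [
        (state, port_membership(cfg, state, radius_vid))
        for state in (NO_CLIENT, UNAUTHENTICATED, AUTHENTICATED, NO_CLIENT)
    ]


if __name__ == "__main__":
    # Constructed configuration: static untagged VLAN 1, static tagged 20, 30, 80,
    # Unauthorized-Client VLAN 80, Authorized-Client VLAN 10.
    port = PortConfig(untagged_vlan=1, tagged_vlans=frozenset({20, 30, 80}),
                      unauth_vid=80, auth_vid=10)
    for state, m in session_trace(port, radius_vid=20):
        print(f"{state:16} untagged={m.untagged} "
              f"tagged={sorted(m.tagged)} blocked={m.blocked}")
```

Running the trace with `radius_vid=20` shows the point the last bullet makes: while the client is authenticated the port is untagged in VLAN 20 (the RADIUS choice, not the Authorized-Client VLAN 10), its static tagged membership in VLAN 30 is restored, and on disconnect the port is back to untagged 1 with tagged 20, 30 and 80. Removing `unauth_vid` and `auth_vid` from the configuration reproduces the "No Open VLAN mode" row, where an unauthenticated client is simply blocked.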

8-29