13-33
Configuring Port-Based and User-Based Access Control (802.1X)
802.1X Open VLAN Mode
On ports configured for port-based 802.1X access control, if multiple clients 
try to authenticate on the same port, the most recently authenticated client 
determines the untagged VLAN membership for that port. Clients that connect 
without trying to authenticate will have access to the untagged VLAN mem-
bership that is currently assigned to the port.
VLAN Membership Priorities
Following client authentication, an 802.1X port resumes membership in any 
tagged VLANs for which it is already assigned in the switch configuration. The 
port also becomes an untagged member of one VLAN according to the follow-
ing order of options: 
a. 1st Priority: The port joins a VLAN to which it has been assigned by 
a RADIUS server during client authentication.
b. 2nd Priority: If RADIUS authentication does not include assigning 
the port to a VLAN, then the switch assigns the port to the VLAN 
entered in the port’s 802.1X configuration as an Authorized-Client 
VLAN, if configured.
c. 3rd Priority: If the port does not have an Authorized-Client VLAN 
configured, but does have a static, untagged VLAN membership in its 
configuration, then the switch assigns the port to this VLAN.
A port assigned to a VLAN by an Authorized-Client VLAN configuration 
(or a RADIUS server) will be an untagged member of the VLAN for the 
duration of the authenticated session. This applies even if the port is also 
configured in the switch as a tagged member of the same VLAN. 
Note After client authentication, the port resumes membership in any tagged 
VLANs for which it is configured. If the port is a tagged member of a VLAN 
used for 1 or 2 listed above, then it also operates as an untagged member of 
that VLAN while the client is connected. When the client disconnects, the port 
reverts to tagged membership in the VLAN.
Use Models for 802.1X Open VLAN Modes
You can apply the 802.1X Open VLAN mode in more than one way. Depending 
on your use, you will need to create one or two static VLANs on the switch for 
exclusive use by per-port 802.1X Open VLAN mode authentication: