13-77
Configuring Port-Based and User-Based Access Control (802.1X)
How RADIUS/802.1X Authentication Affects VLAN Operation
Note Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1X-
authenticated session do not take effect until the session ends.
With GVRP enabled, a temporary, untagged static VLAN assignment created
on a port by 802.1X authentication is advertised as an existing VLAN. If this
temporary VLAN assignment causes the switch to disable a configured
(untagged) static VLAN assignment on the port, then the disabled VLAN
assignment is not advertised. When the 802.1X session ends, the switch:
■ Eliminates and ceases to advertise the temporary VLAN assignment.
■ Re-activates and resumes advertising the temporarily disabled VLAN
assignment.
3. If you disable the use of dynamic VLANs in an
authentication session using the no aaa port-access gvrp-vlans
command, client sessions that were authenticated with a
dynamic VLAN continue and are not deauthenticated.
(This behavior differs form how static VLAN assignment is
handled in an authentication session. If you remove the
configuration of the static VLAN used to create a temporary
client session, the 802.1X, MAC, or Web authenticated client
is deauthenticated.)
However, if a RADIUS-configured dynamic VLAN used for
an authentication session is deleted from the switch through
normal GVRP operation (for example, if no GVRP
advertisements for the VLAN are received on any switch
port), authenticated clients using this VLAN are
deauthenticated.
To Next Page
Loading...
