8-39
Configuring Port-Based and Client-Based Access Control (802.1X)
802.1X Open VLAN Mode
■ If a port is configured as a tagged member of VLAN “X” that is not
used as an Unauthorized-Client, Authorized-Client, or RADIUS-
assigned VLAN, then the port returns to tagged membership in VLAN
“X” upon successful client authentication. This happens even if the
RADIUS server assigns the port to another, authorized VLAN “Y”.
Note that if RADIUS assigns VLAN “X” as an authorized VLAN, then
the port becomes an untagged member of VLAN “X” for the duration
of the client connection. After the client disconnects, the port returns
to tagged membership in VLAN “X”. (If there is no Authorized-Client
or RADIUS-assigned VLAN, then an authenticated client without
tagged VLAN capability can access only a statically configured,
untagged VLAN on that port.)
■ When a client’s authentication attempt on an Unauthorized-Client
VLAN fails, the port remains a member of the Unauthorized-Client
VLAN until the client disconnects from the port.
■ During an authentication session on a port in 802.1X Open VLAN
mode, if RADIUS specifies membership in an untagged VLAN, this
assignment overrides port membership in the Authorized-Client
VLAN. If there is no Authorized-Client VLAN configured, then the
RADIUS assignment overrides any untagged VLAN for which the port
is statically configured.
■ If the only authenticated client on a port loses authentication during a
session in 802.1X Open VLAN mode, the port VLAN membership reverts
back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client
VLAN configured, then the client loses access to the port until it can
reauthenticate itself. If there are multiple clients authenticated on the
port, if one client loses access and attempts to re-authenticate, that client
will be handled as a new client on the port.
■ The first client to authenticate on a port configured to support multiple
clients will determine the port’s VLAN membership for any subsequent
clients that authenticate while an active session is already in effect.
To Next Page
Loading...
Need help?
General