Configuring Port-Based and Client-Based Access Control (802.1X)
General Operating Rules and Notes
■ 5300xl Switches Only: Where a 5300xl port is configured to accept multi-
ple 802.1X (and/or Web- or MAC-Authentication) client sessions, all
authenticated clients must use the same port-based, untagged VLAN
membership. Thus, on a port where one or more authenticated client
sessions are already running, all such clients will be on the same VLAN.
If a RADIUS server subsequently authenticates a new client, but attempts
to re-assign the port to a different VLAN than the one already in use for
the previously existing, authenticated client sessions, the connection for
the new client will fail. For more on this topic, refer to “802.1X Open VLAN
Mode” on page 10-21.
■ If a port on switch “A” is configured as an 802.1X supplicant and is
connected to a port on another switch, “B”, that is not 802.1X-aware,
access to switch “B” will occur without 802.1X security protection.
■ On a port configured for 802.1X with RADIUS authentication, if the
RADIUS server specifies a VLAN for the supplicant and the port is a trunk
member, the port will be blocked. If the port is later removed from the
trunk, the port will allow authentication of the supplicant. Similarly, if the
supplicant is authenticated and later the port becomes a trunk member,
the port will be blocked. If the port is then removed from the trunk, it will
allow the supplicant to re-authenticate.
■ If a client already has access to a switch port when you configure the port
for 802.1X authenticator operation, the port will block the client from
further network access until it can be authenticated.
■ Meshing is not supported on ports configured for 802.1X port-access
security.
■ A port can be configured as an authenticator or an 802.1X supplicant, or
both. Some configuration instances block traffic flow or allow traffic to
flow without authentication. Refer to “Configuring Switch Ports To Oper-
ate As Supplicants for 802.1X Connections to Other Switches” on page 10-
38.
Not e Use of a port on a 5300xl switch running software release E.09.xx or greater
as an authenticator for a supplicant port on another switch is not recom
-
mended.
■ To help maintain security, 802.1X and LACP cannot both be enabled on
the same port. If you try to configure 802.1X on a port already configured
for LACP (or the reverse) you will see a message similar to the following:
Error configuring port X: LACP and 802.1X cannot be run together.
10-12
To Next Page
Loading...
Need help?
General