
HP ProCurve 3400cl-24G Access Security Guide

HP ProCurve 3400cl-24G
404 pages
Configuring Port-Based and Client-Based Access Control (802.1X)
802.1X Open VLAN Mode
Operating Rules for Authorized-Client and Unauthorized-Client VLANs

Condition: Static VLANs used as Authorized-Client or Unauthorized-Client VLANs
Rule: These must be configured on the switch before you configure an
802.1X authenticator port to use them. (Use the vlan <vlan-id>
command or the VLAN Menu screen in the Menu interface.)

Condition: VLAN Assignment Received from a RADIUS Server
Rule: If the RADIUS server specifies a VLAN for an authenticated supplicant
connected to an 802.1X authenticator port, this VLAN assignment
overrides any Authorized-Client VLAN assignment configured on the
authenticator port. This is because membership in both VLANs is
untagged, and the switch allows only one untagged, port-based VLAN
membership per-port. For example, suppose you configured port A4
to place authenticated supplicants in VLAN 20. If a RADIUS server
authenticates supplicant “A” and assigns this supplicant to VLAN 50,
then the port can access VLAN 50 as an untagged member while the
client session is running. When the client disconnects from the port,
then the port drops these assignments and uses the untagged VLAN
memberships for which it is statically configured. (After client
authentication, the port resumes any tagged VLAN memberships for which it
is already configured. For details, refer to the Note on page 10-23.)

Condition: Temporary VLAN Membership During a Client Session
Rule: Port membership in a VLAN assigned to operate as the
Unauthorized-Client VLAN is temporary, and ends when the client
receives authentication or the client disconnects from the port,
whichever is first. In the case of the multiple clients allowed on
5300xl switches running software release E.09.xx or greater, the
first client to authenticate determines the untagged VLAN
membership for the port until all clients have disconnected. Any
other clients that cannot operate in that VLAN are blocked at that
point.
Port membership in a VLAN assigned to operate as the
Authorized-Client VLAN ends when the client disconnects from the port. If a
VLAN assignment from a RADIUS server is used instead, the same
rule applies. In the case of the multiple clients allowed on 5300xl
switches running software release E.09.xx or greater, the port
maintains the same VLAN as long as there is any authenticated
client using the VLAN. When the last client disconnects, then the
port reverts to only the VLAN(s) for which it is statically configured
as a member.
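
The rules above can be checked against a small model of one authenticator port. This is an added example, not code from the HP manual or the switch software: the class and method names are hypothetical, and VLANs 1 and 30 are constructed values (20 and 50 come from the port A4 example). It assumes a later client is blocked when the VLAN it resolves to differs from the one the first authenticated client set, and that a port with no Authorized-Client VLAN stays in its static VLAN.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class OpenVlanPort:
    """Simplified model of one 802.1X authenticator port in Open VLAN mode."""
    static_vid: int                    # statically configured untagged VLAN
    auth_vid: Optional[int] = None     # Authorized-Client VLAN
    unauth_vid: Optional[int] = None   # Unauthorized-Client VLAN
    sessions: Dict[str, int] = field(default_factory=dict)  # authenticated client -> VLAN
    pending: Set[str] = field(default_factory=set)          # connected, not authenticated

    def untagged_vid(self) -> int:
        if self.sessions:
            # The first client to authenticate set the VLAN; later sessions match it.
            return next(iter(self.sessions.values()))
        if self.pending and self.unauth_vid is not None:
            return self.unauth_vid     # temporary Unauthorized-Client membership
        return self.static_vid         # no clients: static configuration applies

    def connect(self, client: str) -> None:
        self.pending.add(client)

    def authenticate(self, client: str, radius_vid: Optional[int] = None) -> bool:
        # A RADIUS-assigned VLAN overrides the port's Authorized-Client VLAN.
        wanted = radius_vid or self.auth_vid or self.static_vid
        self.pending.discard(client)
        if self.sessions and wanted != self.untagged_vid():
            return False               # blocked: only one untagged VLAN per port
        self.sessions[client] = wanted
        return True

    def disconnect(self, client: str) -> None:
        self.pending.discard(client)
        self.sessions.pop(client, None)


def walkthrough() -> list:
    """Replay the port A4 example; VLANs 1 and 30 are constructed values."""
    a4 = OpenVlanPort(static_vid=1, auth_vid=20, unauth_vid=30)
    seen = [a4.untagged_vid()]                       # idle port
    a4.connect("A")
    seen.append(a4.untagged_vid())                   # unauthenticated client
    a4.authenticate("A", radius_vid=50)
    seen.append(a4.untagged_vid())                   # RADIUS VLAN wins over 20
    seen.append(a4.authenticate("B"))                # wants VLAN 20, port is in 50
    a4.disconnect("A")
    seen.append(a4.untagged_vid())                   # last client gone
    return seen
```

When auditing a port, the point to carry over is that the Authorized-Client VLAN configured on the switch is only a default: the VLAN a session actually lands in is whatever the RADIUS server returns, so the RADIUS policy has to be reviewed alongside the port configuration.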
10-27
