Configuring Port-Based and Client-Based Access Control (802.1X)
General Operating Rules and Notes
General Operating Rules and Notes
■ In the client-based mode, when there is an authenticated client on a port,
the following traffic movement is allowed:
• Multicast and broadcast traffic is allowed on the port.
• Unicast traffic to authenticated clients on the port is allowed.
• All traffic from authenticated clients on the port is allowed.
■ When a port on the switch is configured as either an authenticator or
supplicant and is connected to another device, rebooting the switch
causes a re-authentication of the link.
■ Using client-based 802.1X authentication, when a port on the switch is
configured as an authenticator the port allows only authenticated clients
up to the currently configured client limit.
For clients that do not have the proper 802.1X supplicant software, the
optional 802.1X Open VLAN mode can be used to open a path for down-
loading 802.1X supplicant software to a client or to provide other services
for unauthenticated clients. Refer to
“802.1X Open VLAN Mode” on
page 10-24.)
■ Using port-based 802.1X authentication, When a port on the switch is
configured as an authenticator, one authenticated client opens the port.
Other clients that are not running an 802.1X supplicant application can
have access to the switch and network through the opened port. If another
client uses an 802.1X supplicant application to access the opened port,
then a re-authentication occurs using the RADIUS configuration response
for the latest client to authenticate. To control access by all clients, use
the client-based method.
■ Where a switch port is configured with client-based authentication to
accept multiple 802.1X (and/or Web- or MAC-Authentication) client ses-
sions, all authenticated clients must use the same port-based, untagged
VLAN membership assigned for the earliest, currently active client ses-
sion. Thus, on a port where one or more authenticated client sessions are
already running, all such clients will be on the same untagged VLAN. If a
RADIUS server subsequently authenticates a new client, but attempts to
re-assign the port to a different, untagged VLAN than the one already in
use for the previously existing, authenticated client sessions, the connec-
tion for the new client will fail. For more on this topic, refer to
“802.1X
Open VLAN Mode” on page 10-24. (Note that if the port is statically
configured with any tagged VLAN memberships, any authenticated client
configured to use these tagged VLANs will have access to them.)
10-12
To Next Page
Loading...
Need help?
General
