Configuring Port-Based and Client-Based Access Control (802.1X)
802.1X Open VLAN Mode
■ Acquiring IP addressing from a DHCP server
■ Downloading the 802.1X supplicant software necessary for an authenti-
cation session
The 802.1X Open VLAN mode solves this problem by temporarily suspending
the port’s static VLAN memberships and placing the port in a designated
Unauthorized-Client VLAN. In this state the client can proceed with initial
-
ization services, such as acquiring IP addressing and 802.1X client software,
and starting the authentication process.
Note for Series On ports configured to allow multiple authenticated client sessions, all clients
5300xl Switches
must use the same VLAN. On a given port where there are no currently active,
Running Software
authenticated clients, the first authenticated client determines the VLAN in
Version E.09.xx or
which the port will operate for all subsequent, overlapping client sessions.
Later
Because unauthenticated clients without 802.1X supplicant software would
use the Unauthorized-Client VLAN and authenticated clients would use a
different VLAN (for security reasons), allowing multiple clients on an 802.1X
port can result in blocking some or all clients needing to use the Unauthorized-
Client VLAN. If both of the following apply to your network, refer to Note for
5300xl Switches Only in the table on page
10-30:
■ The switch operates in an environment where some valid clients will not
be running 802.1X supplicant software and need to download it from your
network.
■ You plan to allow multiple client access on ports configured for 802.1X
operation
VLAN Membership Priorities
Following client authentication, an 802.1X port resumes membership in any
tagged VLANs for which it is already assigned in the switch configuration. The
port also becomes an untagged member of one VLAN according to the follow
-
ing order of options:
a. 1st Priority: The port joins a VLAN to which it has been assigned by
a RADIUS server during client authentication.
b. 2nd Priority: If RADIUS authentication does not include assigning
the port to a VLAN, then the switch assigns the port to the VLAN
entered in the port’s 802.1X configuration as an Authorized-Client
VLAN, if configured.
c. 3rd Priority: If the port does not have an Authorized-Client VLAN
configured, but does have a static, untagged VLAN membership in its
configuration, then the switch assigns the port to this VLAN.
10-22
To Next Page
Loading...
