Configuring Port-Based and Client-Based Access Control (802.1X) 
802.1X Open VLAN Mode 
802.1X Per-Port Configuration: Authorized-Client VLAN (Continued)
Port Response:
•  If the port is statically configured as a tagged member of a VLAN
that is not used by 802.1X Open VLAN mode, the port returns to 
tagged membership in this VLAN upon successful authentication. 
This happens even if the RADIUS server assigns the port to 
another, authorized VLAN. If the port is already configured as a 
tagged member of a VLAN that RADIUS assigns as an authorized 
VLAN, then the port becomes an untagged member of that VLAN 
for the duration of the client connection. After the client 
disconnects, the port returns to tagged membership in that VLAN. 
Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: 
•  When the port detects a client, it automatically becomes an 
untagged member of this VLAN. To limit security risks, the network 
services and access available on this VLAN should include only 
what a client needs to enable an authentication session. If the port 
is statically configured as an untagged member of another VLAN, 
the switch temporarily removes the port from membership in this 
other VLAN while membership in the Unauthorized-Client VLAN 
exists. 
•  After the client is authenticated, and if the port is statically 
configured as an untagged member of another VLAN, the port’s 
access to this other VLAN is restored. 
Note: If RADIUS authentication assigns the port to a VLAN, this 
assignment overrides any statically configured, untagged VLAN 
membership on the port (while the client is connected). 
•  If the port is statically configured as a tagged member of a VLAN 
that is not used by 802.1X Open VLAN mode, the port returns to 
tagged membership in this VLAN upon successful client 
authentication. This happens even if the RADIUS server assigns 
the port to another, authorized VLAN. Note that if the port is 
already configured as a tagged member of a VLAN that RADIUS 
assigns as an authorized VLAN, then the port becomes an 
untagged member of that VLAN for the duration of the client 
connection. After the client disconnects, the port returns to 
tagged membership in that VLAN. 
Note for a 5300xl Port Configured To Allow Multiple Client Sessions: 
If any previously authenticated clients are using a port assigned to a 
VLAN other than the Unauthorized-Client VLAN (such as a RADIUS-
assigned VLAN), then a later client that is not running 802.1X 
supplicant software is blocked on the port until all other, 
authenticated clients on the port have disconnected. Refer to figure
10-1 on page 10-10. (Multiple 802.1X client sessions are available with
software release E.09.xx and greater.)
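
The membership rules above for a port with only an Unauthorized-Client VLAN configured, modeled as an added example (not taken from the manual or the switch software). The names PortConfig and effective_membership, the phase labels, and all VLAN IDs are hypothetical; suspending tagged memberships before authentication is inferred from the port "returning" to them.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class PortConfig:
    unauth_vid: int                         # Unauthorized-Client VLAN
    static_untagged: Optional[int] = None   # static untagged VLAN, if any
    static_tagged: FrozenSet[int] = frozenset()  # static tagged VLANs not used by Open VLAN mode

def effective_membership(cfg: PortConfig, phase: str,
                         radius_vid: Optional[int] = None
                         ) -> Tuple[Optional[int], FrozenSet[int]]:
    """Return (untagged VLAN, tagged VLANs) for the port in a given phase.

    phase: 'detected' (client seen, not authenticated), 'authenticated',
    or 'disconnected'.
    """
    if phase == "detected":
        # Port becomes an untagged member of the Unauthorized-Client VLAN and
        # is temporarily removed from its static untagged VLAN.
        # Assumption: static tagged memberships are suspended as well, since
        # the text says the port "returns" to them on authentication.
        return cfg.unauth_vid, frozenset()
    if phase == "authenticated":
        # A RADIUS-assigned VLAN overrides the static untagged VLAN while the
        # client is connected; otherwise the static untagged VLAN is restored.
        # (None means no untagged VLAN is defined by the rules on this page.)
        untagged = radius_vid if radius_vid is not None else cfg.static_untagged
        # Static tagged memberships come back even when RADIUS assigns another
        # VLAN. A tagged VLAN that RADIUS assigns becomes untagged instead.
        return untagged, cfg.static_tagged - {untagged}
    if phase == "disconnected":
        # Assumption: the overrides last only while the client is connected,
        # so the static configuration applies again.
        return cfg.static_untagged, cfg.static_tagged
    raise ValueError(f"unknown phase: {phase}")

def vlans_beyond_radius(cfg: PortConfig, radius_vid: int) -> list:
    """VLANs an authenticated port still carries besides the RADIUS VLAN."""
    _, tagged = effective_membership(cfg, "authenticated", radius_vid)
    return sorted(tagged)

if __name__ == "__main__":
    cfg = PortConfig(unauth_vid=100, static_untagged=10,
                     static_tagged=frozenset({20, 30}))  # constructed sample
    for phase, rv in [("detected", None), ("authenticated", None),
                      ("authenticated", 40), ("authenticated", 20),
                      ("disconnected", None)]:
        print(phase, rv, effective_membership(cfg, phase, rv))
```

When auditing a port, vlans_beyond_radius lists the static tagged VLANs that remain on the port even though RADIUS placed the client in a different authorized VLAN.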