HP ProCurve 6400cl Series Access Security Guide

HP ProCurve 6400cl Series
404 pages
Configuring Port-Based and Client-Based Access Control (802.1X)
802.1X Open VLAN Mode
Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 10-44.

802.1X Open VLAN Operating Notes

Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended. Using the same VLAN for both purposes allows unauthenticated clients access to a VLAN intended only for authenticated clients, which poses a security breach.

While an Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the port from any other statically configured VLAN for which that port is configured as a member. Note that the Menu interface will still display the port’s statically configured VLAN(s).

A VLAN used as the Unauthorized-Client VLAN should not allow access to resources that must be protected from unauthenticated clients.

If a port is configured as a tagged member of VLAN “X” that is not used as an Unauthorized-Client, Authorized-Client, or RADIUS-assigned VLAN, then the port returns to tagged membership in VLAN “X” upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN “Y”. Note that if RADIUS assigns VLAN “X” as an authorized VLAN, then the port becomes an untagged member of VLAN “X” for the duration of the client connection. After the client disconnects, the port returns to tagged membership in VLAN “X”. (If there is no Authorized-Client or RADIUS-assigned VLAN, then an authenticated client without tagged VLAN capability can access only a statically configured, untagged VLAN on that port.)

When a client’s authentication attempt on an Unauthorized-Client VLAN fails, the port remains a member of the Unauthorized-Client VLAN until the client disconnects from the port.

During an authentication session on a port in 802.1X Open VLAN mode, if RADIUS specifies membership in an untagged VLAN, this assignment overrides port membership in the Authorized-Client VLAN. If there is no Authorized-Client VLAN configured, then the RADIUS assignment overrides any untagged VLAN for which the port is statically configured.

If the only authenticated client on a port loses authentication during a session in 802.1X Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client VLAN configured, then the client loses access to the port until it can reauthenticate itself. If the switch is a 5300xl running E.09.xx or greater
10-35
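
The first and third operating notes above can be checked mechanically against a saved switch configuration. The following is an added example, not part of the HP guide: it assumes the configuration contains `aaa port-access authenticator <port-list> auth-vid|unauth-vid <vlan-id>` lines in the form shown, uses a constructed sample configuration, and takes a hypothetical `protected_vlans` parameter listing the VLAN IDs that unauthenticated clients must not reach.

```python
import re
from collections import defaultdict

# Constructed sample. The line format is an assumption modelled on the
# ProCurve "aaa port-access authenticator <port-list> ..." commands.
SAMPLE_CONFIG = """\
aaa port-access authenticator A1-A3,B2
aaa port-access authenticator A1-A2 auth-vid 10
aaa port-access authenticator A1-A2 unauth-vid 20
aaa port-access authenticator A3 auth-vid 30
aaa port-access authenticator A3 unauth-vid 30
aaa port-access authenticator B2 unauth-vid 40
aaa port-access authenticator active
"""

LINE_RE = re.compile(r"^aaa port-access authenticator\s+(\S+)\s+"
                     r"(auth-vid|unauth-vid)\s+(\d+)$")
PORT_RE = re.compile(r"^([A-Za-z]*)(\d+)$")


def expand_ports(port_list):
    """Expand 'A1-A3,B2' into ['A1', 'A2', 'A3', 'B2']."""
    ports = []
    for item in port_list.split(","):
        first, _, last = item.partition("-")
        lo, hi = PORT_RE.match(first), PORT_RE.match(last or first)
        if not lo or not hi or lo.group(1) != hi.group(1):
            raise ValueError(f"unsupported port range: {item!r}")
        ports += [f"{lo.group(1)}{n}"
                  for n in range(int(lo.group(2)), int(hi.group(2)) + 1)]
    return ports


def audit_open_vlan(config_text, protected_vlans=()):
    """Map each port to the Open VLAN findings that apply to it."""
    vids = defaultdict(dict)
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            for port in expand_ports(m.group(1)):
                vids[port][m.group(2)] = int(m.group(3))
    findings = defaultdict(list)
    for port, cfg in sorted(vids.items()):
        auth, unauth = cfg.get("auth-vid"), cfg.get("unauth-vid")
        if unauth is not None and unauth == auth:
            findings[port].append(f"unauth-vid equals auth-vid (VLAN {unauth})")
        if unauth in protected_vlans:
            findings[port].append(f"unauth-vid {unauth} is a protected VLAN")
    return dict(findings)
```

Calling `audit_open_vlan(SAMPLE_CONFIG, protected_vlans={40})` reports port A3 for sharing one VLAN between both roles and port B2 for placing unauthenticated clients in a protected VLAN.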

HP ProCurve 6400cl Series Specifications

Brand: HP
Model: ProCurve 6400cl Series
Category: Switch
Language: English