5-24
Configuring Port-Based Access Control (802.1x)
How 802.1x Authentication Affects VLAN Operation
Note on Supplicant Statistics. For each port configured as a supplicant,
show port-access supplicant statistics [ [e] < port-list > ] displays the source MAC
address and statistics for transactions with the authenticator device most
recently detected on the port. If the link between the supplicant port and the
authenticator device fails, the supplicant port continues to show data from
the connection to the most recent authenticator device until one of the
following occurs:
- The supplicant port detects a different authenticator device
- You use the aaa port-access supplicant [ e ] < port-list > clear-statistics
  command to clear the statistics for the supplicant port
- The switch reboots
Thus, if the supplicant’s link to the authenticator fails, the supplicant retains
the most recent transaction statistics until one of the above events occurs.
Also, if you move a link with an authenticator from one supplicant port to
another without clearing the statistics data from the first port, the
authenticator's MAC address will appear in the supplicant statistics for both ports.
How 802.1x Authentication Affects VLAN Operation
RADIUS authentication for an 802.1x client on a given port can include a
(static) VLAN requirement. (Refer to the documentation provided with your
RADIUS application.)
Static VLAN Requirement
The static VLAN to which a client is assigned must already exist on the switch.
If it does not exist or is a dynamic VLAN (created by GVRP), authentication
fails. Also, for the session to proceed, the port must be an untagged member
of the required VLAN. If it is not, the switch temporarily reassigns the port as
described below.
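The three checks above (the RADIUS-specified VLAN must exist, it must be static rather than GVRP-learned, and the port must be an untagged member or be temporarily reassigned for the session) can be modelled in a few lines. The following Python is an added illustration written for this page, not code from the switch or its documentation; the switch model, VLAN table and port names are constructed for the example, and the "temporary" reassignment is represented as a field that is cleared when the session ends.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Vlan:
    vid: int
    static: bool  # False means the VLAN was created dynamically (GVRP)


@dataclass
class Port:
    name: str
    untagged_vlan: int  # VLAN the port is statically configured as an untagged member of
    temp_untagged_vlan: Optional[int] = None  # set only for the duration of an 802.1x session


@dataclass
class SwitchModel:
    """Hypothetical model of the VLAN-related outcome of an 802.1x authentication."""
    vlans: Dict[int, Vlan]
    ports: Dict[str, Port]

    def authenticate(self, port_name: str, radius_vlan: int) -> Tuple[str, str]:
        """Apply the static VLAN requirement returned by RADIUS to a port.

        Returns ("fail", reason) when the page says authentication fails,
        otherwise ("ok", what-happened).
        """
        port = self.ports[port_name]
        vlan = self.vlans.get(radius_vlan)
        if vlan is None:
            # The VLAN must already exist on the switch.
            return ("fail", "vlan-not-present")
        if not vlan.static:
            # A dynamic (GVRP) VLAN cannot satisfy the requirement.
            return ("fail", "vlan-is-dynamic")
        if port.untagged_vlan == radius_vlan:
            # Port is already an untagged member: nothing to change.
            return ("ok", "already-untagged-member")
        # Otherwise the port is temporarily made an untagged member of the
        # required VLAN for the duration of the session.
        port.temp_untagged_vlan = radius_vlan
        return ("ok", "temporarily-reassigned")

    def end_session(self, port_name: str) -> None:
        """End the 802.1x session: the temporary untagged assignment is dropped."""
        self.ports[port_name].temp_untagged_vlan = None

    def effective_untagged_vlan(self, port_name: str) -> int:
        """VLAN in which the port currently passes untagged traffic."""
        port = self.ports[port_name]
        return port.temp_untagged_vlan if port.temp_untagged_vlan is not None else port.untagged_vlan


def build_sample_switch() -> SwitchModel:
    """Constructed sample: VLAN 1 and 20 are static, VLAN 30 was learned via GVRP."""
    return SwitchModel(
        vlans={1: Vlan(1, static=True), 20: Vlan(20, static=True), 30: Vlan(30, static=False)},
        ports={"A1": Port("A1", untagged_vlan=1), "A2": Port("A2", untagged_vlan=20)},
    )


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the four cases the page describes and return the outcome of each."""
    sw = build_sample_switch()
    results = {
        "missing-vlan": sw.authenticate("A1", 40),      # VLAN 40 does not exist
        "dynamic-vlan": sw.authenticate("A1", 30),      # VLAN 30 is GVRP-created
        "already-member": sw.authenticate("A2", 20),    # A2 is already untagged in 20
        "reassigned": sw.authenticate("A1", 20),        # A1 is moved into 20 for the session
    }
    assert sw.effective_untagged_vlan("A1") == 20
    sw.end_session("A1")
    assert sw.effective_untagged_vlan("A1") == 1  # back to its configured VLAN
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

Running the block prints the outcome of each case; the reassignment case shows the port reporting VLAN 20 during the session and VLAN 1 again once the session ends.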
If the Port Used by the Client Is Not Configured as an Untagged
Member of the Required Static VLAN: When a client is authenticated on
port "N", if port "N" is not already configured as an untagged member of the
static VLAN specified by the RADIUS server, then the switch temporarily
assigns port "N" as an untagged member of the required VLAN (for the duration
of the 802.1x session). At the same time, if port "N" is already configured as