13-42
Configuring Port-Based and User-Based Access Control (802.1X)
802.1X Open VLAN Mode
Note If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other.
Setting Up and Configuring 802.1X Open VLAN Mode
Preparation. This section assumes use of both the Unauthorized-Client and
Authorized-Client VLANs. Refer to Table 13-1 on page 13-35 for other options.
Before you configure the 802.1X Open VLAN mode on a port:
■ Statically configure an “Unauthorized-Client VLAN” in the switch. The only ports that should belong to this VLAN are ports offering services and access you want available to unauthenticated clients. (802.1X authenticator ports do not have to be members of this VLAN.)
Caution Do not allow any port memberships or network services on this VLAN that
would pose a security risk if exposed to an unauthorized client.
Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to Allow Multiple-Client Access
You can optionally enable switches to allow up to 32 clients per port. The Unauthorized-Client VLAN feature can operate on an 802.1X-configured port regardless of how many clients the port is configured to support. However, all clients on the same port must operate through the same untagged VLAN membership (unless MAC-based VLANs are enabled; see “MAC-Based VLANs” on page 6-52). This means that any client accessing a given port must be able to authenticate and operate on the same VLAN as any other previously authenticated clients that are currently using the port. Thus, an Unauthorized-Client VLAN configured on a switch port that allows multiple 802.1X clients cannot be used if there is already an authenticated client using the port on another VLAN. Also, a client using the Unauthorized-Client VLAN will be blocked when another client becomes authenticated on the port. For this reason, the Unauthorized-Client VLAN feature is best used where only one client is allowed per port. Otherwise, unauthenticated clients are subject to being blocked at any time by authenticated clients using a different VLAN. (Using the same VLAN for authenticated and unauthenticated clients can create a security risk and is not recommended.)
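The following Python model is an added illustration of the port-level rule this note describes; it is not switch firmware or code from the manual. It assumes a port carries one untagged VLAN at a time, and the names `AuthenticatorPort`, `connect` and `authenticate` are constructed for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Client:
    mac: str
    authenticated: bool = False
    vlan: Optional[int] = None  # VLAN the client operates on; None means blocked

@dataclass
class AuthenticatorPort:
    unauth_vid: int           # statically configured Unauthorized-Client VLAN
    auth_vid: int             # Authorized-Client VLAN used when RADIUS assigns none
    client_limit: int = 1     # the manual allows up to 32 clients per port
    clients: Dict[str, Client] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # The manual recommends against sharing one VLAN; the model forbids it.
        if self.unauth_vid == self.auth_vid:
            raise ValueError("authorized and unauthorized VLANs must differ")

    def _untagged_vlan(self) -> Optional[int]:
        """The one untagged VLAN active on the port (None if no client is placed)."""
        return next((c.vlan for c in self.clients.values() if c.vlan is not None), None)

    def connect(self, mac: str) -> Client:
        """A new, not-yet-authenticated client appears on the port."""
        if len(self.clients) >= self.client_limit:
            raise ValueError("per-port client limit reached")
        current = self._untagged_vlan()
        # The Unauthorized-Client VLAN is usable only while the port is idle or
        # already on that VLAN; an authenticated client on another VLAN blocks it.
        vlan = self.unauth_vid if current in (None, self.unauth_vid) else None
        self.clients[mac] = Client(mac, vlan=vlan)
        return self.clients[mac]

    def authenticate(self, mac: str, radius_vid: Optional[int] = None) -> Client:
        """Client passes 802.1X: the port's untagged VLAN becomes its authorized VLAN."""
        client = self.clients[mac]
        target = radius_vid if radius_vid is not None else self.auth_vid
        current = self._untagged_vlan()
        if current not in (None, self.unauth_vid, target):
            raise PermissionError(f"port already in use on VLAN {current}")
        client.authenticated, client.vlan = True, target
        # Clients still on the Unauthorized-Client VLAN are blocked from now on.
        for other in self.clients.values():
            if not other.authenticated and other.vlan == self.unauth_vid:
                other.vlan = None
        return client
```

Running it with two clients on a multi-client port shows the second, unauthenticated client losing access the moment the first authenticates, which is the reason the note recommends one client per port.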
Condition Rule