8-13
Configuring Port-Based and Client-Based Access Control (802.1X)
General Operating Rules and Notes
■ Using port-based 802.1X authentication, when a port on the switch is
configured as an authenticator, one authenticated client opens the
port. Other clients that are not running an 802.1X supplicant applica-
tion can have access to the switch and network through the opened
port. If another client uses an 802.1X supplicant application to access
the opened port, then a re-authentication occurs using the RADIUS
configuration response for the latest client to authenticate. To control
access by all clients, use the client-based method.
■ If a port on switch “A” is configured as an 802.1X supplicant and is
connected to a port on another switch, “B”, that is not 802.1X-aware,
access to switch “B” will occur without 802.1X security protection.
■ You can configure a port as both an 802.1X authenticator and an
802.1X supplicant.
■ If a port on switch “A” is configured as both an 802.1X authenticator
and supplicant and is connected to a port on another switch, “B”, that
is not 802.1X-aware, access to switch “B” will occur without 802.1X
security protection, but switch “B” will not be allowed access to
switch “A”.
■ If a client already has access to a switch port when you configure the
port for 802.1X authenticator operation, the port will block the client
from further network access until it can be authenticated.
■ On a port configured for 802.1X with RADIUS authentication, if the
RADIUS server specifies a VLAN for the supplicant and the port is a
trunk member, the port will be blocked. If the port is later removed
from the trunk, the port will try to authenticate the supplicant. If
authentication is successful, the port becomes unblocked. Similarly,
if the supplicant is authenticated and later the port becomes a trunk
member, the port will be blocked. If the port is then removed from
the trunk, it tries to re-authenticate the supplicant. If successful, the
port becomes unblocked.
■ To help maintain security, 802.1X and LACP cannot both be enabled
on the same port. If you try to configure 802.1X on a port already
configured for LACP (or the reverse) you will see a message similar
to the following:
Error configuring port X: LACP and 802.1X cannot be run together.
Note on 802.1X
and LACP
To help maintain security, the switch does not allow 802.1X and LACP to both
be enabled at the same time on the same port. Refer to “Messages Related to
802.1X Operation” on page 8-58
To Next Page
Loading...
Need help?
General