Not e
Configuring Port-Based and Client-Based Access Control (802.1X)
General 802.1X Authenticator Operation
5300xl switches running software release E.09.xx or greater use the extended
802.1X client-based authentication. 3400cl and 6400cl switches (and 5300xl
switches running a software version earlier than E.09.xx) use 802.1X port-
based authentication. For more information, refer to
“User Authentication
Methods” on page 10-4.
VLAN Membership Priority
Following client authentication, an 802.1X port resumes membership in any
tagged VLANs for which it is already assigned in the switch configuration. The
port also becomes an untagged member of one VLAN according to the follow
-
ing order of options:
a. 1st Priority: The port joins a VLAN to which it has been assigned by
a RADIUS server during client authentication.
b. 2nd Priority: If RADIUS authentication does not include assigning
the port to a VLAN, then the switch assigns the port to the VLAN
entered in the port’s 802.1X configuration as an Authorized-Client
VLAN, if configured.
c. 3rd Priority: If the port does not have an Authorized-Client VLAN
configured, but does have a static, untagged VLAN membership in its
configuration, then the switch assigns the port to this VLAN.
A port assigned to a VLAN by an Authorized-Client VLAN configuration
(or a RADIUS server) will be an untagged member of the VLAN for the
duration of the authenticated session. This applies even if the port is also
configured in the switch as a tagged member of the same VLAN.
Note that 3400cl and 6400cl switches (and 5300xl switches running a
software release earlier than E.09.xx) handle the presence of a previously
authenticated client on a port differently than 5300xl switches running
software release E.09.xx or greater. Refer to
“User Authentication Meth-
ods” on page 10-4.
Note for 5300xl On 5300xl switches running software release E.09.xx or greater, using the
Switches
same port for both RADIUS-assigned clients and clients using a config
-
ured, Authorized-Client VLAN is not recommended. This is because doing
so can result in authenticated clients with mutually exclusive VLAN
priorities, which means that some authenticated clients can be denied
access to the port. Refer to figure
10-1 on page 10-10.
10-9
To Next Page
Loading...
Need help?
General