HP ProCurve 3400cl-24G Access Security Guide

Configuring Port-Based and Client-Based Access Control (802.1X)
802.1X Open VLAN Mode
Table 10-2. 802.1X Open VLAN Mode Options

802.1X Per-Port Configuration | Port Response

No Open VLAN mode:
  The port automatically blocks a client that cannot initiate an authentication session.

Open VLAN mode with both of the following configured:

Unauthorized-Client VLAN
  • When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this VLAN. If you previously configured the port as a static, tagged member of the VLAN, membership temporarily changes to untagged while the client remains unauthenticated.
  • If the port already has a statically configured, untagged membership in another VLAN, then the port temporarily closes access to this other VLAN while in the Unauthorized-Client VLAN.
  • To limit security risks, the network services and access available on the Unauthorized-Client VLAN should include only what a client needs to enable an authentication session. If the port is statically configured as a tagged member of any other VLANs, access to these VLANs is blocked while the port is a member of the Unauthorized-Client VLAN.
  Note for a 5300xl Port Configured To Allow Multiple Client Sessions: If any previously authenticated clients are using a port assigned to a VLAN other than the Unauthorized-Client VLAN, then a later client that is not running 802.1X supplicant software is blocked on the port until all other, authenticated clients on the port have disconnected.

Authorized-Client VLAN
  • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN.
  Notes: If the client is running an 802.1X supplicant application when the authentication session begins, and is able to authenticate itself before the switch assigns the port to the Unauthorized-Client VLAN, then the port does not become a member of the Unauthorized-Client VLAN. (On the 5300xl switches, you can use the unauth-period command, page 10-19, to delay moving the port into the Unauthorized-Client VLAN.)
  If RADIUS authentication assigns a VLAN and there are no other authenticated clients on the port, then the port becomes a member of the RADIUS-assigned VLAN, instead of the Authorized-Client VLAN, while the client is connected.
  • If the port is statically configured as a tagged member of a VLAN, and this VLAN is used as the Authorized-Client VLAN, then the port temporarily becomes an untagged member of this VLAN when the client becomes authenticated. When the client disconnects, the port returns to tagged membership in this VLAN.
— Continued on the Next Page —
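
The port responses in this part of Table 10-2 can be walked through with a small model, which helps when reviewing which static VLANs a port loses in each state. The Python below is an added example, not code from the HP guide or from switch software; PortConfig, PortResponse and port_response are hypothetical names, and it assumes a single client per port.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class PortConfig:                         # hypothetical name, not a switch API
    unauth_vid: Optional[int]             # Unauthorized-Client VLAN (None = not set)
    auth_vid: Optional[int]               # Authorized-Client VLAN (None = not set)
    static_untagged: Optional[int] = None
    static_tagged: FrozenSet[int] = frozenset()

@dataclass(frozen=True)
class PortResponse:
    blocked: bool                         # client gets no access at all
    client_vlan: Optional[int]            # VLAN the port is moved into for this client
    retagged: bool                        # static tagged membership temporarily untagged
    closed: FrozenSet[int]                # static memberships closed in this state

def port_response(cfg: PortConfig, client: str,
                  radius_vid: Optional[int] = None) -> PortResponse:
    """client is 'no_supplicant' or 'authenticated' (one client on the port)."""
    open_mode = cfg.unauth_vid is not None and cfg.auth_vid is not None
    if client == "no_supplicant":
        if not open_mode:                 # "No Open VLAN mode" row
            return PortResponse(True, None, False, frozenset())
        vid = cfg.unauth_vid
        # Every other static membership, tagged or untagged, is closed.
        others = set(cfg.static_tagged) | {cfg.static_untagged}
        closed = frozenset(v for v in others if v is not None and v != vid)
    elif client == "authenticated" and open_mode:
        # A RADIUS-assigned VLAN is used instead of the Authorized-Client VLAN.
        vid = radius_vid if radius_vid is not None else cfg.auth_vid
        # Assumption: a port has one untagged VLAN, so only the static untagged
        # VLAN is reported; this part of the table is silent on tagged VLANs here.
        closed = frozenset({cfg.static_untagged} - {None, vid})
    else:
        raise ValueError("case not covered by this part of Table 10-2")
    # The table states the tagged-to-untagged change only for the two
    # Open VLAN mode VLANs, so it is not claimed for a RADIUS-assigned VLAN.
    retagged = vid in cfg.static_tagged and vid in (cfg.unauth_vid, cfg.auth_vid)
    return PortResponse(False, vid, retagged, closed)
```

The closed set for the no_supplicant case is the list to compare against what the Unauthorized-Client VLAN itself exposes, since that VLAN is all an unauthenticated client can reach.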