Configuring Port-Based and Client-Based Access Control (802.1X)
802.1X Open VLAN Mode
Condition Rule
Effect of Failed Client Authentication
Attempt
5300xl Running Software Release E.09.xx
or Greater: This rule assumes no other
authenticated clients are already using
the port on a different VLAN.
When there is an Unauthorized-Client VLAN configured on an 802.1X
authenticator port, an unauthorized client connected to the port has
access only to the network resources belonging to the Unauthorized-
Client VLAN. This access continues until the client disconnects from
the port. (If there is no Unauthorized-Client VLAN configured on the
authenticator port, the port simply blocks access for any unauthorized
client.)
Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an untagged member.
5300xl Running Software Release E.09.xx
or Greater: This rule assumes no other
authenticated clients are already using
the port on a different VLAN.
IP Addressing for a Client Connected
to a Port Configured for 802.x Open
VLAN Mode
802.1X Supplicant Software for a
Client Connected to a Port Configured
for 802.1X Open VLAN Mode
A client can either acquire an IP address from a DHCP server or use
a manually configured IP address before connecting to the switch.
A friendly client, without 802.1X supplicant software, connecting to an
authenticator port must be able to download this software from the
Unauthorized-Client VLAN before authentication can begin.
5300xl Running Software Release When a new client is authenticated on a given port:
E.09.xx or Greater, with a Port
• If no other clients are authenticated on that port, then the port joins
Configured To Allow Multiple one VLAN in the following order of precedence:
Authorized-Client Sessions
a. A RADIUS-assigned VLAN, if configured.
b. An Authenticated-Client VLAN, if configured.
c. A static, port-based VLAN to which the port belongs as an
untagged member.
d. Any VLAN(s) to which the port is configured as a tagged
member (provided that the client can operate in that VLAN).
• If another client is already authenticated on the port, then the port
is already assigned to a VLAN for the previously-existing client
session, and the new client must operate in this same VLAN,
regardless of other factors. (This means that a client without 802.1X
client authentication software cannot access a configured,
Unauthenticated-Client VLAN if another, authenticated client is
already using the port.)
10-29
To Next Page
Loading...
Need help?
General