
HP ProCurve 5300xl Series Access Security Guide

HP ProCurve 5300xl Series
292 pages
Configuring Port-Based Access Control (802.1x)
802.1x Open VLAN Mode
1. 1st Priority: The port joins a VLAN to which it has been assigned by a
RADIUS server during authentication.
2. 2nd Priority: If RADIUS authentication does not include assigning the
port to a VLAN, then the switch assigns the port to the VLAN entered in
the port’s 802.1x configuration as an Authorized-Client VLAN, if
configured.
3. 3rd Priority: If the port does not have an Authorized-Client VLAN
configured, but does have a static, untagged VLAN membership in its
configuration, then the switch assigns the port to this VLAN.

If the port is not configured for any of the above, then it must be a tagged
member of at least one static VLAN. If the client is capable of operating with
that tagged VLAN, then it receives access to the VLAN. Otherwise, the
connection fails.

Note: After client authentication, the port resumes membership in any tagged
VLANs for which it is configured. If the port belongs to a tagged VLAN used
for 1 or 2 above, then it operates as an untagged member of that VLAN while
the client is connected. When the client disconnects, the port reverts to tagged
membership in the VLAN.

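The priority order and the Note above can be modeled as a small function for auditing which VLAN an authenticated client ends up on. This is an added example, not code from the HP manual or the switch software; the `PortConfig` fields, the `resolve` function and the sample ports are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, NamedTuple, Optional


@dataclass(frozen=True)
class PortConfig:
    # Field names are assumptions made for this model, not switch syntax.
    authorized_client_vlan: Optional[int] = None  # from the port's 802.1x config
    static_untagged_vlan: Optional[int] = None
    tagged_vlans: FrozenSet[int] = frozenset()


class Result(NamedTuple):
    source: str               # which rule decided the outcome
    untagged: Optional[int]   # VLAN the client's untagged traffic lands on
    tagged: FrozenSet[int]    # tagged memberships active while connected


def resolve(port, radius_vlan=None, client_tags=frozenset()):
    """Return the Result for an authenticated client, or None if the connection fails."""
    if radius_vlan is not None:                     # 1st priority
        source, untagged = "radius", radius_vlan
    elif port.authorized_client_vlan is not None:   # 2nd priority
        source, untagged = "authorized-client", port.authorized_client_vlan
    elif port.static_untagged_vlan is not None:     # 3rd priority
        source, untagged = "static-untagged", port.static_untagged_vlan
    else:
        # No untagged VLAN: the client must be able to use a tagged VLAN of the port.
        usable = port.tagged_vlans & client_tags
        return Result("tagged-only", None, port.tagged_vlans) if usable else None
    # Per the Note, a tagged VLAN chosen by rule 1 or 2 runs untagged while connected.
    return Result(source, untagged, port.tagged_vlans - {untagged})


if __name__ == "__main__":
    # Constructed sample ports, not taken from a real switch configuration.
    ports = {
        "A1": PortConfig(20, 10, frozenset({20, 30})),
        "A2": PortConfig(static_untagged_vlan=10, tagged_vlans=frozenset({30})),
        "A3": PortConfig(tagged_vlans=frozenset({30})),
    }
    for name, port in ports.items():
        print(name, "no RADIUS VLAN:", resolve(port))
    print("A1 with RADIUS VLAN 40:", resolve(ports["A1"], radius_vlan=40))
```

Port A1 shows the case worth checking in an audit: its static untagged VLAN 10 is never used for authenticated clients, because the Authorized-Client VLAN takes precedence.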
Use Models for 802.1x Open VLAN Modes
You can apply the 802.1x Open VLAN mode in more than one way. Depending
on your use, you will need to create one or two static VLANs on the switch for
exclusive use by per-port 802.1x Open VLAN mode authentication:
■ Unauthorized-Client VLAN: Configure this VLAN when unauthenticated,
friendly clients will need access to some services before being
authenticated.
■ Authorized-Client VLAN: Configure this VLAN for authenticated
clients when the port is not statically configured as an untagged
member of a VLAN you want clients to use, or when the port is
statically configured as an untagged member of a VLAN you do not
want clients to use. (A port can be configured as untagged on only
one VLAN. When an Authorized-Client VLAN is configured, it will
always be untagged and will block the port from using a statically
configured, untagged membership in another VLAN.) Note that after
client authentication, the port returns to membership in any tagged
VLANs for which you have configured it. See the "Note", above.