Configuring Port-Based Access Control (802.1x)
802.1x Open VLAN Mode
Operating Rules for Authorized-Client and Unauthorized-Client VLANs

Condition: Static VLANs used as Authorized-Client or Unauthorized-Client VLANs
Rule: These must be configured on the switch before you configure an 802.1x authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.)

Condition: VLAN Assignment Received from a RADIUS Server
Rule: If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1x authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because both VLANs are untagged, and the switch allows only one untagged VLAN membership per-port. For example, suppose you configured port A4 to place authenticated supplicants in VLAN 20. If a RADIUS server authenticates supplicant "A" and assigns this supplicant to VLAN 50, then the port can access VLAN 50 for the duration of the client session. When the client disconnects from the port, then the port drops these assignments and uses only the VLAN memberships for which it is statically configured.

Condition: Temporary VLAN Membership During a Client Session
Rule:
- Port membership in a VLAN assigned to operate as the Unauthorized-Client VLAN is temporary, and ends when the client receives authentication or the client disconnects from the port, whichever is first.
- Port membership in a VLAN assigned to operate as the Authorized-Client VLAN is also temporary, and ends when the client disconnects from the port. If a VLAN assignment from a RADIUS server is used instead, the same rule applies.

Condition: Effect of Unauthorized-Client VLAN session on untagged port VLAN membership
Rule:
- When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). (While the Unauthorized-Client VLAN is in use, the port does not access the static, untagged VLAN.)
- When the client either becomes authenticated or disconnects, the port leaves the Unauthorized-Client VLAN and reacquires its untagged membership in the statically configured VLAN.

Condition: Effect of Authorized-Client VLAN session on untagged port VLAN membership
Rule:
- When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Authorized-Client VLAN (also untagged). While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN.
- When the authenticated client disconnects, the switch removes the port from the Authorized-Client VLAN and moves it back to the untagged membership in the statically configured VLAN.
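
The rules in the table above, written out as a small state model for checking which untagged VLAN a port should be in at each point of a client session. This is an added example, not code from the manual or the switch firmware: the class and method names are hypothetical, it assumes both client VLANs are configured on the port, and the static VLAN 1 and Unauthorized-Client VLAN 10 are constructed values (port A4, VLAN 20 and VLAN 50 come from the RADIUS example).

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class AuthenticatorPort:
    """Hypothetical model of one 802.1x authenticator port in Open VLAN mode."""
    switch_vlans: Set[int]            # VLAN IDs already configured on the switch
    static_untagged: int              # the port's statically configured untagged VLAN
    auth_vid: int                     # Authorized-Client VLAN
    unauth_vid: int                   # Unauthorized-Client VLAN
    state: str = "disconnected"       # disconnected | unauthenticated | authenticated
    radius_vid: Optional[int] = None  # VLAN assigned by RADIUS for this session

    def __post_init__(self):
        # Client VLANs must exist on the switch before the port can use them.
        for vid in (self.auth_vid, self.unauth_vid):
            if vid not in self.switch_vlans:
                raise ValueError(f"VLAN {vid} is not configured on the switch")

    def connect(self):
        self.state, self.radius_vid = "unauthenticated", None

    def authenticate(self, radius_vid: Optional[int] = None):
        self.state, self.radius_vid = "authenticated", radius_vid

    def disconnect(self):
        # Temporary memberships end; only the static memberships remain.
        self.state, self.radius_vid = "disconnected", None

    def untagged_vlan(self) -> int:
        """A port holds one untagged VLAN membership, so exactly one value applies."""
        if self.state == "unauthenticated":
            return self.unauth_vid
        if self.state == "authenticated":
            # A RADIUS assignment overrides the Authorized-Client VLAN.
            return self.radius_vid if self.radius_vid is not None else self.auth_vid
        return self.static_untagged


def walkthrough():
    # Port A4 with VLAN 20 and VLAN 50 as in the table; 1 and 10 are constructed.
    a4 = AuthenticatorPort({1, 10, 20, 50}, static_untagged=1, auth_vid=20, unauth_vid=10)
    seen = []
    for event, arg in [("connect", None), ("authenticate", 50), ("disconnect", None),
                       ("connect", None), ("authenticate", None), ("disconnect", None)]:
        getattr(a4, event)(*([arg] if arg is not None else []))
        seen.append((event, a4.untagged_vlan()))
    return seen


if __name__ == "__main__":
    for event, vlan in walkthrough():
        print(f"{event:<13} untagged VLAN {vlan}")
```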