8-21
Configuring Port-Based Access Control (802.1X)
802.1X Open VLAN Mode
802.1X Open VLAN Mode
This section describes how to use the 802.1X Open VLAN mode to configure
unauthorized-client and authorized-client VLANs on ports configured as
802.1X authenticators.
Introduction
Configuring the 802.1X Open VLAN mode on a port changes how the port
responds when it detects a new client. In earlier releases, a “friendly” client
computer not running 802.1X supplicant software could not be authenticated
on a port protected by 802.1X access security. As a result, the port would
become blocked and the client could not access the network. This prevented
the client from:
■ Acquiring IP addressing from a DHCP server
■ Downloading the 802.1X supplicant software necessary for an authen-
tication session
The 802.1X Open VLAN mode solves this problem by temporarily suspending
the port’s static, tagged and untagged VLAN memberships and placing the port
in a designated Unauthorized-Client VLAN. In this state the client can
proceed with initialization services, such as acquiring IP addressing and
802.1X software, and starting the authentication process. Following client
authentication, the port drops its temporary (untagged) membership in the
Unauthorized-Client VLAN and joins (or rejoins) one of the following as an
untagged member:
802.1X Authentication Commands page 8-15
802.1X Supplicant Commands page 8-35
802.1X Open VLAN Mode Commands
[no] aaa port-access authenticator [e] < port-list > page 8-30
[auth-vid < vlan-id >]
[unauth-vid < vlan-id >]
802.1X-Related Show Commands page 8-38
RADIUS server configuration pages 8-20