8-31
Configuring Port-Based Access Control (802.1X)
802.1X Open VLAN Mode
Inspecting 802.1X Open VLAN Mode Operation. For information and
an example on viewing current Open VLAN mode operation, refer to “Viewing
802.1X Open VLAN Mode Status” on page 8-40.
802.1X Open VLAN Operating Notes
■ Although you can configure Open VLAN mode to use the same VLAN
for both the Unauthorized-Client VLAN and the Authorized-Client
VLAN, this is not recommended. Using the same VLAN for both
purposes allows unauthenticated clients access to a VLAN intended
only for authenticated clients, which poses a security breach.
■ While an Unauthorized-Client VLAN is in use on a port, the switch
temporarily removes the port from any other statically configured
VLAN for which that port is configured as a member. Note that the
Menu interface will still display the port’s statically configured
VLAN(s).
■ A VLAN used as the Unauthorized-Client VLAN should not allow
access to resources that must be protected from unauthenticated
clients.
■ If a port is configured as a tagged member of VLAN "X" that is not used
as an Unauthorized-Client, Authorized-Client, or RADIUS-assigned
VLAN, then the port returns to tagged membership in VLAN "X" upon
successful client authentication. This happens even if the RADIUS
server assigns the port to another, authorized VLAN "Y". Note that if
RADIUS assigns VLAN "X" as an authorized VLAN, then the port
becomes an untagged member of VLAN "X" for the duration of the
client connection. After the client disconnects, the port returns to
tagged membership in VLAN "X". (If there is no Authorized-Client or
RADIUS-assigned VLAN, then an authenticated client without tagged
VLAN capability can access only a statically configured, untagged
VLAN on that port.)
■ When a client’s authentication attempt on an Unauthorized-Client
VLAN fails, the port remains a member of the Unauthorized-Client
VLAN until the client disconnects from the port.
■ During an authentication session on a port in 802.1X Open VLAN
mode, if RADIUS specifies membership in an untagged VLAN, this
assignment overrides port membership in the Authorized-Client
VLAN. If there is no Authorized-Client VLAN configured, then the
RADIUS assignment overrides any untagged VLAN for which the port
is statically configured.