Configuring Port-Based Access Control (802.1x)
How RADIUS/802.1x Authentication Affects VLAN Operation
supplicant port to another without clearing the statistics data from the first
port, the authenticator’s MAC address will appear in the supplicant statistics
for both ports.
How RADIUS/802.1x Authentication
Affects VLAN Operation
RADIUS authentication for an 802.1x client on a given port can include a
(static) VLAN requirement. (Refer to the documentation provided with your
RADIUS application.)
Static VLAN Requirement
The static VLAN to which a RADIUS server assigns a client must already exist
on the switch. If it does not exist or is a dynamic VLAN (created by GVRP),
authentication fails. Also, for the session to proceed, the port must be an
untagged member of the required VLAN. If it is not, the switch temporarily
reassigns the port as described below.
If the Port Used by the Client Is Not Configured as an Untagged
Member of the Required Static VLAN: When a client is authenticated on
port "N", if port "N" is not already configured as an untagged member of the
static VLAN specified by the RADIUS server, then the switch temporarily
assigns port "N" as an untagged member of the required VLAN (for the duration
of the 802.1x session). At the same time, if port "N" is already configured as
an untagged member of another VLAN, port "N" loses access to that other
VLAN for the duration of the session. (This is because a port can be an
untagged member of only one VLAN at a time.)
6-43
