General features
802.1X on the switches covered in this guide includes the following:
- Switch operation as both an authenticator (for supplicants having a point-to-point connection to the switch) and as a supplicant for point-to-point connections to other 802.1X-aware switches.
- Authentication of 802.1X access using a RADIUS server and either the EAP or CHAP protocol.
- Provision for enabling clients that do not have 802.1X supplicant software to use the switch as a path for downloading the software and initiating the authentication process (802.1X Open VLAN mode).
- User-Based access control option with support for up to 32 authenticated clients per port.
- Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication.
- Supplicant implementation using CHAP authentication and independent user credentials on each port.
- The local operator password configured with the password command for management access to the switch is no longer accepted as an 802.1X authenticator credential. The password port-access command configures the local operator username and password used as 802.1X authentication credentials for access to the switch. The values configured can be stored in a configuration file using the include-credentials command. For information about the password port-access command, see General setup procedure for 802.1X access control.
- On-demand change of a port's configured VLAN membership status to support the current client session.
- Session accounting with a RADIUS server, including the accounting update interval.
- Use of show commands to display session counters.
- Support for concurrent use of 802.1X and either Web authentication or MAC authentication on the same port.
- For unauthenticated clients that do not have the necessary 802.1X supplicant software (or for other reasons related to unauthenticated clients), there is the option to configure an Unauthorized-Client VLAN. This mode allows you to assign unauthenticated clients to an isolated VLAN through which you can provide the necessary supplicant software and/or other services you want to extend to these clients.
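The difference between the User-Based and Port-Based options above matters when reviewing a configuration: a port left in Port-Based mode admits every client behind it once one client authenticates. The following audit script is an added example, not part of this guide. It assumes the authenticator is enabled with "aaa port-access authenticator <port-list>" and switched to User-Based mode with a "client-limit" line, an assumption about the CLI since the commands are not shown on this page, and it handles numeric port lists only; the sample configuration is constructed.

```python
import re

# Constructed sample of switch configuration lines (not taken from the guide).
SAMPLE_CONFIG = """\
aaa authentication port-access eap-radius
aaa port-access authenticator 1-6
aaa port-access authenticator 1 client-limit 32
aaa port-access authenticator 2 client-limit 1
aaa port-access authenticator 5-6 client-limit 4
aaa port-access authenticator active
"""

# Assumed syntax: "aaa port-access authenticator <port-list> [option value]".
AUTH_RE = re.compile(r"^aaa port-access authenticator (\d[\d,\-]*)(?:\s+(.*))?$")

def expand_ports(spec):
    """Expand a numeric port list such as '1-3,7' into {1, 2, 3, 7}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config_text):
    """Map each authenticator port to 'port-based' or ('user-based', limit)."""
    enabled, limits = set(), {}
    for line in config_text.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue  # unrelated lines, including "... authenticator active"
        ports, rest = expand_ports(m.group(1)), (m.group(2) or "").split()
        if not rest:
            enabled |= ports  # authenticator enabled on these ports
        elif rest[0] == "client-limit" and len(rest) == 2:
            for p in ports:
                limits[p] = int(rest[1])  # user-based, up to 32 clients
    return {p: ("user-based", limits[p]) if p in limits else "port-based"
            for p in sorted(enabled)}

def port_based_ports(config_text):
    """Ports where one authenticated client opens the port to all others."""
    return [p for p, mode in audit(config_text).items() if mode == "port-based"]

if __name__ == "__main__":
    for port, mode in audit(SAMPLE_CONFIG).items():
        print(port, mode)
```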