Operating rules for authorized and unauthorized-client VLANs

Conditions for authorized-client and unauthorized-client VLANs, each followed by the rule that applies to it

Static VLANs used as authorized-client or unauthorized-client VLANs

These must be configured on the switch before you configure an 802.1X authenticator port to use them. (Use the vlan <vlan-id> command or the VLAN Menu screen in the Menu interface.)

VLAN assignment received from a RADIUS server

If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because membership in both VLANs is untagged, and the switch allows only one untagged, port-based VLAN membership per port. For example, suppose you configured port A4 to place authenticated supplicants in VLAN 20. If a RADIUS server authenticates supplicant “A” and assigns this supplicant to VLAN 50, the port can access VLAN 50 as an untagged member while the client session is running. When the client disconnects from the port, the port drops these assignments and uses the untagged VLAN memberships for which it is statically configured. (After client authentication, the port resumes any tagged VLAN memberships for which it is already configured.)

Temporary VLAN membership during a client session

  • Port membership in a VLAN assigned to operate as the Unauthorized-Client VLAN is temporary, and ends when the client receives authentication or the client disconnects from the port, whichever is first. In the case of the multiple clients allowed on switches covered in this guide, the first client to authenticate determines the untagged VLAN membership for the port until all clients have disconnected. Any other clients that cannot operate in that VLAN are blocked at that point.

  • Port membership in a VLAN assigned to operate as the Authorized-Client VLAN ends when the client disconnects from the port. If a VLAN assignment from a RADIUS server is used instead, the same rule applies. In the case of the multiple clients allowed on switches, the port maintains the same VLAN as long as there is any authenticated client using the VLAN. When the last client disconnects, then the port reverts to only the VLAN(s) for which it is statically configured as a member.

Effect of unauthorized-client VLAN session on untagged port VLAN membership

  • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). (While the Unauthorized-Client VLAN is in use, the port does not access any other VLANs.)

  • If the client disconnects, the port leaves the Unauthorized-Client VLAN and re-acquires membership in all the statically configured VLANs to which it belongs.

  • If the client becomes authenticated, the port leaves the Unauthorized-Client VLAN and joins the appropriate VLAN. See VLAN membership priorities.

  • In the case of the multiple clients allowed on switches, if an authenticated client is already using the port for a different VLAN, then any other unauthenticated clients needing to use the Unauthorized-Client VLAN are blocked.

Effect of authorized-client VLAN session on untagged port VLAN membership

  • When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Authorized-Client VLAN (also untagged). While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN.

  • When the authenticated client disconnects, the switch removes the port from the Authorized-Client VLAN and moves it back to the untagged membership in the statically configured VLAN. (After client authentication, the port resumes any tagged VLAN memberships for which it is already configured.)

NOTE:
This rule assumes:
  • No alternate VLAN has been assigned by a RADIUS server.

  • No other authenticated clients are already using the port.

Multiple authenticator ports using the same unauthorized-client and authorized-client VLANs

You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1X authenticator ports configured on the switch. Similarly, you can use the same static VLAN as the Authorized-Client VLAN for all 802.1X authenticator ports configured on the switch.
CAUTION:

Do not use the same static VLAN for both the unauthorized-client VLAN and the authorized-client VLAN. Using one VLAN for both creates a security risk by defeating the isolation of unauthenticated clients.

Effect of failed client authentication attempt

This rule assumes no other authenticated clients are already using the port on a different VLAN.

When there is an Unauthorized-Client VLAN configured on an 802.1X authenticator port, an unauthorized client connected to the port has access only to the network resources belonging to the Unauthorized-Client VLAN. This access continues until the client disconnects from the port. (If there is no Unauthorized-Client VLAN configured on the authenticator port, the port simply blocks access for any unauthorized client.)

Effect of RADIUS-assigned VLAN

This rule assumes no other authenticated clients are already using the port on a different VLAN.

The port joins the RADIUS-assigned VLAN as an untagged member.

IP Addressing for a client connected to a port configured for 802.1X Open VLAN mode

A client can either acquire an IP address from a DHCP server or use a manually configured IP address before connecting to the switch.

802.1X supplicant software for a client connected to a port configured for 802.1X Open VLAN mode

A friendly client, without 802.1X supplicant software, connecting to an authenticator port must be able to download this software from the Unauthorized-Client VLAN before authentication can begin.

Switch with a port configured to allow multiple authorized-client sessions

When a new client is authenticated on a given port:
  • If no other clients are authenticated on that port, then the port joins one VLAN in the following order of precedence:
    1. A RADIUS-assigned VLAN, if configured.

    2. An Authorized-Client VLAN, if configured.

    3. A static, port-based VLAN to which the port belongs as an untagged member.

    4. Any VLAN(s) to which the port is configured as a tagged member (provided that the client can operate in that VLAN).

  • If another client is already authenticated on the port, then the port is already assigned to a VLAN for the previously existing client session, and the new client must operate in this same VLAN, regardless of other factors. (This means that a client without 802.1X client authentication software cannot access a configured Unauthorized-Client VLAN if another, authenticated client is already using the port.)

Limitation on using an unauthorized-client VLAN on an 802.1X port configured to allow multiple-client access

You can optionally enable switches to allow up to 32 clients per port. The Unauthorized-Client VLAN feature can operate on an 802.1X-configured port regardless of how many clients the port is configured to support. However, all clients on the same port must operate through the same untagged VLAN membership (see MAC-based VLANs). This means that any client accessing a given port must be able to authenticate and operate on the same VLAN as any other previously authenticated clients that are currently using the port. Thus, an Unauthorized-Client VLAN configured on a switch port that allows multiple 802.1X clients cannot be used if there is already an authenticated client using the port on another VLAN. Also, a client using the Unauthorized-Client VLAN will be blocked when another client becomes authenticated on the port. For this reason, the best utilization of the Unauthorized-Client VLAN feature is in instances where only one client is allowed per port. Otherwise, unauthenticated clients are subject to being blocked at any time by authenticated clients using a different VLAN. (Using the same VLAN for authenticated and unauthenticated clients can create a security risk and is not recommended.)
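As an added illustration (not the switch's own code), the Python model below applies the VLAN precedence listed above for a newly authenticated client together with the single-untagged-VLAN rule that blocks other clients on a multiple-client port. Port values, client identifiers and the method names are constructed for the example, and the tagged-VLAN fallback (precedence step 4) is deliberately not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class OpenVlanPort:
    static_untagged: int                   # statically configured untagged VLAN
    auth_vid: Optional[int] = None         # Authorized-Client VLAN, if configured
    unauth_vid: Optional[int] = None       # Unauthorized-Client VLAN, if configured
    client_limit: int = 1                  # clients allowed per port (1 to 32)
    authenticated: Dict[str, int] = field(default_factory=dict)  # client -> VLAN
    unauthenticated: Set[str] = field(default_factory=set)

    def current_vlan(self) -> int:
        """The single untagged VLAN the port is using right now."""
        if self.authenticated:             # authenticated sessions own the VLAN
            return next(iter(self.authenticated.values()))
        if self.unauthenticated and self.unauth_vid is not None:
            return self.unauth_vid         # temporary Unauthorized-Client VLAN
        return self.static_untagged        # idle: static membership only

    def connect_unauthenticated(self, client: str) -> Optional[int]:
        """A client that fails or skips 802.1X attaches; VLAN it gets, or None if blocked."""
        if self.unauth_vid is None or self.authenticated:
            return None                    # no unauth VLAN, or an authenticated session owns the port
        self.unauthenticated.add(client)
        return self.unauth_vid

    def authenticate(self, client: str, radius_vid: Optional[int] = None) -> Optional[int]:
        """A client passes 802.1X; VLAN it gets, or None if the port is full."""
        self.unauthenticated.discard(client)
        if self.authenticated:             # must follow the existing session's VLAN
            vlan = self.current_vlan()
        elif radius_vid is not None:       # 1. RADIUS-assigned VLAN
            vlan = radius_vid
        elif self.auth_vid is not None:    # 2. Authorized-Client VLAN
            vlan = self.auth_vid
        else:                              # 3. static untagged VLAN
            vlan = self.static_untagged
        if len(self.authenticated) >= self.client_limit:
            return None
        self.authenticated[client] = vlan
        self.unauthenticated.clear()       # any unauthenticated client is now blocked
        return vlan

    def disconnect(self, client: str) -> int:
        """A client leaves; returns the VLAN the port falls back to."""
        self.authenticated.pop(client, None)
        self.unauthenticated.discard(client)
        return self.current_vlan()
```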

NOTE:

If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other.