Operating rules for authorized and unauthorized-client VLANs
Condition | Rule
---|---
Static VLANs used as authorized-client or unauthorized-client VLANs | These must be configured on the switch before you configure an 802.1X authenticator port to use them. (Use the
VLAN assignment received from a RADIUS server | If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because membership in both VLANs is untagged, and the switch allows only one untagged, port-based VLAN membership per port. For example, suppose you configured port A4 to place authenticated supplicants in VLAN 20. If a RADIUS server authenticates supplicant "A" and assigns this supplicant to VLAN 50, then the port can access VLAN 50 as an untagged member while the client session is running. When the client disconnects from the port, the port drops these assignments and uses the untagged VLAN memberships for which it is statically configured. (After client authentication, the port resumes any tagged VLAN memberships for which it is already configured.)
Temporary VLAN membership during a client session | Effect of unauthorized-client VLAN session on untagged port VLAN membership. Effect of authorized-client VLAN session on untagged port VLAN membership. NOTE: This rule assumes:
Multiple authenticator ports using the same unauthorized-client and authorized-client VLANs | You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1X authenticator ports configured on the switch. Similarly, you can use the same static VLAN as the Authorized-Client VLAN for all 802.1X authenticator ports configured on the switch. NOTE: If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other. CAUTION: Do not use the same static VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN. Using one VLAN for both creates a security risk by defeating the isolation of unauthenticated clients.
Effect of failed client authentication attempt (This rule assumes no other authenticated clients are already using the port on a different VLAN.) | When there is an Unauthorized-Client VLAN configured on an 802.1X authenticator port, an unauthorized client connected to the port has access only to the network resources belonging to the Unauthorized-Client VLAN. This access continues until the client disconnects from the port. (If there is no Unauthorized-Client VLAN configured on the authenticator port, the port simply blocks access for any unauthorized client.)
Effect of RADIUS-assigned VLAN (This rule assumes no other authenticated clients are already using the port on a different VLAN.) | The port joins the RADIUS-assigned VLAN as an untagged member.
IP addressing for a client connected to a port configured for 802.1X Open VLAN mode | A client can either acquire an IP address from a DHCP server or use a manually configured IP address before connecting to the switch.
802.1X supplicant software for a client connected to a port configured for 802.1X Open VLAN mode | A friendly client without 802.1X supplicant software that connects to an authenticator port must be able to download this software from the Unauthorized-Client VLAN before authentication can begin.
Switch with a port configured to allow multiple authorized-client sessions | When a new client is authenticated on a given port:
Limitation on using an unauthorized-client VLAN on an 802.1X port configured to allow multiple-client access | You can optionally enable switches to allow up to 32 clients per port. The Unauthorized-Client VLAN feature can operate on an 802.1X-configured port regardless of how many clients the port is configured to support. However, all clients on the same port must operate through the same untagged VLAN membership (see MAC-based VLANs). This means that any client accessing a given port must be able to authenticate and operate on the same VLAN as any other previously authenticated clients that are currently using the port. Thus, an Unauthorized-Client VLAN configured on a switch port that allows multiple 802.1X clients cannot be used if there is already an authenticated client using the port on another VLAN. Also, a client using the Unauthorized-Client VLAN will be blocked when another client becomes authenticated on the port. For this reason, the Unauthorized-Client VLAN feature is best used where only one client is allowed per port. Otherwise, unauthenticated clients are subject to being blocked at any time by authenticated clients using a different VLAN. (Using the same VLAN for authenticated and unauthenticated clients can create a security risk and is not recommended.)
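The precedence rules in the table (RADIUS-assigned VLAN over the Authorized-Client VLAN, a single untagged membership per port, unauthenticated clients blocked once an authenticated client holds the port on a different VLAN, and the caution against one VLAN for both roles) modelled in Python. This is an added illustration for this page, not switch firmware or vendor code; the PortConfig and Client names and the per-port resolver are assumptions, and the sample port values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PortConfig:
    static_vid: int                   # untagged VLAN the port is statically configured in
    auth_vid: Optional[int] = None    # Authorized-Client VLAN, if configured
    unauth_vid: Optional[int] = None  # Unauthorized-Client VLAN, if configured

@dataclass
class Client:
    name: str
    authenticated: bool
    radius_vid: Optional[int] = None  # VLAN assigned by the RADIUS server, if any

def check_config(cfg: PortConfig) -> None:
    # CAUTION from the table: one VLAN for both roles defeats isolation of unauthenticated clients
    if cfg.auth_vid is not None and cfg.auth_vid == cfg.unauth_vid:
        raise ValueError("Authorized-Client and Unauthorized-Client VLANs must differ")

def session_vid(cfg: PortConfig, c: Client) -> Optional[int]:
    """Untagged VLAN one client session would place the port in (None = client is blocked)."""
    if not c.authenticated:
        return cfg.unauth_vid         # no Unauthorized-Client VLAN configured -> blocked
    if c.radius_vid is not None:
        return c.radius_vid           # RADIUS assignment overrides the Authorized-Client VLAN
    if cfg.auth_vid is not None:
        return cfg.auth_vid
    return cfg.static_vid             # no auth VLAN: authenticated client uses static membership

def resolve_port(cfg: PortConfig, clients: list) -> tuple:
    """Return (the port's single untagged VLAN, names of clients that are blocked)."""
    check_config(cfg)
    active: Optional[int] = None
    blocked = []
    # authenticated clients claim the port's untagged membership first; an unauthenticated
    # client is admitted only while nobody holds the port on a different VLAN
    ordered = [c for c in clients if c.authenticated] + [c for c in clients if not c.authenticated]
    for c in ordered:
        vid = session_vid(cfg, c)
        if vid is None or (active is not None and vid != active):
            blocked.append(c.name)
        else:
            active = vid
    if active is None:
        active = cfg.static_vid       # no session running: port falls back to static memberships
    return active, blocked

if __name__ == "__main__":
    port_a4 = PortConfig(static_vid=1, auth_vid=20, unauth_vid=30)  # constructed sample port
    print(resolve_port(port_a4, [Client("A", True, radius_vid=50)]))  # table's example -> (50, [])
```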