General operating rules and notes
- In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed:
Multicast and broadcast traffic
Unicast traffic to authenticated clients
All traffic from authenticated clients.
When a port on the switch is configured as either an authenticator or supplicant and is connected to another device, rebooting the switch causes a reauthentication of the link.
Using user-based 802.1X authentication, when a port on the switch is configured as an authenticator the port allows only authenticated clients up to the currently configured client limit. For clients without proper 802.1X supplicant software, the optional 802.1X Open VLAN mode can be used to open a path for downloading 802.1X supplicant software to a client or to provide other services for unauthenticated clients. See 802.1X Open VLAN mode.
Using port-based 802.1X authentication when a port on the switch is configured as an authenticator, one authenticated client opens the port. Other clients not running an 802.1X supplicant application can have access to the switch and network through the opened port. If another client uses an 802.1X supplicant application to access the opened port, reauthentication occurs using the RADIUS configuration response for the latest client to authenticate. To control access by all clients, use the user-based method.
If a port on switch "A" is configured as an 802.1X supplicant and is connected to a port on another switch, "B", that is not 802.1X-aware, access to switch "B" will occur without 802.1X security protection.
You can configure a port as both an 802.1X authenticator and an 802.1X supplicant.
If a port on switch “A” is configured as both an 802.1X authenticator and supplicant and is connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection, but switch “B” will not be allowed access to switch “A”.
If a client already has access to a switch port when you configure the port for 802.1X authenticator operation, the port will block the client from further network access until it can be authenticated.
On a port configured for 802.1X with RADIUS authentication, if the RADIUS server specifies a VLAN for the supplicant and the port is a trunk member, the port will be blocked. If the port is removed from the trunk, the port will try to authenticate the supplicant. If authentication is successful, the port becomes unblocked. Similarly, if the supplicant is authenticated and later the port becomes a trunk member, the port will be blocked. If the port is removed from the trunk, it tries to reauthenticate the supplicant. If successful, the port becomes unblocked.
- To help maintain security, 802.1X and LACP cannot both be enabled on the same port. If you try to configure 802.1X on a port already configured for LACP (or the reverse), you will see a message similar to the following:
Error configuring port X: LACP and 802.1X cannot be run together.