port), where each client gains access to the LAN by entering a username and
password. This extension improves security by opening a given port only to
individually authenticated clients, while simultaneously blocking access to
the same port for clients that cannot be authenticated. Note that you can use
the switch's port-security feature to limit the number of MAC addresses of
802.1X devices the port is allowed to learn. For more information, refer to
"Option For Authenticator Ports: Configure Port-Security To Allow Only
802.1X-Authenticated Devices" on page 10-36.
Alternative To a RADIUS Server. Note that you can also configure 802.1X
for authentication through the switch's local username and password instead
of a RADIUS server, but doing so increases the administrative burden,
decentralizes username/password administration, and reduces security by limiting
authentication to one Operator password set for all users.
Accounting. The switches covered by this guide also provide RADIUS
Network accounting for 802.1X access. Refer to chapter 6, "RADIUS
Authentication and Accounting".
Terminology
802.1X-Aware: Refers to a device that is running either 802.1X authenticator
software or 802.1X client software and is capable of interacting with other
devices on the basis of the IEEE 802.1X standard.
Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a
conventional, static VLAN previously configured on the switch by the
System Administrator. The intent in using this VLAN is to provide
authenticated clients with network services that are not available on either the
port's statically configured VLAN memberships or any VLAN
memberships that may be assigned during the RADIUS authentication process.
While an 802.1X port is a member of this VLAN, the port is untagged. When
a port loses its authenticated client connection, it drops its membership
in this VLAN. Note that with multiple clients on a port, all such clients use
the same untagged, port-based VLAN membership.
Authentication Server: The entity providing an authentication service to
the switch when the switch is configured to operate as an authenticator.
In the case of a switch running 802.1X, this is a RADIUS server (unless
Configuring Port-Based and Client-Based Access Control (802.1X)
Terminology
10-5