Configuring Port-Based and Client-Based Access Control (802.1X)
Overview
10-4
•
Port-Based access control option allowing authentication by a single
client to open the port. This option does not force a client limit and,
on a port opened by an authenticated client, allows unlimited client
access without requiring further authentication.
•
Supplicant implementation using CHAP authentication and indepen
dent user credentials on each port.
Local authentication of 802.1X clients using the switch's local username
■
and password (as an alternative to RADIUS authentication).
■
On-demand change of a port's configured VLAN membership status to
support the current client session.
■
Session accounting with a RADIUS server, including the accounting
update interval.
Use of Show commands to display session counters.
■
■
Support for concurrent use of 802.1X and either Web authentication or
MAC authentication on the same port.
■
For unauthenticated clients that do not have the necessary 802.1X suppli
cant software (or for other reasons related to unauthenticated clients),
there is the option to configure an Unauthorized-Client VLAN. This mode
allows you to assign unauthenticated clients to an isolated VLAN through
which you can provide the necessary supplicant software and/or other
services you want to extend to these clients.
User Authentication Methods
The switch offers two methods for using 802.1X access control. Generally, the
"Port Based" method supports one 802.1X-authenticated client on a port,
which opens the port to an unlimited number of clients. The "Client-Based"
method supports up to 32 802.1X-authenticated clients on a port. In both cases,
there are operating details to be aware of that can influence your choice of
methods.
802.1X Client-Based Access Control
802.1X operation with access control on a per-client basis provides client-level
security that allows LAN access to individual 802.1X clients (up to 32 per port),
where each client gains access to the LAN by entering valid user credentials.
This operation improves security by opening a given port only to individually
authenticated clients, while simultaneously blocking access to the same port
for clients that cannot be authenticated. All sessions must use the same
untagged VLAN. Also, an authenticated client can use any tagged VLAN
memberships statically configured on the port, provided the client is config
ured to use the tagged VLAN memberships available on the port. (Note that