RADIUS-assigned VLAN, then an authenticated client without tagged
VLAN capability can access only a statically configured, untagged
VLAN on that port.)
When a client's authentication attempt on an Unauthorized-Client
VLAN fails, the port remains a member of the Unauthorized-Client
VLAN until the client disconnects from the port.
During an authentication session on a port in 802.1X Open VLAN
mode, if RADIUS specifies membership in an untagged VLAN, this
assignment overrides port membership in the Authorized-Client
VLAN. If there is no Authorized-Client VLAN configured, then the
RADIUS assignment overrides any untagged VLAN for which the port
is statically configured.
If the only authenticated client on a port loses authentication during a
session in 802.1X Open VLAN mode, the port VLAN membership reverts
back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client
VLAN configured, then the client loses access to the port until it can
reauthenticate itself. If there are multiple clients authenticated on the
port, if one client loses access and attempts to re-authenticate, that client
will be handled as a new client on the port.
The first client to authenticate on a port configured to support multiple
clients will determine the port's VLAN membership for any subsequent
clients that authenticate while an active session is already in effect.
Configuring Port-Based and Client-Based Access Control (802.1X)
802.1X Open VLAN Mode