Cisco Small Business 200 Series Administration Manual page 272

Small business 200 series smart switch

Security: 802.1X Authentication
Authenticator Overview
When a port is unauthorized and a guest VLAN is enabled, untagged traffic is remapped to the guest
VLAN. Tagged traffic is dropped unless it belongs to the guest VLAN or to an unauthenticated VLAN.
If guest VLAN is not enabled on a port, only tagged traffic belonging to unauthenticated VLANs is
bridged.
When a port is authorized, untagged and tagged traffic from all hosts connected to the port is
bridged, based on the static VLAN membership port configuration.
You can specify that untagged traffic from the authorized port is remapped to a VLAN that is
assigned by a RADIUS server during the authentication process. Tagged traffic is dropped unless it
belongs to the RADIUS-assigned VLAN or to the unauthenticated VLANs. RADIUS VLAN assignment
on a port is set in the Port Authentication page.
Multi-Sessions Mode
Unlike the single-host and multi-host modes, a port in the multi-sessions mode does not have an
authentication status. Instead, the status is assigned to each client connected to the port. This mode
requires a TCAM lookup. Since Layer 3 mode switches do not have a TCAM lookup allocated for
multi-sessions mode, they support a limited form of multi-sessions mode, which does not support guest
VLAN and RADIUS VLAN attributes. The maximum number of authorized hosts allowed on the port is
configured in the Port Authentication page.
Tagged traffic belonging to an unauthenticated VLAN is always bridged regardless of whether the
host is authorized or not.
Tagged and untagged traffic from unauthorized hosts not belonging to an unauthenticated VLAN is
remapped to the guest VLAN if it is defined and enabled on the VLAN, or is dropped if the guest
VLAN is not enabled on the port.
If an authorized host is assigned a VLAN by a RADIUS server, all its tagged and untagged traffic not
belonging to the unauthenticated VLANs is bridged via the VLAN; if the VLAN is not assigned, all its
traffic is bridged based on the static VLAN membership port configuration.
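
The multi-sessions rules above can be checked as a per-frame decision function. This is an added example, not Cisco code: the class and function names are hypothetical, and the static-membership case is modelled with an assumed PVID for untagged frames and a set of statically allowed tags. The audit helper lists every VLAN an unauthorized host can reach on a port.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class PortConfig:                      # hypothetical model, not a switch API
    unauth_vlans: Set[int] = field(default_factory=set)  # "unauthenticated" VLANs
    guest_vlan: Optional[int] = None   # None = guest VLAN not enabled on the port
    static_vlans: Set[int] = field(default_factory=set)  # assumed static tagged membership
    pvid: int = 1                      # assumed VLAN for untagged frames (static config)

@dataclass
class Host:
    authorized: bool = False
    radius_vlan: Optional[int] = None  # VLAN assigned by the RADIUS server, if any

def classify(port, host, tag):
    """Return ('bridge', vlan) or ('drop', None); tag=None means an untagged frame."""
    # Tagged traffic in an unauthenticated VLAN is always bridged.
    if tag is not None and tag in port.unauth_vlans:
        return ("bridge", tag)
    if not host.authorized:
        # Everything else from an unauthorized host goes to the guest VLAN,
        # or is dropped when no guest VLAN is enabled on the port.
        if port.guest_vlan is not None:
            return ("bridge", port.guest_vlan)
        return ("drop", None)
    if host.radius_vlan is not None:
        # Authorized host with a RADIUS-assigned VLAN: bridged via that VLAN.
        return ("bridge", host.radius_vlan)
    # Authorized host, no RADIUS VLAN: static VLAN membership decides.
    if tag is None:
        return ("bridge", port.pvid)
    return ("bridge", tag) if tag in port.static_vlans else ("drop", None)

def vlans_reachable_unauthenticated(port):
    """Audit helper: every VLAN an unauthorized host can get frames bridged into."""
    host = Host(authorized=False)
    reached = set()
    for tag in [None, *range(1, 4095)]:        # untagged plus all valid VLAN IDs
        action, vlan = classify(port, host, tag)
        if action == "bridge":
            reached.add(vlan)
    return reached

if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real switch.
    port = PortConfig(unauth_vlans={50}, guest_vlan=99, static_vlans={10, 20}, pvid=10)
    print(sorted(vlans_reachable_unauthenticated(port)))
```

Running the audit over each port's configuration shows which VLANs need to be treated as exposed to unauthenticated devices.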
802.1x-Based Authentication
The 802.1x-based authenticator transparently relays EAP messages between 802.1x supplicants and
authentication servers. The EAP messages between supplicants and the authenticator are encapsulated
in 802.1x messages, and the EAP messages between the authenticator and authentication servers
are encapsulated in RADIUS messages.
Cisco Small Business 200 Series Smart Switch Administration Guide