10-4
Configuring Port-Based and User-Based Access Control (802.1X)
Overview
• Port-Based access control option allowing authentication by a single
client to open the port. This option does not force a client limit and,
on a port opened by an authenticated client, allows unlimited client
access without requiring further authentication.
• Supplicant implementation using CHAP authentication and indepen-
dent user credentials on each port.
■ The local operator password configured with the password command for
management access to the switch is no longer accepted as an 802.1X
authenticator credential. The password port-access command configures
the local operator username and password used as 802.1X authentication
credentials for access to the switch. The values configured can be stored
in a configuration file using the include-credentials command. For infor-
mation about the password port-access command, see “Do These Steps
Before You Configure 802.1X Operation” on page 10-14.
■ On-demand change of a port’s configured VLAN membership status to
support the current client session.
■ Session accounting with a RADIUS server, including the accounting
update interval.
■ Use of Show commands to display session counters.
■ Support for concurrent use of 802.1X and either Web authentication or
MAC authentication on the same port.
■ For unauthenticated clients that do not have the necessary 802.1X suppli-
cant software (or for other reasons related to unauthenticated clients),
there is the option to configure an Unauthorized-Client VLAN. This mode
allows you to assign unauthenticated clients to an isolated VLAN through
which you can provide the necessary supplicant software and/or other
services you want to extend to these clients.
User Authentication Methods
The switch offers two methods for using 802.1X access control. Generally, the
“Port Based” method supports one 802.1X-authenticated client on a port,
which opens the port to an unlimited number of clients. The “User-Based”
method supports up to 32 802.1X-authenticated clients on a port. In both cases,
there are operating details to be aware of that can influence your choice of
methods.
802.1X User-Based Access Control
802.1X operation with access control on a per-user basis provides client-level
security that allows LAN access to individual 802.1X clients (up to 32 per port),
where each client gains access to the LAN by entering valid user credentials.
