Access Security Guide K/KA/KB.15.15

802.1X User-based access control
802.1X operation with access control on a per-user basis provides client-level security that allows
LAN access to individual 802.1X clients (up to 32 per port), where each client gains access to the
LAN by entering valid user credentials. This operation improves security by opening a given port
only to individually authenticated clients, while simultaneously blocking access to the same port
for clients that cannot be authenticated. All sessions must use the same untagged VLAN. Also, an
authenticated client can use any tagged VLAN memberships statically configured on the port,
provided the client is configured to use the tagged VLAN memberships available on the port. Note:
The session total includes any sessions begun by the Web Authentication or MAC Authentication
features covered in “Option for authenticator ports: configure port-security to allow only
802.1X-authenticated devices” (page 350).
802.1X Port-based access control
802.1X port-based access control provides port-level security that allows LAN access only on ports
where a single 802.1X-capable client (supplicant) has entered authorized RADIUS user credentials.
For reasons outlined below, this option is recommended for applications where only one client at
a time can connect to the port. Using this option, the port processes all IP traffic as if it comes from
the same client. Thus, in a topology where multiple clients can connect to the same port at the same
time:
If the first client authenticates and opens the port, and then another client authenticates, the
port responds as if the original client has initiated a reauthentication. With multiple clients
authenticating on the port, the RADIUS configuration response to the latest client authentication
replaces any other configuration from an earlier client authentication. If all clients use the same
configuration this should not be a problem. But if the RADIUS server responds with different
configurations for different clients, then the last client authenticated will effectively lock out
any previously authenticated client. When any authenticated client closes its session, the port
also closes and remains closed until another client successfully authenticates.
The most recent client authentication determines the untagged VLAN membership for the port.
Also, any client able to use the port can access any tagged VLAN memberships statically
configured on the port, provided the client is configured to use the available, tagged VLAN
memberships.
If the first client authenticates and opens the port, and then one or more other clients connect
without trying to authenticate, then the port configuration as determined by the original RADIUS
response remains unchanged and all such clients will have the same access as the authenticated
client. When the authenticated client closes the session, the port will also be closed to any
other, unauthenticated clients that may have also been using the port.
This operation unblocks the port while an authenticated client session is in progress. In topologies
where simultaneous, multiple client access is possible this can allow unauthorized and
unauthenticated access by another client while an authenticated client is using the port. If you want
to allow only authenticated clients on the port, then user-based access control should be used
instead of port-based access control. Using the user-based method enables you to specify up to
32 authenticated clients. See “802.1X User-based access control” (page 338).
NOTE: Port-Based 802.1X can operate concurrently with Web-Authentication or
MAC-Authentication on the same port. However, this is not a commonly used application and is
not generally recommended. For more information, see “Operating notes and guidelines” (page 102).
Alternative to using a RADIUS server
Note that you can also configure 802.1X for authentication through the switch local username and
password instead of a RADIUS server, but doing so increases the administrative burden,
decentralizes user credential administration, and reduces security by limiting authentication to one
Operator password set for all users.
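The following is an added configuration example, not text from this guide, that puts the two authenticator modes described above side by side, together with the local-password alternative discussed in this subsection. It uses the ProCurve CLI command family this guide covers (aaa port-access authenticator, client-limit, aaa authentication port-access, radius-server host); the port numbers, RADIUS server address and shared secret are placeholders, and the exact command syntax should be checked against the command reference for your software version. Lines beginning with # are annotations, not CLI input.

```text
# --- Common: authenticate 802.1X supplicants against a RADIUS server ---
# 192.0.2.10 and MyRadiusSecret are placeholder values for this example.
ProCurve(config)# radius-server host 192.0.2.10 key MyRadiusSecret
ProCurve(config)# aaa authentication port-access eap-radius

# --- Port 1: port-based mode (the default when no client-limit is set) ---
# Weak where more than one device can share the port: the first client
# to authenticate opens the port for everything behind it, and the latest
# RADIUS response overrides the untagged VLAN for all of them.
ProCurve(config)# aaa port-access authenticator 1
# Explicitly revert a port to port-based mode if a client-limit was set:
ProCurve(config)# no aaa port-access authenticator 1 client-limit

# --- Port 2: user-based mode (up to 32 individually authenticated clients) ---
# Setting a client-limit switches the port to user-based operation, so an
# unauthenticated device behind an authenticated one stays blocked.
# Remember that web-auth and MAC-auth sessions count toward this limit.
ProCurve(config)# aaa port-access authenticator 2
ProCurve(config)# aaa port-access authenticator 2 client-limit 32

# --- Activate the authenticator on the configured ports ---
ProCurve(config)# aaa port-access authenticator active

# --- Verify mode and authenticated sessions per port ---
ProCurve(config)# show port-access authenticator 1-2
ProCurve(config)# show port-access authenticator 1-2 clients

# --- Alternative this guide advises against: switch-local authentication ---
# Replaces eap-radius. Every supplicant then presents the single Operator
# credential, which is why the guide calls this option less secure.
ProCurve(config)# aaa authentication port-access local
```

The security-relevant check is the client-limit line: if `show port-access authenticator` reports a port without a client limit on a link where a hub, unmanaged switch or IP phone can put more than one device behind it, that port is in port-based mode and an unauthenticated device can ride on another client's session exactly as described above.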
338 IPv4 Access Control Lists (ACLs)