Access Security Guide K/KA/KB.15.15

15 Port-Based and User-Based Access Control (802.1X)
Configuring Port-Based Access
Why Use Port-Based or User-Based Access Control?
Local Area Networks are often deployed in a way that allows unauthorized clients to attach to
network devices, or allows unauthorized users to get access to unattended clients on a network.
Also, the use of DHCP services and zero configuration make access to networking services easily
available. This exposes the network to unauthorized use and malicious attacks. While access to
the network should be made easy, uncontrolled and unauthorized access is usually not desirable.
802.1X simplifies security management by providing access control along with the ability to control
user profiles from up to three RADIUS servers, while allowing a given user to gain access from multiple
points within the network by entering the same valid user credentials.
User Authentication Methods
The switch offers two methods for using 802.1X access control. Generally, the “Port Based” method
supports one 802.1X-authenticated client on a port, which opens the port to an unlimited number
of clients. The “User-Based” method supports up to 32 802.1X-authenticated clients on a port. In
both cases, there are operating details to be aware of that can influence your choice of methods.
802.1X User-Based Access Control
802.1X operation with access control on a per-user basis provides client-level security that allows
LAN access to individual 802.1X clients (up to 32 per port), where each client gains access to the
LAN by entering valid user credentials. This operation improves security by opening a given port
only to individually authenticated clients, while simultaneously blocking access to the same port
for clients that cannot be authenticated. All sessions must use the same untagged VLAN (unless
MAC-based VLANs are enabled; see “MAC-based VLANs” (page 197)). Also, an authenticated
client can use any tagged VLAN memberships statically configured on the port, provided the client
is configured to use the tagged VLAN memberships available on the port. (Note that the session
total includes any sessions begun by the Web Authentication or MAC Authentication.) See “Option
for authenticator ports: configure port-security to allow only 802.1X-authenticated devices”
(page 350).
802.1X Port-Based Access Control
802.1X port-based access control provides port-level security that allows LAN access only on ports
where a single 802.1X-capable client (supplicant) has entered authorized RADIUS user credentials.
For reasons outlined below, this option is recommended for applications where only one client at
a time can connect to the port. Using this option, the port processes all IP traffic as if it comes from
the same client. Thus, in a topology where multiple clients can connect to the same port at the same
time:
If the first client authenticates and opens the port, and then another client authenticates, the
port responds as if the original client has initiated a reauthentication. With multiple clients
authenticating on the port, the RADIUS configuration response to the latest client authentication
replaces any other configuration from an earlier client authentication. If all clients use the same
configuration this should not be a problem. But if the RADIUS server responds with different
configurations for different clients, then the last client authenticated will effectively lock out
any previously authenticated client. When any authenticated client closes its session, the port
will also close and remain closed until another client successfully authenticates.
The most recent client authentication determines the untagged VLAN membership for the port.
Also, any client able to use the port can access any tagged VLAN memberships statically
Configuring Port-Based Access 455
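As an added illustration (not from the guide), the following Python model of a single authenticator port reproduces the behaviour described in the two sections above: in port-based mode the latest client's RADIUS-assigned untagged VLAN replaces the earlier one and any session closing closes the port, while in user-based mode each of up to 32 clients is authorized individually on one shared untagged VLAN. The class, client names and VLAN numbers are constructed assumptions; MAC-based VLANs and tagged memberships are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Port8021X:
    mode: str                                  # "port-based" or "user-based"
    client_limit: int = 32                     # user-based cap stated in the guide
    is_open: bool = False                      # port-based: opened by an authenticated client
    untagged_vlan: Optional[int] = None        # VLAN applied from the RADIUS response (assumed)
    sessions: Dict[str, int] = field(default_factory=dict)  # client -> assigned VLAN

    def authenticate(self, client: str, radius_vlan: int) -> bool:
        if self.mode == "port-based":
            # The latest authentication replaces any earlier client's RADIUS configuration.
            self.is_open, self.untagged_vlan = True, radius_vlan
            self.sessions[client] = radius_vlan
            return True
        # User-based: sessions share one untagged VLAN, at most client_limit of them.
        if self.untagged_vlan is not None and radius_vlan != self.untagged_vlan:
            return False
        if len(self.sessions) >= self.client_limit:
            return False
        self.untagged_vlan = radius_vlan
        self.sessions[client] = radius_vlan
        return True

    def logoff(self, client: str) -> None:
        self.sessions.pop(client, None)
        if self.mode == "port-based":
            # Any session closing closes the whole port until someone re-authenticates.
            self.is_open, self.untagged_vlan = False, None
        elif not self.sessions:
            self.untagged_vlan = None

    def can_forward(self, client: str, vlan: int) -> bool:
        if self.mode == "port-based":
            return self.is_open and vlan == self.untagged_vlan
        return client in self.sessions and vlan == self.untagged_vlan

def shared_port_scenario(mode: str) -> Tuple[bool, bool]:
    """Client A (VLAN 10) then client B (VLAN 20) on one port; returns whether A's
    VLAN-10 traffic is still forwarded after B authenticates and after B logs off."""
    port = Port8021X(mode)
    port.authenticate("A", 10)
    port.authenticate("B", 20)           # different RADIUS configuration than A
    a_after_b_auth = port.can_forward("A", 10)
    port.logoff("B")
    return a_after_b_auth, port.can_forward("A", 10)
```

Running `shared_port_scenario("port-based")` shows A locked out once B authenticates and still locked out after B leaves, whereas the user-based port keeps A's session and simply rejects B's mismatched VLAN.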