Access Security Guide K/KA/KB.15.15

Figure 344 The Active Configuration for VLAN 33 Temporarily Drops Port A2 for the 802.1X Session
When the 802.1X client’s session on port A2 ends, the port removes the temporary untagged
VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on
the port becomes available again. Therefore, when the RADIUS-authenticated 802.1X session on
port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port
A2 is restored as shown in Figure 345 (page 477).
Figure 345 The Active Configuration for VLAN 33 Restores Port A2 After the 802.1X Session Ends
Port-Security
NOTE: If 802.1X port-access is configured on a given port, then port-security learnmode for that
port must be set to either continuous (the default) or port-access.
In addition to the above, to use port-security on an authenticator port, use the per-port client-limit
option to control how many MAC addresses of 802.1X-authenticated devices the port is allowed
to learn. (Using client-limit sets 802.1X to user-based operation on the specified ports.) When this
limit is reached, no further devices can be authenticated until a currently authenticated device
disconnects and the current delay period or logoff period has expired.
Configure the port access type.
Syntax
aaa port-access authenticator <port-list> client-limit <1-32>
Configures user-based 802.1X authentication on the specified ports and sets the
number of authenticated devices the port is allowed to learn. For more on this
command, see “Configuring Switch Ports as 802.1X Authenticators” (page 458).
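The following CLI sequence is an added example, not taken from the guide, showing how the client-limit option and the port-security learn-mode requirement above fit together on one authenticator port. Port A2, a limit of 3 clients, and the learn-mode port-access setting are assumptions chosen for illustration; the port-security and show commands are standard switch commands but are not quoted from this page.

```text
; Assumed example: 802.1X authenticator on port A2 with a 3-client limit.
; Setting client-limit switches the port to user-based 802.1X operation.
ProCurve(config)# aaa port-access authenticator A2 client-limit 3

; Port-security on an 802.1X port must use learn-mode continuous (default)
; or port-access; port-access is chosen here so only authenticated MACs are learned.
ProCurve(config)# port-security A2 learn-mode port-access

; Verify the result: once 3 devices are authenticated, a 4th is refused
; until one disconnects and its delay or logoff period has expired.
ProCurve(config)# show port-access authenticator A2
```

If learn-mode on the port is left at a value other than continuous or port-access (for example static), the authenticator configuration conflicts with port-security, so check the learn-mode before enabling 802.1X on a port that already has port-security configured.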
Configuring Port-Based Access 477