Access Security Guide K/KA/KB.15.15

Table 54 802.1X per-port configuration

802.1X Per-Port Configuration: No Open VLAN mode:
Port Response: The port automatically blocks a client that cannot initiate an authentication session.

802.1X Per-Port Configuration: Open VLAN mode with both of the following configured:
Unauthorized-Client VLAN
Port Response:
When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this VLAN. If you previously configured the port as a static, tagged member of the VLAN, membership temporarily changes to untagged while the client remains unauthenticated.

If the port already has a statically configured, untagged membership in another VLAN, then the port temporarily closes access to this other VLAN while in the Unauthorized-Client VLAN.

To limit security risks, the network services and access available on the Unauthorized-Client VLAN should include only what a client needs to enable an authentication session. If the port is statically configured as a tagged member of any other VLANs, access to these VLANs is blocked while the port is a member of the Unauthorized-Client VLAN.

Note for a Port Configured To Allow Multiple Client Sessions: If any previously authenticated clients are using a port assigned to a VLAN other than the Unauthorized-Client VLAN, then a later client that is not running 802.1X supplicant software is blocked on the port until all other, authenticated clients on the port have disconnected.
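The port responses above, expressed as a small Python model for reasoning about what a non-supplicant client can reach. This is an added illustration, not switch CLI or vendor code; the class names, field names and VLAN IDs are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class PortConfig:
    """Constructed model of one port; field names are hypothetical."""
    untagged_vlan: Optional[int] = None                  # static untagged membership
    tagged_vlans: Set[int] = field(default_factory=set)  # static tagged memberships
    unauth_vid: Optional[int] = None          # Unauthorized-Client VLAN; None = no Open VLAN mode
    authed_client_vlan: Optional[int] = None  # VLAN used by clients already authenticated on the port


@dataclass
class Outcome:
    blocked: bool                 # True: the non-supplicant client gets no access
    untagged_vlan: Optional[int]  # VLAN the port temporarily joins as untagged
    suspended: Set[int]           # static memberships closed while unauthenticated
    reason: str


def non_supplicant_outcome(port: PortConfig) -> Outcome:
    """Port response to a client that has no 802.1X supplicant capability."""
    if port.unauth_vid is None:
        return Outcome(True, None, set(), "no Open VLAN mode")
    # Multiple-client note: authenticated clients in another VLAN block the newcomer.
    if port.authed_client_vlan not in (None, port.unauth_vid):
        return Outcome(True, None, set(),
                       "authenticated clients hold the port in another VLAN")
    static = set(port.tagged_vlans)
    if port.untagged_vlan is not None:
        static.add(port.untagged_vlan)
    # Every static membership except the Unauthorized-Client VLAN is closed;
    # a static tagged membership in that VLAN becomes untagged for now.
    return Outcome(False, port.unauth_vid, static - {port.unauth_vid},
                   "untagged member of Unauthorized-Client VLAN")


if __name__ == "__main__":
    # Constructed sample ports: VLAN 99 plays the Unauthorized-Client VLAN.
    samples = {
        "A1": PortConfig(untagged_vlan=10),
        "A2": PortConfig(untagged_vlan=10, tagged_vlans={20, 99}, unauth_vid=99),
        "A3": PortConfig(untagged_vlan=10, unauth_vid=99, authed_client_vlan=10),
    }
    for name, cfg in samples.items():
        print(name, non_supplicant_outcome(cfg))
```

The `suspended` set is the list of VLANs to confirm are unreachable from the Unauthorized-Client VLAN when reviewing a port's configuration.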
488 Port-Based and User-Based Access Control (802.1X)