Access Security Guide K/KA/KB.15.15

• Guests cannot be authorized on any tagged VLANs.
• Guests can use the same bandwidth, rate limits and QoS settings that may be assigned for
authenticated clients on the port (via RADIUS attributes).
• When no authenticated clients are authorized on the untagged authenticated VLAN, the port
becomes an untagged member of the guest VLAN for as long as no untagged packets are
received from any authenticated clients on the port.
• New guest authorizations are not allowed on the port if at least one authenticated client is
authorized on its untagged VLAN and the guest VLAN is not the same as the authenticated
client’s untagged VLAN.
NOTE: If you disable mixed port access mode, this does not automatically remove guests that
have already been authorized on a port where an authenticated client exists. New guests are not
allowed after the change, but the existing authorized guests will still be authorized on the port until
they are removed by a new authentication, an untagged authorization, a port state change, and
so on.
Operating Notes
VLAN Assignment on a Port
During client authentication, a port assigned to a VLAN by a RADIUS server or an authorized-client
VLAN configuration is an untagged member of the VLAN for the duration of the authenticated
session. This applies even if the port is also configured in the switch as a tagged member of the
same VLAN. The following restrictions apply:
• If the port is assigned as a member of an untagged static VLAN, the VLAN must already be
configured on the switch. If the static VLAN configuration does not exist, the authentication
fails.
• If the port is assigned as a member of an untagged dynamic VLAN that was learned
through GVRP, the dynamic VLAN configuration must exist on the switch at the time of
authentication and GVRP-learned dynamic VLANs for port-access authentication must be
enabled. If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic
VLAN for authentication sessions on the switch, the authentication fails.
To enable the use of a GVRP-learned (dynamic) VLAN as the untagged VLAN used in an
authentication session, enter the aaa port-access gvrp-vlans command, as described in “Enabling
the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions” on page 13-76.
Enabling the use of dynamic VLANs in an authentication session offers the following benefits:
• You avoid the need to have static VLANs pre-configured on the switch.
• You can centralize the administration of user accounts (including user VLAN IDs) on a
RADIUS server. For information on how to enable the switch to dynamically create
802.1Q-compliant VLANs on links to other devices using the GARP VLAN Registration
Protocol (GVRP), see “GVRP” in the Advanced Traffic Management Guide.
For an authentication session to proceed, a port must be an untagged member of the (static
or dynamic) VLAN assigned by the RADIUS server (or an authorized-client VLAN configuration).
The port temporarily drops any current untagged VLAN membership. If the port is not already
a member of the RADIUS-assigned (static or dynamic) untagged VLAN, the switch temporarily
reassigns the port as an untagged member of the required VLAN (for the duration of the
session). At the same time, if the port is already configured as an untagged member of a
different VLAN, the port loses access to the other VLAN for the duration of the session. (A port
can be an untagged member of only one VLAN at a time.) When the authentication session
ends, the switch removes the temporary untagged VLAN assignment and re-activates the
temporarily disabled, untagged VLAN assignment.
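The rules above (guest authorizations in mixed port access mode, the static and GVRP-learned VLAN preconditions, and the temporary untagged VLAN assignment that displaces the port's configured untagged VLAN for the life of a session) can be checked against a small model. The following Python is an added illustration written for this page; it is not switch firmware and not an HP/ProCurve API. VLAN numbers and client names are constructed sample values, and the rule that a second client cannot be authorized on a different untagged VLAN than an already-authorized client is a modelling assumption drawn from the statement that a port can be an untagged member of only one VLAN at a time.

```python
"""Model of the 802.1X untagged-VLAN rules stated in the guide (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Switch:
    static_vlans: Set[int]                 # VLANs present in the static config
    dynamic_vlans: Set[int]                # VLANs learned through GVRP
    gvrp_vlans_enabled: bool = False       # 'aaa port-access gvrp-vlans' entered


@dataclass
class Port:
    configured_untagged_vlan: int          # untagged VLAN from the static config
    tagged_vlans: Set[int] = field(default_factory=set)
    guest_vlan: Optional[int] = None       # guest VLAN for unauthenticated clients
    mixed_mode: bool = False               # mixed port access mode on/off
    auth_clients: Dict[str, int] = field(default_factory=dict)  # client -> VLAN
    guest_clients: Set[str] = field(default_factory=set)

    def session_vlan(self) -> Optional[int]:
        """Untagged VLAN of the current authenticated session, if any."""
        return next(iter(self.auth_clients.values()), None)

    def current_untagged_vlan(self) -> int:
        """The single VLAN the port is an untagged member of right now."""
        if self.auth_clients:
            return self.session_vlan()
        if self.guest_clients and self.guest_vlan is not None:
            return self.guest_vlan
        return self.configured_untagged_vlan

    def temporarily_disabled_vlan(self) -> Optional[int]:
        """Configured untagged VLAN the port loses access to during a session."""
        if self.current_untagged_vlan() != self.configured_untagged_vlan:
            return self.configured_untagged_vlan
        return None


def authenticate(sw: Switch, port: Port, client: str, vlan: int) -> Tuple[bool, str]:
    """RADIUS (or authorized-client VLAN) assignment of an untagged VLAN."""
    if vlan in sw.static_vlans:
        pass                                # static VLAN exists: allowed
    elif vlan in sw.dynamic_vlans:
        if not sw.gvrp_vlans_enabled:       # dynamic VLAN needs gvrp-vlans enabled
            return False, "dynamic VLAN %d not enabled for port-access authentication" % vlan
    else:
        return False, "VLAN %d is not configured on the switch" % vlan
    existing = port.session_vlan()
    if existing is not None and existing != vlan:
        # Modelling assumption: one untagged VLAN per port at a time.
        return False, "port already authorized untagged on VLAN %d" % existing
    port.auth_clients[client] = vlan
    if vlan != port.guest_vlan:
        port.guest_clients.clear()          # untagged authorization removes guests
    return True, "client %s authorized untagged on VLAN %d" % (client, vlan)


def authorize_guest(port: Port, client: str) -> Tuple[bool, str]:
    """Guest authorization onto the port's guest VLAN."""
    if port.guest_vlan is None:
        return False, "no guest VLAN configured"
    if port.guest_vlan in port.tagged_vlans:
        return False, "guests cannot be authorized on a tagged VLAN"
    session = port.session_vlan()
    if session is not None:
        if not port.mixed_mode:
            return False, "authenticated client present and mixed mode is off"
        if session != port.guest_vlan:
            return False, "authenticated client is untagged on VLAN %d, not the guest VLAN" % session
    port.guest_clients.add(client)
    return True, "guest %s authorized on VLAN %d" % (client, port.guest_vlan)


def end_session(port: Port, client: str) -> None:
    """Session end: the temporary assignment drops, the configured VLAN returns."""
    port.auth_clients.pop(client, None)
    port.guest_clients.discard(client)


def walkthrough() -> List[object]:
    """Constructed scenario; records each decision and the resulting untagged VLAN."""
    sw = Switch(static_vlans={1, 10, 20}, dynamic_vlans={30})
    port = Port(configured_untagged_vlan=1, tagged_vlans={10}, guest_vlan=20, mixed_mode=True)
    trace: List[object] = []
    trace.append(authenticate(sw, port, "alice", 30)[0])   # False: gvrp-vlans off
    sw.gvrp_vlans_enabled = True
    trace.append(authenticate(sw, port, "alice", 30)[0])   # True
    trace.append(port.current_untagged_vlan())             # 30 (VLAN 1 disabled)
    trace.append(authorize_guest(port, "bob")[0])          # False: 30 is not guest VLAN 20
    end_session(port, "alice")
    trace.append(port.current_untagged_vlan())             # 1 restored
    trace.append(authorize_guest(port, "bob")[0])          # True: no authenticated client
    trace.append(port.current_untagged_vlan())             # 20
    return trace


if __name__ == "__main__":
    print(walkthrough())
```

Running `walkthrough()` follows one port through the cases the text describes: the dynamic VLAN is refused until gvrp-vlans is enabled, the configured untagged VLAN 1 is displaced while the session on VLAN 30 is active, guests are refused while that session holds a VLAN other than the guest VLAN, and membership falls back to VLAN 1 (and then to the guest VLAN) once the session ends.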
If GVRP is already enabled on the switch, the temporary untagged (static or dynamic) VLAN
created on the port for the authentication session is advertised as an existing VLAN. If this
temporary VLAN assignment causes the switch to disable a different untagged static or dynamic
496 Port-Based and User-Based Access Control (802.1X)