General Features

802.1X on the switches covered in this guide includes the following:

  • Switch operation as both an authenticator (for supplicants having a point-to-point connection to the switch) and as a supplicant for point-to-point connections to other 802.1X-aware switches.
    • Authentication of 802.1X access using a RADIUS server and either the EAP or CHAP protocol.

    • Provision for enabling clients that do not have 802.1X supplicant software to use the switch as a path for downloading the software and initiating the authentication process (802.1X Open VLAN mode).

    • User-Based access control option with support for up to 32 authenticated clients per port.

    • Port-Based access control option allowing authentication by a single client to open the port. This option does not enforce a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication.

    • Supplicant implementation using CHAP authentication and independent user credentials on each port.

  • The local operator password configured with the password command for management access to the switch is no longer accepted as an 802.1X authenticator credential. The password port-access command configures the local operator user name and password used as 802.1X authentication credentials for access to the switch. The values configured can be stored in a configuration file using the include-credentials command. For information about the password port-access command, see General Setup Procedure for 802.1X Access Control.

  • On-demand change of a port’s configured VLAN membership status to support the current client session.

  • Session accounting with a RADIUS server, including the accounting update interval.

  • Use of show commands to display session counters.

  • Support for concurrent use of 802.1X and either Web authentication or MAC authentication on the same port.

  • For unauthenticated clients that do not have the necessary 802.1X supplicant software (or for other reasons related to unauthenticated clients), there is the option to configure an Unauthorized-Client VLAN. This mode allows you to assign unauthenticated clients to an isolated VLAN through which you can provide the necessary supplicant software and other services you want to extend to these clients.
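
The difference between the Port-Based and User-Based options, together with the Unauthorized-Client VLAN, is easiest to see in a configuration. The following is an added example, not taken from this guide: the RADIUS address, shared-secret placeholder, port numbers, and VLAN ID are constructed, and lines beginning with ";" are annotations.

```text
; Constructed values: RADIUS server 192.0.2.10, ports 1-8, VLAN 100.
; Replace <shared-secret> with the key configured on the RADIUS server.
radius-server host 192.0.2.10 key <shared-secret>
aaa authentication port-access eap-radius

; Enable the authenticator role on the edge ports.
aaa port-access authenticator 1-8

; Port-Based: no client limit. Once one client authenticates, every
; device reachable through the port (for example behind an unmanaged
; hub or switch) has access without authenticating.
no aaa port-access authenticator 1-4 client-limit

; User-Based: each client must authenticate on its own. The limit can
; be 1 to 32; 1 restricts the port to a single authenticated device.
aaa port-access authenticator 5-8 client-limit 1

; Unauthorized-Client VLAN: unauthenticated clients on ports 5-8 are
; placed in isolated VLAN 100 (for example to download supplicant
; software) instead of a production VLAN.
aaa port-access authenticator 5-8 unauth-vid 100

; Activate 802.1X authentication on the configured ports.
aaa port-access authenticator active

; Review the resulting per-port settings.
show port-access authenticator
```

Ports left in Port-Based mode are best limited to locations where only one device can physically attach, since the switch does not challenge additional clients on an already opened port.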