Viewing 802.1X Open VLAN mode status

You can examine the switch’s current VLAN status by using the show port-access authenticator vlan and show port-access authenticator <port-list> commands as shown in this section. The table describes the data that these two commands display. Example showing a VLAN with ports configured for Open VLAN mode shows related VLAN data that can help you to see how the switch is using statically configured VLANs to support 802.1X operation.

Figure 127: Example showing ports configured for Open VLAN mode

Notes on the above image:

  • When the Auth VLAN ID is configured and matches the Current VLAN ID, an authenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN.)

  • When the Unauth VLAN ID is configured and matches the Current VLAN ID, an unauthenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Unauth VLAN.)

NOTE:

Because a temporary Open VLAN port assignment to either an authorized or unauthorized VLAN is an untagged VLAN membership, these assignments temporarily replace any other untagged VLAN membership that is statically configured on the port. For example, if port 12 is statically configured as an untagged member of VLAN 1, but is configured to use VLAN 25 as an authorized VLAN, then the port’s membership in VLAN 1 will be temporarily suspended whenever an authenticated 802.1X client is attached to the port.

Table 42: Output for determining Open VLAN mode status

Status Indicator

Meaning

Access Control

This state is controlled by the following port-access Command syntax:
Switch(config)# aaa port-access authenticator <port-list> control <authorized|auto|unauthorized>
                
Auto: Configures the port to allow network access to any connected device that supports 802.1X authentication and provides valid 802.1X credentials. (This is the default authenticator setting.)Authorized: Configures the port for “Force Authorized”, which allows access to any device connected to the port, regardless of whether it meets 802.1X criteria. (You can still configure console, Telnet, or SSH security on the port.)Unauthorized: Configures the port for “Force Unauthorized”, which blocks access to any device connected to the port, regardless of whether the device meets 802.1X criteria.

Unauthorized VLAN ID

<vlan-id>: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port.0: No unauthorized VLAN has been configured for the indicated port.

Authorized VLAN ID

<vlan-id>: Lists the VID of the static VLAN configured as the authorized VLAN for the indicated port.0: No authorized VLAN has been configured for the indicated port.

Status

Closed: Either no client is connected or the connected client has not received authorization through 802.1X authentication.Open: An authorized 802.1X supplicant is connected to the port.

Current VLAN ID

<vlan-id>: Lists the VID of the static, untagged VLAN to which the port currently belongs.No PVID: The port is not an untagged member of any VLAN.

Current Port CoS

See RADIUS Authentication, Authorization, and Accounting.

% Curr. Rate Limit Inbound

Syntax:


show vlan <vlan-id>

Displays the port status for the selected VLAN, including an indication of which port memberships have been temporarily overridden by Open VLAN mode.

Figure 128: Example showing a VLAN with ports configured for Open VLAN mode