Cisco SF302-08PP 8-port 10/100 PoE+ Managed Switch Technical Reference
802.1X Commands
78-21485-01 Command Line Interface Reference Guide
If a RADIUS server assigns a client with a non-existing VLAN, the switch creates
the VLAN. The VLAN is removed when it is no longer being used.
If RADIUS provides valid VLAN information and the port does not belong to the
VLAN received from RADIUS, it is added to the VLAN as an egress untagged port.
When the last authorized client assigned to the VLAN becomes unauthorized or
802.1x is disabled on the port, the port is excluded from the VLAN.
If the authentication mode is single-host or multi-host, the value of PVID is set to
the VLAN_ID.
If the authentication mode is multi-sessions mode, the PVID is not changed and all
untagged traffic and tagged traffic not belonging to the unauthenticated VLANs
are mapped to the VLAN using TCAM. See the User Guidelines of the dot1x
host-mode command for more information.
If 802.1X is disabled, the port static configuration is reset.
If an authorized port in the single-host or multi-host mode changes its status to
unauthorized, the port static configuration is reset.
If the last authorized host assigned to a VLAN received from RADIUS connected to
a port in the multi-sessions mode changes its status to unauthorized, the port is
removed from the VLAN if it is not in the static configuration.
If the reject keyword is configured and the RADIUS server authorizes the host but
the RADIUS accept message does not assign a VLAN to the supplicant,
authentication is rejected.
If the static keyword is configured and the RADIUS server authorizes the host,
then even though the RADIUS accept message does not assign a VLAN to the
supplicant, authentication is accepted and the traffic from the host is bridged in
accordance with the port static configuration.
If this command is used when there are authorized ports/hosts, it takes effect at
subsequent authentications. To manually re-authenticate, use the
command.
Example
Example 1. This example enables user-based VLAN assignment. If the RADIUS
server authorized the supplicant, but did not provide a supplicant VLAN, the
supplicant is rejected.
switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# dot1x radius-attributes vlan
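
The user guidelines above, modelled as an added Python example (not Cisco code and not part of the original guide): it tracks how a RADIUS-assigned VLAN changes a port's PVID and VLAN membership in each host mode, and what the reject and static keywords do when no VLAN is assigned. The class names, the no_vlan field, and the rule that a dynamically created VLAN counts as in use while any port is a member are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    host_mode: str                 # "single-host", "multi-host" or "multi-sessions"
    no_vlan: str                   # keyword in effect: "reject" or "static"
    static_pvid: int
    static_vlans: frozenset
    pvid: int = 0
    vlans: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)   # client -> RADIUS VLAN or None

    def __post_init__(self):
        self.reset()

    def reset(self):
        """Return the port to its static configuration."""
        self.pvid, self.vlans = self.static_pvid, set(self.static_vlans)

class Switch:
    def __init__(self, configured_vlans, ports):
        self.configured, self.ports = set(configured_vlans), ports

    def vlans(self):
        # Assumption: a dynamically created VLAN is "in use" while a port is a member.
        return self.configured.union(*(p.vlans for p in self.ports))

    def accept(self, port, client, radius_vlan=None):
        """Handle a RADIUS accept; radius_vlan is None if no VLAN was assigned."""
        if radius_vlan is None and port.no_vlan == "reject":
            return False                           # authentication is rejected
        port.sessions[client] = radius_vlan
        if radius_vlan is not None:
            port.vlans.add(radius_vlan)            # egress untagged membership
            if port.host_mode != "multi-sessions":
                port.pvid = radius_vlan            # PVID follows the RADIUS VLAN
        return True

    def unauthorize(self, port, client):
        vlan = port.sessions.pop(client, None)
        if port.host_mode != "multi-sessions":
            port.sessions.clear()
            port.reset()                           # static configuration is reset
        elif vlan not in port.sessions.values() and vlan not in port.static_vlans:
            port.vlans.discard(vlan)               # last host on that VLAN left
```
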