Configuring port-based and user-based access control
Why use port-based access control?
Local area networks are often deployed in a way that allows unauthorized clients to connect to network devices, or unauthorized users to access unattended clients on the network. In addition, the use of DHCP services makes network services readily available to anyone who plugs in. This exposes the network to unauthorized use and malicious attacks, and uncontrolled, unauthorized access is generally undesirable. 802.1X simplifies security management by providing access control and the ability to manage user profiles from up to three RADIUS servers, allowing a given user to use the same valid login credentials for access from multiple points on the network.
Port-based access control 802.1X
802.1X port-based access control provides port-level security that allows LAN access only on ports where a single 802.1X-compliant client has entered authorized RADIUS user credentials. This option is recommended for applications where only one client at a time can connect to the port. Using this option, the port processes all IP traffic as if it came from the same client. Therefore, in a topology where multiple clients can connect to the same port at the same time:
If the first client authenticates and opens the port, and then another client authenticates, the port responds as if the original client had initiated a new authentication. With multiple clients authenticating on the port, the RADIUS configuration returned for the most recent authentication supersedes the configuration from any previous authentication. If all clients receive the same configuration, this is not a problem; but if the RADIUS server returns different configurations for different clients, the last authenticated client effectively blocks any previously authenticated clients. When an authenticated client closes its session, the port also closes and remains closed until another client successfully authenticates;
The client's last authentication determines the port's membership in the untagged VLAN. In addition, any client capable of using the port can access any statically configured tagged VLAN membership on the port, provided the client is configured to use the available tagged VLAN memberships;
If the first client authenticates and opens the port and then one or more other clients connect without attempting to authenticate, the port configuration determined by the original RADIUS response remains unchanged and all these clients will have the same access as the authenticated client. When the authenticated client closes the session, the port is also closed to other unauthenticated clients that may have used it.
This behavior leaves the port open for the duration of an authenticated client's session. In topologies where simultaneous access by multiple clients is possible, it may allow unauthorized, unauthenticated access by another client while an authenticated client is using the port. If you want to allow port access only to authenticated clients, you must use user-based access control instead of port-based access control. The user-based method allows up to 32 authenticated clients on a port.
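The following model is an added illustration, not switch firmware or code from this documentation. It simulates a single port under the two modes described above: in port-based mode one successful authentication opens the port for every attached MAC and the last RADIUS answer overwrites the untagged VLAN, while in user-based mode each MAC must authenticate individually, up to the 32-client limit. The MAC addresses, the RADIUS answers and the VLAN numbers are constructed sample data, and the class and function names are this example's own.

```python
"""Toy model of port-based vs user-based 802.1X port behavior (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_USER_BASED_CLIENTS = 32  # per-port client limit stated in the text


@dataclass
class RadiusResponse:
    accept: bool
    untagged_vlan: Optional[int] = None


# Constructed sample RADIUS policy: client MAC -> server decision.
RADIUS_POLICY = {
    "aa:aa:aa:aa:aa:01": RadiusResponse(True, untagged_vlan=10),
    "aa:aa:aa:aa:aa:02": RadiusResponse(True, untagged_vlan=20),
    "aa:aa:aa:aa:aa:03": RadiusResponse(False),  # rejected by the server
}
# "aa:aa:aa:aa:aa:04" never tries to authenticate at all.


@dataclass
class PortBasedPort:
    """Port-level decision: one open session admits every MAC on the port."""
    opened_by: Optional[str] = None       # MAC whose last auth opened the port
    untagged_vlan: Optional[int] = None

    def authenticate(self, mac: str) -> bool:
        resp = RADIUS_POLICY.get(mac, RadiusResponse(False))
        if resp.accept:
            # The most recent successful authentication supersedes the previous one.
            self.opened_by = mac
            self.untagged_vlan = resp.untagged_vlan
        return resp.accept

    def logoff(self, mac: str) -> None:
        # Only the client that currently "owns" the port can close it, but
        # closing it cuts off everyone who was riding the open port.
        if mac == self.opened_by:
            self.opened_by = None
            self.untagged_vlan = None

    def allows(self, mac: str) -> bool:
        return self.opened_by is not None


@dataclass
class UserBasedPort:
    """Per-client decision: each MAC needs its own authenticated session."""
    sessions: Dict[str, Optional[int]] = field(default_factory=dict)

    def authenticate(self, mac: str) -> bool:
        resp = RADIUS_POLICY.get(mac, RadiusResponse(False))
        if not resp.accept or len(self.sessions) >= MAX_USER_BASED_CLIENTS:
            return False
        self.sessions[mac] = resp.untagged_vlan
        return True

    def logoff(self, mac: str) -> None:
        self.sessions.pop(mac, None)

    def allows(self, mac: str) -> bool:
        return mac in self.sessions


def piggyback_scenario(port):
    """Client 01 authenticates; 03 is rejected; 04 never tries.

    Returns (access while 01 is logged in, access after 01 logs off)."""
    macs = ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:03", "aa:aa:aa:aa:aa:04")
    port.authenticate("aa:aa:aa:aa:aa:01")
    port.authenticate("aa:aa:aa:aa:aa:03")
    during = {m: port.allows(m) for m in macs}
    port.logoff("aa:aa:aa:aa:aa:01")
    after = {m: port.allows(m) for m in macs}
    return during, after


def vlan_override_scenario():
    """Two clients authenticate on a port-based port; the second one's RADIUS
    answer replaces the untagged VLAN the first one was placed in."""
    port = PortBasedPort()
    port.authenticate("aa:aa:aa:aa:aa:01")
    first = port.untagged_vlan
    port.authenticate("aa:aa:aa:aa:aa:02")
    second = port.untagged_vlan
    return first, second


if __name__ == "__main__":
    print("port-based :", piggyback_scenario(PortBasedPort()))
    print("user-based :", piggyback_scenario(UserBasedPort()))
    print("vlan change:", vlan_override_scenario())
```

Running it shows the two risks the text describes: under port-based control the rejected client 03 and the silent client 04 both get through while client 01's session is open and are cut off when it ends, whereas under user-based control only client 01 is ever forwarded; and the second authentication moves the port from VLAN 10 to VLAN 20 underneath the first client.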