If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC authentication
bypass is enabled, the switch can authorize the client when the switch detects an Ethernet packet from the
client. The switch uses the MAC address of the client as its identity and includes this information in the
RADIUS-access/request frame that is sent to the RADIUS server. After the server sends the switch the
RADIUS-access/accept frame (authorization is successful), the port becomes authorized. If authorization fails
and a guest VLAN is specified, the switch assigns the port to the guest VLAN. If the switch detects an EAPOL
packet while waiting for an Ethernet packet, the switch stops the MAC authentication bypass process and
starts 802.1x authentication.
This figure shows the message exchange during MAC authentication bypass.
Figure 93: Message Exchange During MAC Authentication Bypass
Authentication Manager for Port-Based Authentication
Port-Based Authentication Methods
Table 123: 802.1x Features
ModeAuthentication method
Multiple
Authentication
MDAMultiple hostSingle host
VLAN
assignment
Per-user ACL
Filter-Id attribute
Downloadable
ACL
Redirect URL
VLAN
assignment
Per-user ACL
Filter-Id attribute
Downloadable
ACL
Redirect URL
VLAN
assignment
VLAN
assignment
Per-user ACL
Filter-ID
attribute
Downloadable
ACL
15
Redirect URL
802.1x
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1323
Information About 802.1x Port-Based Authentication
To Next Page
Loading...
Need help?
General
