EasyManua.ls Logo

Cisco Catalyst 3560-X

Cisco Catalyst 3560-X
1538 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
1-5
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Figure 1-2 Authentication Flowchart
The switch re-authenticates a client when one of these situations occurs:
Periodic re-authentication is enabled, and the re-authentication timer expires.
You can configure the re-authentication timer to use a switch-specific value or to be based on values
from the RADIUS server.
After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on
the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS
attribute (Attribute [29]).
The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which
re-authentication occurs.
The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during
re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the
attribute value is DEFAULT), the 802.1x session ends, and connectivity is lost during
re-authentication. When the ReAuthenticate action is set (the attribute value is RADIUS-Request),
the session is not affected during re-authentication.
You manually re-authenticate the client by entering the dot1x re-authenticate interface
interface-id privileged EXEC command.
281594
Client
identity is
invalid
All authentication
servers are down.
All authentication
servers are down.
Client
identity is
valid
The switch gets an
EAPOL message,
and the EAPOL
message
exchange begins.
1 = This occurs if the switch does not
detect EAPOL packets from the client.
Client MAC
address
identity
is invalid.
Client MAC
address
identity
is valid.
YesYes No
IEEE 802.1x authentication
process times out.
Start IEEE 802.1x port-based
authentication.
Use inaccessible
authentication bypass
(critical authentication)
to assign the critical
port to a VLAN.
1
Use MAC authentication
bypass.
Assign the port to
a VLAN.
Assign the port to
a restricted VLAN.
Done
Assign the port to
a guest VLAN.
Done
Done
Done
Assign the port to
a VLAN.
Done
1
Assign the port to
a guest VLAN.
Done
Is the client IEEE
802.1x capable?
Start
Is MAC authentication
bypass enabled?
1
User does not have a
certificate but the system
previously logged on to
the network using
a computer certificate.
No

Table of Contents

Related product manuals