Name: Cisco Catalyst 3560-X
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

1-6

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-25303-03

Chapter 1 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

Authentication Initiation and Message Exchange

During 802.1x authentication, the switch or the client can initiate authentication. If you enable

authentication on a port by using the authentication port-control auto or dot1x port-control auto

interface configuration command, the switch initiates authentication when the link state changes from

down to up or periodically as long as the port remains up and unauthenticated. The switch sends an

EAP-request/identity frame to the client to request its identity. Upon receipt of the frame, the client

responds with an EAP-response/identity frame.

However, if during bootup, the client does not receive an EAP-request/identity frame from the switch,

the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to

request the client’s identity.

Note If 802.1x authentication is not enabled or supported on the network access device, any EAPOL frames

from the client are dropped. If the client does not receive an EAP-request/identity frame after three

attempts to start authentication, the client sends frames as if the port is in the authorized state. A port in

the authorized state effectively means that the client has been successfully authenticated. For more

information, see the “Ports in Authorized and Unauthorized States” section on page 1-10.

When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames

between the client and the authentication server until authentication succeeds or fails. If the

authentication succeeds, the switch port becomes authorized. If the authentication fails, authentication

can be retried, the port might be assigned to a VLAN that provides limited services, or network access

is not granted. For more information, see the “Ports in Authorized and Unauthorized States” section on

page 1-10.

The specific exchange of EAP frames depends on the authentication method being used. Figure 1-3

shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP)

authentication method with a RADIUS server.

Figure 1-3 Message Exchange

101228

Client

Port Authorized

Port Unauthorized

EAPOL-Start

EAP-Request/Identity

EAP-Response/Identity

EAP-Request/OTP

EAP-Response/OTP

EAP-Success

RADIUS Access-Request

RADIUS Access-Challenge

RADIUS Access-Request

RADIUS Access-Accept

EAPOL-Logoff

Authentication

server

(RADIUS)

Questions and Answers:

Need help?

Do you have a question about the Cisco Catalyst 3560-X and is the answer not in the manual?

Cisco Catalyst 3560-X Specifications

General

Enclosure Type	Rack-mountable - 1U
Subtype	Gigabit Ethernet
Ports	48 x 10/100/1000 + 4 x SFP
Flash Memory	64 MB
Power Device	Internal power supply
Voltage Required	AC 120/230 V (50/60 Hz)
Operating System	Cisco IOS
Device Type	Switch
Performance	Switching capacity: 128 Gbps
Jumbo Frame Support	Yes
Routing Protocol	RIP-1, RIP-2, EIGRP
Remote Management Protocol	SNMP 1, RMON 1, RMON 2, RMON 3, RMON 9, Telnet, SNMP 3, HTTP, HTTPS
Features	DHCP support, VLAN support, QoS, IPv6 support, Syslog
Compliant Standards	IEEE 802.3, IEEE 802.3u, IEEE 802.3z, IEEE 802.1D, IEEE 802.1Q, IEEE 802.3ab, IEEE 802.1p, IEEE 802.3af, IEEE 802.3x, IEEE 802.3ad, IEEE 802.1w, IEEE 802.1x, IEEE 802.1s, IEEE 802.3ah, IEEE 802.1ag, IEEE 802.3at
Stacking	Stackable
Security Features	SSH, RADIUS, TACACS+
Management	CLI
Dimensions (H x W x D)	17.5 in
Operating Temperature	32 to 113 °F (0 to 45 °C)
Humidity	10 - 95% (non-condensing)