2-28
Catalyst 3750-X and 3560-X Switch Command Reference
OL-21522-02
Chapter 2 Catalyst 3750-X and 3560-X Switch Cisco IOS Commands
authentication event
For authentication-fail events:
• If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant because it is not notified of the actual authentication failure.
– If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.
– Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.
• The restricted VLAN is supported only in single-host mode (the default port mode). When a port is placed in a restricted VLAN, the supplicant's MAC address is added to the MAC address table. Any other MAC address on the port is treated as a security violation.
• You cannot configure an internal VLAN for a Layer 3 port as a restricted VLAN. You cannot specify the same VLAN as a restricted VLAN and as a voice VLAN.
• Enable re-authentication with restricted VLANs. If re-authentication is disabled, the ports in the restricted VLANs do not receive re-authentication requests.
To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub:
– The port might not receive a link-down event when the host is disconnected.
– The port might not detect new hosts until the next re-authentication attempt occurs.
• When you reconfigure a restricted VLAN as a different type of VLAN, ports in the restricted VLAN are also moved and stay in their currently authorized state.
Examples
This example shows how to configure the authentication event fail command:
Switch(config-if)# authentication event fail action authorize vlan 20
This example shows how to configure a no-response action:
Switch(config-if)# authentication event no-response action authorize vlan 10
This example shows how to configure a server-response action:
Switch(config-if)# authentication event server alive action reinitialize
This example shows how to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable. Use this command for ports in multiple authentication (multiauth) mode or if the voice domain of the port is in MDA mode:
Switch(config-if)# authentication event server dead action authorize vlan 10
This example shows how to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable. Use this command for ports in multiple-host or multiauth mode:
Switch(config-if)# authentication event server dead action reinitialize vlan 10
You can verify your settings by entering the show authentication privileged EXEC command.
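The examples above show each authentication event form in isolation. The following is an added, complete access-port configuration that is not taken from the command reference; it applies the usage guidelines as a set: re-authentication enabled (so a port parked in the restricted VLAN is re-tried), single-host mode (the only mode in which the restricted VLAN is supported), and a voice VLAN that is distinct from the restricted VLAN. The interface name, VLAN numbers, VLAN names and the 3600-second re-authentication interval are assumed values chosen for illustration; the fail, no-response and server-dead VLAN numbers match the examples above.

```cisco
! Added example (not from the command reference). Interface, VLAN IDs,
! VLAN names and the reauthentication interval are assumed values.
! IOS treats "!" only at the start of a line as a comment, so every
! comment is on its own line.
!
! VLAN 20: restricted VLAN for supplicants that FAIL authentication
! VLAN 10: guest VLAN for hosts that send no EAPOL, also used as the
!          critical VLAN when RADIUS is unreachable
! VLAN 100: normal authorized data VLAN
! VLAN 200: voice VLAN; must not be the same VLAN as the restricted VLAN
vlan 10
 name GUEST-CRITICAL
vlan 20
 name AUTH-FAIL-RESTRICTED
vlan 100
 name CORP-DATA
vlan 200
 name VOICE
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 !
 ! Restricted VLAN is supported only in single-host mode (the default);
 ! set it explicitly so a later host-mode change has to be deliberate.
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
 !
 ! Re-authentication must be on; otherwise a port in the restricted VLAN
 ! never receives a reauthentication request and stays there until a
 ! link-down or EAP logoff event.
 authentication periodic
 authentication timer reauthenticate 3600
 !
 ! Supplicant failed authentication: move to restricted VLAN 20. The
 ! switch still sends EAP success, so the host can complete DHCP there.
 authentication event fail action authorize vlan 20
 !
 ! No EAPOL response (host has no 802.1X supplicant): guest VLAN 10.
 authentication event no-response action authorize vlan 10
 !
 ! RADIUS server unreachable: authorize in critical VLAN 10, and
 ! reinitialize the port when the server comes back so the host is
 ! authenticated normally again.
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
```

Verify with the show authentication sessions interface GigabitEthernet1/0/1 privileged EXEC command, which reports the session status and the VLAN policy actually applied, so a port that is sitting in VLAN 20 because its supplicant failed is visible rather than silently "working". Because a failed supplicant still receives Layer 2 connectivity in the restricted VLAN, treat that VLAN as untrusted and restrict it at its Layer 3 gateway.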