10-24
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-08
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
• If the port is already authorized and reauthentication occurs, the switch puts the critical port in the
critical-authentication state in the current VLAN, which might be the one previously assigned by
the RADIUS server.
• If the RADIUS server becomes unavailable during an authentication exchange, the current exchange
times out, and the switch puts the critical port in the critical-authentication state during the next
authentication attempt.
You can configure the critical port to reinitialize hosts and move them out of the critical VLAN when
the RADIUS server is again available. When this is configured, all critical ports in the
critical-authentication state are automatically re-authenticated. For more information, see the command
reference for this release and the “Configuring the Inaccessible Authentication Bypass Feature” on page
10-54.
Feature Interactions
Inaccessible authentication bypass interacts with these features:
• Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest
VLAN is enabled on an 802.1x port, the features interact as follows:
– If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when
the switch does not receive a response to its EAP request/identity frame or when EAPOL
packets are not sent by the client.
– If all the RADIUS servers are not available and the client is connected to a critical port, the
switch authenticates the client and puts the critical port in the critical-authentication state in the
RADIUS-configured or user-specified access VLAN.
– If all the RADIUS servers are not available and the client is not connected to a critical port, the
switch might not assign clients to the guest VLAN if one is configured.
– If all the RADIUS servers are not available and if a client is connected to a critical port and was
previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.
• Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers
are unavailable, the switch puts the critical port in the critical-authentication state in the restricted
VLAN.
• 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
• Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port.
The access VLAN must be a secondary private VLAN.
• Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the
RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.
• Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the
RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.
In a switch stack, the stack master checks the status of the RADIUS servers by sending keepalive
packets. When the status of a RADIUS server changes, the stack master sends the information to the
stack members. The stack members can then check the status of RADIUS servers when re-authenticating
critical ports.
If a new stack master is elected, the link between the switch stack and the RADIUS server might change,
and the new stack master immediately sends keepalive packets to update the status of the RADIUS servers. If
the server status changes from dead to alive, the switch re-authenticates all switch ports in the
critical-authentication state.
When a member is added to the stack, the stack master sends the member the server status.
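As an added example (not taken from this guide), the following IOS configuration enables the keepalive-based RADIUS server status detection, makes an access port a critical port, and turns on the reinitialize-on-recovery behavior described above while respecting the voice VLAN and RSPAN VLAN constraints. The server address, shared key, interface and VLAN numbers are constructed placeholders.

```cisco
! Added example, not from the guide. Server address, key, interface and VLAN IDs are placeholders.
! Declare a server dead after 20 s without a reply over 10 tries, and keep it marked dead for 60 min
radius-server dead-criteria time 20 tries 10
radius-server deadtime 60
! Keepalive probing: test requests with a dummy user name track whether the server is alive
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 test username probe-user idle-time 30 key PLACEHOLDER_KEY
! Send EAPOL-Success to the supplicant when the port enters the critical-authentication state
dot1x critical eapol
! Space re-authentications 2000 ms apart when servers return, so a stack does not flood the server
dot1x critical recovery delay 2000
!
interface gigabitethernet1/0/1
 switchport mode access
 switchport voice vlan 30
 dot1x port-control auto
 ! Make this port a critical port (inaccessible authentication bypass)
 dot1x critical
 ! Critical (access) VLAN: must differ from the voice VLAN (30) and must not be an RSPAN VLAN
 dot1x critical vlan 20
 ! When a server comes back, reinitialize hosts and move them out of VLAN 20 via re-authentication
 dot1x critical recovery action reinitialize
```

Without the reinitialize action, hosts stay in VLAN 20 after the server recovers until their next reauthentication, so verify the recovered state with the port's 802.1x status rather than assuming it.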