Catalyst 3750-X and 3560-X Switch Command Reference
OL-29704-01
Chapter 2 Catalyst 3750-X and 3560-X Switch Cisco IOS Commands
authentication event
• When MAC authentication bypass is enabled on an IEEE 802.1x port, the switch can authorize
clients based on the client MAC address if IEEE 802.1x authentication times out while waiting for
an EAPOL message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for
an Ethernet packet from the client. The switch sends the authentication server a
RADIUS-access/request frame with a username and password based on the MAC address.
  – If authorization succeeds, the switch grants the client access to the network.
  – If authorization fails, the switch assigns the port to the guest VLAN if one is specified.
For more information, see the "Using IEEE 802.1x Authentication with MAC Authentication
Bypass" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the
software configuration guide.
For server-dead events:
• When the switch moves to the critical-authentication state, new hosts trying to authenticate are
moved to the critical-authentication VLAN (or critical VLAN). This applies whether the port is in
single-host, multiple-host, multiauth, or MDA mode. Authenticated hosts remain in the
authenticated VLAN, and the reauthentication timers are disabled.
• If a client is running Windows XP and the critical port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server and
a critical port receives an EAP-Success message, the DHCP configuration process might not
re-initiate.
You can verify your settings by entering the show authentication privileged EXEC command.
Examples
This example shows how to configure the authentication event fail command:
Switch(config-if)# authentication event fail action authorize vlan 20
This example shows how to configure a no-response action:
Switch(config-if)# authentication event no-response action authorize vlan 10
This example shows how to configure a server-response action:
Switch(config-if)# authentication event server alive action reinitialize
This example shows how to configure a port to send both new and existing hosts to the critical VLAN
when the RADIUS server is unavailable. Use this command for ports in multiple authentication (multiauth)
mode or if the voice domain of the port is in MDA mode:
Switch(config-if)# authentication event server dead action authorize vlan 10
This example shows how to configure a port to send both new and existing hosts to the critical VLAN
when the RADIUS server is unavailable and, if the traffic from the host is tagged with the voice VLAN,
to put the host in the configured voice VLAN on the port. Use this command for ports in multiple-host
or multiauth mode:
Switch(config-if)# authentication event server dead action reinitialize vlan 10
Switch(config-if)# authentication event server dead action authorize voice
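The following is an added example, not part of the Cisco command reference: a Python script that reads a saved running-config and lists, per interface, which VLAN each authentication event fallback action (fail, no-response, server dead) can place a host into without a successful authentication. The sample configuration, interface names, and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the reference); names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication event fail action authorize vlan 20
 authentication event no-response action authorize vlan 10
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
!
interface GigabitEthernet1/0/2
 authentication event server dead action reinitialize vlan 10
 authentication event server dead action authorize voice
!
interface GigabitEthernet1/0/3
"""

# Only events that grant access are matched; "server alive" grants nothing.
EVENT_RE = re.compile(
    r"^authentication event (fail|no-response|server dead)"
    r"(?: retry \d+)? action (authorize|reinitialize)(?: vlan (\d+)| (voice))?$"
)

def fallback_vlans(config):
    """Map interface -> [(event, action, target)], target = VLAN id or 'voice'."""
    result, iface = defaultdict(list), None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            iface = raw.split(None, 1)[1].strip()
            continue
        if not raw.startswith(" "):  # '!' or a global command closes the block
            iface = None
            continue
        m = EVENT_RE.match(raw.strip())
        if iface and m:
            event, action, vlan, voice = m.groups()
            result[iface].append((event, action, int(vlan) if vlan else voice))
    return dict(result)

def ports_reaching_vlan(config, vlan_id):
    """Interfaces where a fallback event, not a successful login, leads to vlan_id."""
    return sorted(i for i, grants in fallback_vlans(config).items()
                  if any(target == vlan_id for _, _, target in grants))

if __name__ == "__main__":
    for iface, grants in fallback_vlans(SAMPLE_CONFIG).items():
        print(iface, grants)
```

Comparing the VLANs reported here against the ACLs and routing applied to those VLANs shows what a device can reach after a failed, unanswered, or unverifiable authentication.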