2-25
Catalyst 3750 Switch Command Reference
OL-8552-07
Chapter 2 Catalyst 3750 Switch Cisco IOS Commands
authentication event
For server-dead events:
• When the switch moves to the critical-authentication state, only new hosts trying to authenticate are
moved to the critical-authentication VLAN. Authenticated hosts remain in the authenticated VLAN,
and the reauthentication timers are disabled.
• If a client is running Windows XP and the critical port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server and
a critical port receives an EAP-Success message, the DHCP configuration process might not
re-initiate.
For no-response events:
• If you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN
when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL)
request/identity frame or when EAPOL packets are not sent by the client.
• The switch maintains the EAPOL packet history. If another EAPOL packet is detected on the port
during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest
VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL
history is cleared.
• If the switch port is moved to the guest VLAN (multi-host mode), multiple non-IEEE
802.1x-capable clients are allowed access . If an IEEE 802.1x-capable client joins the same port on
which the guest VLAN is configured, the port is put in the unauthorized state in the
RADIUS-configured or user-configured access VLAN, and authentication restarts.
You can configure any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN, a
primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature
is supported only on access ports. It is not supported on internal VLANs (routed ports) or trunk
ports.
• When MAC authentication bypass is enabled on an IEEE 802.1x port, the switch can authorize
clients based on the client MAC address if IEEE 802.1x authentication times out while waiting for
an EAPOL message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for
an Ethernet packet from the client. The switch sends the authentication server a
RADIUS-access/request frame with a username and password based on the MAC address.
–
If authorization succeeds, the switch grants the client access to the network.
–
If authorization fails, the switch assigns the port to the guest VLAN if one is specified.
For more information, see the "Using IEEE 802.1x Authentication with MAC Authentication
Bypass" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the
software configuration guide.
For authentication-fail events:
• If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success
message is sent to the supplicant because it i s not notified of the actual authentication failure.
–
If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the
default) by sending an EAP-start message.
–
Some hosts (for example, devices running Windows XP) cannot implement DHCP until they
receive an EAP success message.
The restricted VLAN is supported only in single host mode (the default port mode). When a port is
placed in a restricted VLAN, the supplicant's MAC address is added to the MAC address table. Any
other MAC address on the port is treated as a security violation.
To Next Page
Loading...
Need help?
General
