Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
 
Chapter 49      Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
Guest VLANs are supported on a per-port basis, and you can use any VLAN as a guest VLAN as long as its type matches the 
type of the port. If a port is already forwarding on the guest VLAN and an 802.1X supplicant is then enabled on the host's 
network interface, the port is immediately moved out of the guest VLAN and the authenticator waits for authentication to occur.
Enabling 802.1X authentication on a port starts the 802.1X protocol. If the host fails to respond to packets from the 
authenticator within a certain amount of time, the authenticator brings the port up in the configured guest VLAN.
If the port is configured as a PVLAN host port, the guest VLAN must be a secondary PVLAN. If the port is configured as an 
access port, the guest VLAN must be a regular VLAN. If the guest VLAN configured on a port is not appropriate for the type 
of the port, the switch behaves as if no guest VLAN is configured (that is, non-responsive hosts are denied network access).
For details on how to configure guest VLANs, see the “Configuring 802.1X with Guest VLANs” section on page 49-57.
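The following interface configuration is an added example and is not taken from the configuration guide; it shows the two port types described above with a guest VLAN that matches each type. The VLAN IDs, interface names and RADIUS server address are assumptions chosen for the illustration. The tx-period and max-reauth-req values are the defaults (30 seconds and 2 retries, so three EAP-Request/Identity frames in total), which is the "three attempts with a 30 second timeout" behaviour the Windows XP guidelines describe; the port is authorized in the guest VLAN only after all three go unanswered.

```cisco
! Added example, not the guide's own configuration. VLAN IDs, interface
! names and the RADIUS address (10.0.0.5) are assumptions.
vtp mode transparent
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server ISE
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key <shared-secret>

! Regular VLANs: 10 is the data VLAN, 100 is the guest VLAN for access ports.
vlan 10,100

! Private VLAN pair: 20 is the primary, 201 the isolated secondary.
! A guest VLAN on a PVLAN host port must be a secondary PVLAN such as 201.
vlan 20
 private-vlan primary
 private-vlan association 201
vlan 201
 private-vlan isolated

! Access port: the guest VLAN (100) must be a regular VLAN.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication port-control auto
 authentication event no-response action authorize vlan 100
 dot1x pae authenticator
 dot1x timeout tx-period 30
 dot1x max-reauth-req 2

! PVLAN host port: the guest VLAN (201) must be a secondary PVLAN.
! Configuring a regular VLAN here would be treated as "no guest VLAN",
! and non-responsive hosts would simply be denied access.
interface GigabitEthernet1/2
 switchport mode private-vlan host
 switchport private-vlan host-association 20 201
 authentication host-mode single-host
 authentication port-control auto
 authentication event no-response action authorize vlan 201
 dot1x pae authenticator
 dot1x timeout tx-period 30
 dot1x max-reauth-req 2
```

To confirm which state a port ended up in, use show authentication sessions interface GigabitEthernet1/1 and show dot1x interface GigabitEthernet1/1 details: a non-responsive host appears as an authorized session in the guest VLAN, whereas a host that answered and then failed authentication does not, because failed hosts are never placed in the guest VLAN.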
Usage Guidelines for Using 802.1X Authentication with Guest VLANs
When using 802.1X authentication with guest VLANs, consider these guidelines:
• When you reconfigure a guest VLAN to a different VLAN, any authentication failed ports are also moved and the ports 
stay in their current authorized state.
• When you shut down or remove a guest VLAN from the VLAN database, any authentication failed ports are immediately 
moved to an unauthorized state and the authentication process is restarted.
Note: No periodic reauthentication is allowed with guest VLANs.
Usage Guidelines for Using 802.1X Authentication with Guest VLANs on Windows-XP Hosts
When using 802.1X authentication with guest VLANs on Windows-XP hosts, consider these guidelines:
• If the host fails to respond to the authenticator, the port attempts to connect three times (with a 30 second timeout between 
each attempt). After this time, the login/password window does not appear on the host, so you must unplug and reconnect 
the network interface cable.
• Hosts responding with an incorrect login/password fail authentication. Hosts failing authentication are not put in the guest 
VLAN. The first time that a host fails authentication, the quiet-period timer starts, and no activity occurs for the duration 
of the quiet-period timer. When the quiet-period timer expires, the host is presented with the login and password window. 
If the host fails authentication for the second time, the quiet-period timer starts again, and no activity occurs for the 
duration of the quiet-period timer. The host is presented with the login and password window a third time. If the host fails 
authentication the third time, the port is placed in the unauthorized state, and you must disconnect and reconnect the 
network interface cable.
Using 802.1X with MAC Authentication Bypass
The 802.1X protocol has three entities: the client (supplicant), the authenticator, and the authentication server. Typically, the host PC runs the 
supplicant software and tries to authenticate itself by sending its credentials to the authenticator, which in turn relays them 
to the authentication server for authentication.
However, not all hosts have supplicant functionality. Devices that cannot authenticate themselves using 802.1X but still 
need network access can use MAC Authentication Bypass (MAB), in which the switch sends the connecting device's MAC address to the 
authentication server as its identity and the server grants or denies network access on that basis. Because a MAC address is not a 
secret and can be set by any host, MAB is a weaker control than 802.1X and should be enabled only on the ports that need it.
Typically, you use this feature on ports where devices such as printers are connected. Such devices do not have 802.1X 
supplicant functionality.
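The interface below is an added example, not configuration from the guide, showing the usual way MAB is deployed alongside 802.1X on a printer port: 802.1X is tried first and MAB is used as the fallback when no supplicant answers. The interface name and VLAN ID are assumptions, and the global AAA and RADIUS configuration shown in the guest VLAN example above is assumed to be in place.

```cisco
! Added example, not the guide's own configuration. Interface name and
! VLAN 10 are assumptions; AAA/RADIUS globals are assumed to exist.
interface GigabitEthernet1/3
 description Printer port: 802.1X first, MAB as fallback
 switchport mode access
 switchport access vlan 10
 ! Limit the port to a single authenticated MAC address; with MAB the
 ! MAC address is the whole credential, so do not let extra hosts ride along.
 authentication host-mode single-host
 authentication port-control auto
 ! Try 802.1X first, then MAB; fall through to the next method on failure.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 ! Shorter tx-period so a supplicant-less printer reaches MAB sooner
 ! (3 unanswered EAP-Request/Identity frames at 10 s each = 30 s).
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

After the printer connects, show authentication sessions interface GigabitEthernet1/3 should list the session with mab as the method and the printer's MAC address as the identity; the RADIUS server must have that MAC address registered, or the port stays unauthorized.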