Cisco IE-5000 User Manual

Cisco IE-5000
1066 pages
Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Follow these guidelines to enable the readiness check on the switch:
- The readiness check is typically used before 802.1x is enabled on the switch.
- The 802.1x readiness check is allowed on all ports that can be configured for 802.1x. The readiness check is not available on a port that is configured as dot1x force-unauthorized.
- If you use the dot1x test eapol-capable privileged EXEC command without specifying an interface, all the ports on the switch stack are tested.
- When you configure the dot1x test eapol-capable command on an 802.1x-enabled port, and the link comes up, the port queries the connected client about its 802.1x capability. When the client responds with a notification packet, it is 802.1x-capable. A syslog message is generated if the client responds within the timeout period. If the client does not respond to the query, the client is not 802.1x-capable. No syslog message is generated.
- The readiness check can be sent on a port that handles multiple hosts (for example, a PC that is connected to an IP phone). A syslog message is generated for each of the clients that respond to the readiness check within the timer period.
For information on configuring the switch for the 802.1x readiness check, see Configuring 802.1x Readiness Check, page 220.
802.1x Authentication with VLAN Assignment
The RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the
username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port.
You can use this feature to limit network access for certain users.
When a voice device is authorized and the RADIUS server returns an authorized VLAN, the voice VLAN on the port is
configured to send and receive packets on the assigned voice VLAN. Voice VLAN assignment behaves the same as data
VLAN assignment on multidomain authentication (MDA)-enabled ports. For more information, see Multidomain
Authentication, page 197.
When configured on the switch and the RADIUS server, 802.1x authentication with VLAN assignment has these
characteristics:
- If no VLAN is supplied by the RADIUS server or if 802.1x authentication is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN assigned to an access port. All packets sent from or received on this port belong to this VLAN.
- If 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid, authorization fails and the configured VLAN remains in use. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error.
  Configuration errors could include specifying a VLAN for a routed port, a malformed VLAN ID, a nonexistent or internal (routed port) VLAN ID, an RSPAN VLAN, or a shut down or suspended VLAN. In the case of a multidomain host port, configuration errors can also be due to an attempted assignment of a data VLAN that matches the configured or assigned voice VLAN ID (or the reverse).
- If 802.1x authentication is enabled and all information from the RADIUS server is valid, the authorized device is placed in the specified VLAN after authentication.
- If the multiple-hosts mode is enabled on an 802.1x port, all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host.
- Enabling port security does not impact the RADIUS server-assigned VLAN behavior.
- If 802.1x authentication is disabled on the port, it is returned to the configured access VLAN and configured voice VLAN.
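
The validity rules listed above can be checked against a RADIUS username-to-VLAN map before 802.1x is enabled, so that mappings which would fail authorization are found in advance. The following Python sketch is an added example, not Cisco code and not part of the manual. The names `Vlan`, `Port`, `assign` and `audit` are hypothetical, and it assumes numeric VLAN IDs in the range 1-4094 and compares only the configured (not dynamically assigned) VLAN of the other domain.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Vlan:
    active: bool = True     # False: shut down or suspended
    rspan: bool = False
    internal: bool = False  # internal VLAN used by a routed port

@dataclass
class Port:
    access_vlan: int
    voice_vlan: Optional[int] = None
    routed: bool = False
    mda: bool = False       # multidomain authentication enabled
    dot1x: bool = True

def assign(port, vlans, radius_vlan, domain="data"):
    """Return (authorized, vlan_in_use, reason) for an authenticated client."""
    configured = port.voice_vlan if domain == "voice" else port.access_vlan
    other = port.access_vlan if domain == "voice" else port.voice_vlan
    if not port.dot1x or radius_vlan is None:
        return True, configured, "no RADIUS VLAN or 802.1x disabled"
    text = str(radius_vlan).strip()
    vid = int(text) if text.isascii() and text.isdigit() else 0  # 0 = unparsable
    vlan = vlans.get(vid, Vlan())
    checks = [
        (port.routed, "VLAN specified for a routed port"),
        (not 1 <= vid <= 4094, "malformed VLAN ID"),
        (vid not in vlans, "nonexistent VLAN"),
        (vlan.internal, "internal (routed port) VLAN"),
        (vlan.rspan, "RSPAN VLAN"),
        (not vlan.active, "shut down or suspended VLAN"),
        (port.mda and vid == other, "data/voice VLAN clash on an MDA port"),
    ]
    for failed, reason in checks:
        if failed:  # authorization fails and the configured VLAN stays in use
            return False, configured, reason
    return True, vid, "placed in RADIUS-assigned VLAN"

def audit(mapping, port, vlans):
    """Map each username whose RADIUS VLAN would fail on this port to the reason."""
    results = {u: assign(port, vlans, v) for u, v in mapping.items()}
    return {u: reason for u, (ok, _, reason) in results.items() if not ok}

# Constructed sample data: switch VLAN database, one MDA port, RADIUS user map.
VLANS = {10: Vlan(), 20: Vlan(), 110: Vlan(), 900: Vlan(rspan=True), 30: Vlan(active=False)}
PORT = Port(access_vlan=10, voice_vlan=110, mda=True)
USERS = {"alice": "20", "bob": "900", "carol": "30", "dave": "4O", "frank": "110", "grace": "55"}
```

Calling `audit(USERS, PORT, VLANS)` returns every username except `alice`, each with the configuration error that would leave the port in its configured VLAN.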
