40-38
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 40 Configuring 802.1X Authentication
Configuring 802.1X Authentication on the Switch
Configuring the Authentication Failure VLAN
On a traditional 802.1X port, the switch does not provide access to the network until the supplicant that
is connected to the port is authenticated by verifying its identity information with an authentication
server. With the authentication failure VLAN feature, you can configure an authentication failure VLAN on
a per-port basis so that after three failed 802.1X authentication attempts by the supplicant, the port is moved
to the authentication failure VLAN, where the supplicant can access the network.
Note Contrast an authentication failure VLAN with a guest VLAN. A guest VLAN enables the non-802.1X
capable hosts to access the networks that use 802.1X authentication. You can use the guest VLANs while
you are upgrading your system to support the 802.1X authentication. Typically, the guest VLANs
support minimal services and provide minimal network access.
An authentication failure VLAN is independent of a guest VLAN. However, the guest VLAN can be the
same VLAN as the authentication failure VLAN. If you do not want to differentiate between the
non-802.1X capable hosts and the hosts that failed authentication, you can assign both kinds of hosts to the same
VLAN (either a guest VLAN or an authentication failure VLAN).
For more information, see the “Understanding How 802.1X Authentication for the Guest VLAN Works”
section on page 40-9.
Authentication Failure VLAN Configuration Guidelines and Restrictions
This section describes the configuration guidelines and restrictions for configuring the authentication
failure VLAN:
• After three failed 802.1X authentication attempts by the supplicant, the port is moved to the
authentication failure VLAN where the supplicant can access the network. These three attempts
introduce a delay of 3 minutes before the port is enabled in the authentication failure VLAN and the
EAP success packet is sent to the supplicant (1 minute per failed attempt based on the default quiet
period of 60 seconds after each failed attempt).
• The number of failed 802.1X authentication attempts is counted from the time of the linkup to the
point where the port is moved into the authentication failure VLAN. When the port moves into the
authentication failure VLAN, the failed-attempts counter is reset.
• Only users that fail 802.1X authentication are moved to the authentication failure VLAN.
• The authentication failure VLAN is supported only in the single-authentication mode (the default
port mode).
• The authentication failure VLAN is not supported on a port that is configured as a unidirectional
port.
• The supplicant’s MAC address is added to the CAM table and only its MAC address is allowed on
the authentication failure VLAN port. Any new MAC address appearing on the port is treated as a
security violation.
• The authentication failure VLAN port cannot be part of an RSPAN VLAN or a private VLAN.
Note In software release 8.6(1) and later releases, a private VLAN and secondary VLAN can be
configured as the guest VLAN or authentication failure VLAN. For more information, see the
“Configuring 802.1X Authentication with Private VLANs” section on page 40-41.
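The following Python model is an added example, not code from the configuration guide or from the switch software. It is a hypothetical simulation of the per-port behavior described in the guidelines above: failed attempts are counted from linkup, each failure is followed by the default 60-second quiet period, the third failure moves the port into the authentication failure VLAN and resets the counter, and only the supplicant's MAC address is then allowed on the port. The class and method names, the port name 3/1, VLAN 40 and the MAC addresses are constructed for this example; the feature is modelled as active only on a port in single-authentication mode, as the guidelines require.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Values taken from the guidelines above.
QUIET_PERIOD_SECONDS = 60   # default quiet period after each failed attempt
MAX_FAILED_ATTEMPTS = 3     # failures before the port moves to the authentication failure VLAN


@dataclass
class Dot1xPort:
    """Hypothetical model of one 802.1X port (names are this example's own, not CatOS)."""
    name: str
    auth_fail_vlan: Optional[int] = None   # None: feature not configured on this port
    single_auth_mode: bool = True          # feature is supported only in single-auth mode
    state: str = "unauthorized"            # unauthorized | authorized | auth_fail_vlan
    vlan: Optional[int] = None
    allowed_mac: Optional[str] = None
    failed_attempts: int = 0
    seconds_since_linkup: int = 0          # constructed clock, advanced by the quiet period
    violations: List[str] = field(default_factory=list)

    def linkup(self) -> None:
        """Counting of failed attempts starts at linkup."""
        self.state = "unauthorized"
        self.vlan = None
        self.allowed_mac = None
        self.failed_attempts = 0
        self.seconds_since_linkup = 0
        self.violations = []

    def authentication_result(self, supplicant_mac: str, success: bool) -> str:
        """Apply one authentication outcome reported by the authentication server."""
        if success:
            self.state = "authorized"
            self.allowed_mac = supplicant_mac
            self.failed_attempts = 0
            return "authorized"
        # Each failure is followed by the quiet period before the next attempt.
        self.failed_attempts += 1
        self.seconds_since_linkup += QUIET_PERIOD_SECONDS
        feature_active = self.auth_fail_vlan is not None and self.single_auth_mode
        if feature_active and self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Move to the authentication failure VLAN: only this MAC is allowed
            # on the port from now on, and the failed-attempts counter is reset.
            self.state = "auth_fail_vlan"
            self.vlan = self.auth_fail_vlan
            self.allowed_mac = supplicant_mac
            self.failed_attempts = 0
            return "moved-to-auth-fail-vlan"
        return "retry-after-quiet-period"

    def frame_seen(self, src_mac: str) -> bool:
        """Single-MAC rule on an auth-fail VLAN port: any other source MAC is a security violation."""
        if self.state == "auth_fail_vlan" and src_mac != self.allowed_mac:
            self.violations.append(src_mac)
            return False
        return True


def simulate_three_failures(auth_fail_vlan: Optional[int] = 40) -> Dot1xPort:
    """Constructed scenario: one supplicant fails three times in a row after linkup."""
    port = Dot1xPort(name="3/1", auth_fail_vlan=auth_fail_vlan)
    port.linkup()
    for _ in range(MAX_FAILED_ATTEMPTS):
        port.authentication_result("00:11:22:33:44:55", success=False)
    return port


if __name__ == "__main__":
    p = simulate_three_failures()
    print(p.state, p.vlan, p.failed_attempts, p.seconds_since_linkup)
    print(p.frame_seen("aa:bb:cc:dd:ee:ff"), p.violations)
```

Running the scenario shows the 3-minute delay the guidelines describe (three quiet periods of 60 seconds), the counter reset once the port is in the authentication failure VLAN, and the security violation raised when a second MAC address appears on that port. Calling `simulate_three_failures(None)` shows a port without the feature, which simply stays unauthorized with its counter at 3.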