1-13
z The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server
sends the switch an Access-Accept packet with the Termination-Action attribute field of 1. Upon
receiving the packet, the switch re-authenticates the user periodically.
z You enable 802.1x re-authentication on the switch. With 802.1x re-authentication enabled, the
switch re-authenticates users periodically.
802.1x re-authentication will fail if a CAMS server is used and configured to perform authentication but
not accounting. This is because a CAMS server establishes a user session after it begins to perform
accounting. Therefore, to enable 802.1x re-authentication, do not configure the accounting none
command in the domain. This restriction does not apply to other types of servers.
Introduction to 802.1x Configuration
802.1x provides a solution for authenticating users. To implement this solution, you need to execute
802.1x-related commands. You also need to configure AAA schemes on switches and specify the
authentication scheme (RADIUS or local authentication scheme).
Figure 1-11 802.1x configuration
ISP domain
configuration AAA scheme
Local
authentication
RADIUS
scheme
802.1x
configuration
ISP domain
configuration AAA scheme
Local
authentication
RADIUS
scheme
802.1x
configuration
z 802.1x users use domain names to associate with the ISP domains configured on switches
z Configure the AAA scheme (a local authentication scheme or a RADIUS scheme) to be adopted in
the ISP domain.
z If you specify to use a local authentication scheme, you need to configure the user names and
passwords manually on the switch. Users can pass the authentication through 802.1x client if they
provide user names and passwords that match those configured on the switch.
z If you specify to adopt the RADIUS scheme, the supplicant systems are authenticated by a remote
RADIUS server. In this case, you need to configure user names and passwords on the RADIUS
server and perform RADIUS client-related configuration on the switches.
z You can also specify to adopt the RADIUS authentication scheme, with a local authentication
scheme as a backup. In this case, the local authentication scheme is adopted when the RADIUS
server fails.
Refer to the AAA Operation for detailed information about AAA scheme configuration.