10-5
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
78-11380-10
Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication
received. The switch requests the identity of the client and begins relaying authentication messages
between the client and the authentication server. Each client attempting to access the network is
uniquely identified by the switch by using the client’s MAC address.
If the client is successfully authenticated (receives an Accept frame from the authentication server), the
port state changes to authorized, and all frames from the authenticated client are allowed through the
port. If the authentication fails, the port remains in the unauthorized state, but authentication can be
retried. If the authentication server cannot be reached, the switch can resend the request. If no response
is received from the server after the specified number of attempts, authentication fails, and network
access is not granted.
When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the
unauthorized state.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port
returns to the unauthorized state.
802.1x Accounting
The IEEE 802.1x standard defines how users are authorized and authenticated for network access but
does not keep track of network usage. 802.1x accounting is disabled by default. You can enable 802.1x
accounting to monitor this activity on 802.1x-enabled ports:
User successfully authenticates.
User logs off.
Link-down occurs.
Re-authentication successfully occurs.
Re-authentication fails.
The switch does not log 802.1x accounting information. Instead, it sends this information to the
RADIUS server, which must be configured to log accounting messages.
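The port-state transitions described above (Accept, Reject, no server response after the allowed number of attempts, EAPOL-logoff, link down) and the five accounting events listed for this section, modelled together as an added Python example. This is not code from the Cisco guide; the class and method names, the "reauth" detection and the value of max_attempts are the author's own assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Dot1xPort:
    """Authenticator-side model of one 802.1x switch port (constructed example)."""
    max_attempts: int = 3                 # assumed "specified number of attempts"
    state: str = "unauthorized"
    client_mac: Optional[str] = None
    accounting: List[str] = field(default_factory=list)  # what would be sent to RADIUS

    def link_up(self, mac: str) -> str:
        # Point-to-point topology: the switch learns the single client when the link comes up.
        self.client_mac, self.state = mac, "unauthorized"
        return self.state

    def authenticate(self, server_replies: List[Optional[str]]) -> str:
        """Relay EAP to the server. Each entry is 'accept', 'reject' or None
        (no response, so the request is resent until max_attempts is exhausted)."""
        if self.client_mac is None:
            return self.state
        reauth = self.state == "authorized"        # a second run is a re-authentication
        for reply in server_replies[: self.max_attempts]:
            if reply == "accept":
                self.state = "authorized"
                self.accounting.append("reauth-success" if reauth else "auth-success")
                return self.state
            if reply == "reject":
                break                              # failed: stay unauthorized, retry allowed
        # Reject, or no answer after max_attempts: network access is not granted.
        self.state = "unauthorized"
        if reauth:
            self.accounting.append("reauth-fail")
        return self.state

    def eapol_logoff(self) -> str:
        # Client sent EAPOL-logoff: port returns to unauthorized.
        self.state = "unauthorized"
        self.accounting.append("logoff")
        return self.state

    def link_down(self) -> str:
        # Link transition up -> down: port returns to unauthorized and forgets the client.
        self.state, self.client_mac = "unauthorized", None
        self.accounting.append("link-down")
        return self.state
```

Note that the model never logs accounting locally; the list stands in for the records the switch would forward to the RADIUS server.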
Supported Topologies
The 802.1x port-based authentication is supported in two topologies:
Point-to-point
Wireless LAN
In a point-to-point configuration (see Figure 10-1 on page 10-2), only one client can be connected to the
802.1x-enabled switch port. The switch detects the client when the port link state changes to the up state.
If a client leaves or is replaced with another client, the switch changes the port link state to down, and
the port returns to the unauthorized state.
Figure 10-3 shows 802.1x port-based authentication in a wireless LAN. The 802.1x port is configured
as a multiple-hosts port that becomes authorized as soon as one client is authenticated. When the port is
authorized, all other hosts indirectly attached to the port are granted access to the network. If the port
becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch
denies access to the network to all of the attached clients. In this topology, the wireless access point is
responsible for authenticating the clients attached to it, and the wireless access point acts as a client to
the switch.