10-8
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
78-11380-10
Chapter 10 Configuring 802.1x Port-Based Authentication
Understanding 802.1x Port-Based Authentication
If an 802.1x port is authenticated and placed in the VLAN assigned by the RADIUS server, any subsequent
change to the port's access VLAN configuration does not take effect while that authorization stands.
The 802.1x with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with
dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment, you need to perform these tasks:
Enable AAA authorization (the switch applies the returned VLAN only when network authorization is enabled).
Enable 802.1x (the VLAN assignment feature is automatically enabled when you configure 802.1x
on an access port).
Configure the tunnel attributes on the RADIUS server. These are the standard IETF tunnel attributes defined
in RFC 2868 (attributes 64, 65, and 81), not Cisco vendor-specific attributes. The RADIUS server must return
all three of them in the Access-Accept to the switch:
[64] Tunnel-Type = VLAN
[65] Tunnel-Medium-Type = 802
[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802
(type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1x-authenticated
user. If any of the three is missing or inconsistent, the port stays in its configured access VLAN.
For examples of tunnel attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS
Attributes” section on page 9-29.
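The three attributes above are listed by name and value, but the guide does not show how they are carried on the wire. The following is an added example (not code from the configuration guide or from Cisco) that encodes them the way a RADIUS server places them in an Access-Accept, following the RFC 2868 tagged format (one tag octet followed by a 3-octet integer for Tunnel-Type and Tunnel-Medium-Type; an optional tag octet followed by a string for Tunnel-Private-Group-ID), and then decodes them the way an authenticator must: the VLAN is accepted only when Tunnel-Type is 13, Tunnel-Medium-Type is 6, and a Tunnel-Private-Group-ID carrying the same tag is present. The function names, the sample VLAN IDs and names, and the choice to require matching tags are this example's own assumptions.

```python
"""Encode and decode the RFC 2868 tunnel attributes that a RADIUS server returns to
assign an 802.1x-authenticated port to a VLAN. Added example, not the guide's own code."""
import struct

TUNNEL_TYPE = 64               # [64] Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # [65] Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # [81] Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6          # Tunnel-Medium-Type value "802"


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: Type, Length=6, Tag octet, 3-octet big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag or 0) + value.to_bytes(3, "big")


def tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string; tag=None emits the string with no tag octet."""
    body = (b"" if tag is None else bytes([tag])) + text.encode("ascii")
    if len(body) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def build_vlan_assignment(vlan, tag=1):
    """Server side: the three attributes an Access-Accept must carry.
    `vlan` may be a VLAN ID (int) or a VLAN name (str); tag=None sends them untagged."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_attributes(data):
    """Walk a RADIUS attribute list (Type, Length, Value TLVs) and return (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def assigned_vlan(data):
    """Switch side: return the VLAN ID (int) or VLAN name (str) from the Access-Accept
    attributes, or None when the three tunnel attributes are absent or inconsistent
    (the port then stays in its configured access VLAN). Attributes are grouped by tag,
    as RFC 2868 groups attributes that belong to one tunnel; other attributes are ignored."""
    by_tag = {}
    for atype, value in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:          # tag octet + 3-octet integer, nothing else
                return None
            by_tag.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet of 0x00-0x1F is a tag; anything larger is part of the string.
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            by_tag.setdefault(tag, {})[atype] = text.decode("ascii", "replace")
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            group = attrs[TUNNEL_PRIVATE_GROUP_ID]
            return int(group) if group.isdigit() else group
    return None


if __name__ == "__main__":
    # Constructed sample: a server assigning VLAN 100 and a server assigning VLAN "engineering".
    print(build_vlan_assignment(100).hex())
    print(assigned_vlan(build_vlan_assignment(100)), assigned_vlan(build_vlan_assignment("engineering")))
```

Note that `assigned_vlan` treats a Tunnel-Medium-Type other than 802, or a Tunnel-Type other than VLAN, as "no assignment" rather than as an error; that mirrors the fallback the guide describes (the port keeps its configured access VLAN) and avoids letting a misconfigured server knock an otherwise authenticated port offline.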
Using 802.1x with Guest VLAN
For switches running the EI, you can configure a guest VLAN for each 802.1x port on the switch to
provide limited services to clients that cannot yet authenticate (for example, a server from which to
download an 802.1x client). These clients might be upgrading their system for 802.1x authentication, and
some hosts, such as Windows 98 systems, might not be 802.1x-capable at all.
If a guest VLAN is configured on an 802.1x port, the switch assigns clients on that port to the guest VLAN
when one of these situations occurs:
The switch does not receive a response to the EAPOL request/identity frames it sends on the port (EAPOL
is exchanged between the switch and the client; the authentication server never sees these frames).
The client does not send 802.1x EAPOL packets.
The client sends new 802.1x EAPOL packets, but authentication fails.
Any number of hosts are allowed access once the switch port is moved to the guest VLAN; because none of
them has authenticated, the guest VLAN should carry only the limited services described above. If an
802.1x-capable host joins the same port on which the guest VLAN is configured, the port is put into the
unauthorized state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1x ports in single-host and multiple-hosts modes.
You can configure any VLAN, except RSPAN VLANs or voice VLAN IDs (VVIDs), as an 802.1x guest
VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
For configuration steps, see the “Configuring a Guest VLAN” section on page 10-18.