9-9
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Using IEEE 802.1x Authentication with Restricted VLAN
You can configure a restricted VLAN for each IEEE 802.1x port on a switch to provide limited services
to clients that cannot access the guest VLAN. These clients are IEEE 802.1x-compliant and cannot
access another VLAN because they fail the authentication process. A restricted VLAN allows users
without valid credentials in an authentication server (typically, visitors to an enterprise) to access a
limited set of services. The administrator can control the services available to the restricted VLAN.
Note You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide
the same services to both types of users.
Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains
in the spanning-tree blocking state. With this feature, you can configure the switch port to be in the
restricted VLAN after a specified number of authentication attempts (the default value is 3 attempts).
The authenticator keeps a count of failed authentication attempts for the client. When this count exceeds
the configured maximum number of authentication attempts, the port moves to the restricted VLAN. The
failed attempt count is incremented when RADIUS replies with either an EAP failure or an empty
response that contains no EAP packet. When the port moves into the restricted VLAN, the failed attempt
counter resets.
Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A
port in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If
re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the
port moves to either the configured VLAN or to a VLAN sent by the RADIUS server. You can disable
re-authentication. If you do this, the only way to start the authentication process again is for the port to
receive a link down or EAP logoff event. We recommend that you keep re-authentication enabled if a
client might connect through a hub. When a client disconnects from the hub, the port might not receive
the link down or EAP logoff event.
After a port moves to the restricted VLAN, it sends a simulated EAP success message to the client. This
prevents clients from attempting authentication indefinitely. Some clients (for example, devices running
Windows XP) cannot implement DHCP without EAP success.
Restricted VLANs are supported only on IEEE 802.1x ports in single-host mode and on Layer 2 ports.
You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x
restricted VLAN. The restricted VLAN feature is not supported on trunk ports; it is supported only on
access ports.
This feature works with port security. As soon as the port is authorized, a MAC address is provided to
port security. If port security does not permit the MAC address or if the maximum secure address count
is reached, the port becomes unauthorized and error disabled.
Other port security features such as Dynamic ARP Inspection, DHCP snooping, and IP source guard can
be configured independently on a restricted VLAN.
For more information, see the “Configuring a Restricted VLAN” section on page 9-24.