10-30
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
802.1x Authentication with MAC Authentication Bypass
You can configure the switch to authorize clients based on the client MAC address (see Figure 10-2 on
page 10-5) by using the MAC authentication bypass feature. For example, you can enable this feature
on 802.1x ports connected to devices such as printers.
If 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries
to authorize the client by using MAC authentication bypass.
When the MAC authentication bypass feature is enabled on an 802.1x port, the switch uses the MAC
address as the client identity. The authentication server has a database of client MAC addresses that are
allowed network access. After detecting a client on an 802.1x port, the switch waits for an Ethernet
packet from the client. The switch sends the authentication server a RADIUS-access/request frame with
a username and password based on the MAC address. If authorization succeeds, the switch grants the
client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one
is configured.
If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines
that the device connected to that interface is an 802.1x-capable supplicant and uses 802.1x
authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if
the interface link status goes down.
If the switch already authorized a port by using MAC authentication bypass and detects an 802.1x
supplicant, the switch does not unauthorize the client connected to the port. When re-authenticati on
occurs, the switch uses 802.1x authentication as the pre ferred re-authentication process if the previous
session ended because the Termination-Action RADIUS attribute value is DEFAULT.
Clients that were authorized with MAC authentication bypass can be re-authenticated. The
re-authentication process is the same as that for clients that were authenticated with 802.1x. During
re-authentication, the port remains in the previously assigned VLAN. If re-authentication is successful,
the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the port to the
guest VLAN, if one is configured.
If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the
Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute
(Attribute [29]) action is Initialize, (the attribute value is DEFAULT), the MAC authentication bypass
session ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled
and the 802.1x authentication times out, the switch uses the MAC authentication bypass feature to
initiate re-authorization. For more information about these AV pairs, see RFC 3580, “802.1X Remote
Authentication Dial In User Service (RADIUS) Usage Guidelines.”
MAC authentication bypass interacts with the features:
802.1x authentication—You can enable MAC authentication bypass only if 802.1x authentication is
enabled on the port.
Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a
guest VLAN if one is configured.
Restricted VLAN—This feature is not supported when the client connected to an 802. lx port is
authenticated with MAC authentication bypass.
Port security—See the “802.1x Authentication with Port Security” section on page 10-28.
Voice VLAN—See the “802.1x Authentication with Voice VLAN Ports” section on page 10-27.
VLAN Membership Policy Server (VMPS)—802.1x and VMPS are mutually excl usive.
Private VLAN—You can assign a client to a private VLAN.
For more configuration information, see the Authentication Manager” section on page 10-8.