9-3
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter9 Configuring IEEE 802 . 1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication
Authentication Protocol (EAP) extensions is the only supported authentication server. I t is a va ilable
in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server
model in which secure authentication information is exchanged between the RADIUS server and
one or more RADIUS clients.
Switch (edge switch or wireless access point)—controls the physical access to the network based on
the authentication status of the client. The switch acts as an intermediary (proxy) betwee n the cli ent
and the authentication server, requesting identity information from the client, verifying that
information with the authentication server, and relaying a response to the client. The switch includes
the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and
interacting with the authentication server. (The switch is the authenticator in the IEEE 802.1x
standard.)
When the switch receives EAPOL frames and relays them to the authentication se rver, the Ethernet
header is stripped, and the remaining EAP frame is re-encapsulated in the RADIUS format. The
EAP frames are not modified during encapsulation, and the authentication server must support EAP
within the native frame format. When the switch receives frames from the authenticat ion serv er, the
server’s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet
and sent to the client.
The devices that can act as intermediaries include the Catalyst 3750-E, Catalyst 3750,
Catalyst 3560-E, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2955,
Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running
software that supports the RADIUS client and IEEE 802.1x authentication.
Authentication Process
When IEEE 802.1x port-based authentication is enabled and t he client supports IEEE 802.1x-compliant
client software, these events occur:
If the client identity is valid and the IEEE 802.1x authentication succee ds, the swit ch g ra nts t he
client access to the network.
If IEEE 802.1x authentication times out while waiting for an EAPOL message exchange and MAC
authentication bypass is enabled, the switch can use the client MAC address for authorization. If the
client MAC address is valid and the authoriza tion su cceeds, the switch grants the cli ent acce ss to the
network. If the client MAC address is invalid and the authorization fails, the switch assigns the client
to a guest VLAN that provides limited services if a guest VLA N i s configur ed.
If the switch gets an invalid identity from an IEEE 802.1x-capable client and a restricted VLAN is
specified, the switch can assign the client to a restricted VLAN that provides limited services.
If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass
is enabled, the switch grants the client access to the network by putting the port in the
critical-authentication state in the RADIUS-configured or the user-specified access VLAN.
Note Inaccessible authentication bypass is also referred to as critical authentication or the AAA fail
policy.