9-4
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Figure 9-2 shows the authentication process.If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with so me except ions that are applicable to voice authorization. For more information on MDA, see “Using Multidomain Authentication” section on page 9-20.
Figure9-2 Authentication Flowchart
The switch re-authenticates a client when one of these situations occurs:
Periodic re-authentication is enabled, and the re-authenti cat ion tim er expir es.
You can configure the re-authentication timer to use a switch-specific value or to be based on values from the RADIUS server.After IEEE 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]).
141679
Yes
No
Client
identity is
invalid
All authentication
servers are down. All authentication
servers are down.
Client
identity is
valid
The switch gets an
EAPOL message,
and the EAPOL
message
exchange begins.
Yes No
1
1
1
1 = This occurs if the switch does not detect EAPOL packets from the client.
Client MAC
address
identity
is invalid.
Client MAC
address
identity
is valid.
Is the client IEEE
802.1x capable?
Start IEEE 802.1x port-based
authentication.
Use inaccessible
authentication bypass
(critical authentication)
to assign the critical
port to a VLAN.
IEEE 802.1x authentication
process times out. Is MAC authentication
bypass enabled?
Use MAC authentication
bypass.
Assign the port to
a guest VLAN.
Start
Done
Assign the port to
a VLAN.
Done
Done
Assign the port to
a VLAN.
Done
Assign the port to
a restricted VLAN.
Done