Cisco Systems 3130 IEEE 802.1x Host Mode

9-8

Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide

OL-13270-01

Chapter9 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

If IP connectivity to the RADIUS server is interrupted because the switch that was connected to the

server is removed or fails, these events occur:

•Ports that are already authenticated and that do not have periodic re-authentication enabled remain

in the authenticated state. Communication with the RADIUS server is not required.

•Ports that are already authenticated and that have periodic re-aut henticat ion enabled (wi th the dot1x

re-authentication global configuration command) fail the authentication process when the

re-authentication occurs. Ports return to the unauthenticated stat e du ring th e r e-au then tica tio n

process. Communication with the RADIUS server is required.

For an ongoing authentication, the authentication fails immediately because there is no server

connectivity.

If the switch that failed comes up and rejoins the switch stack, the authentications might or might not

fail depending on the boot-up time and whether the connectivity to the RADIUS server is re-established

by the time the authentication is attempted.

To avoid loss of connectivity to the RADIUS server, you should ensure that there is a redundant

connection to it. For example, you can have a redun da nt co nn ection to the stack master and another to a

stack member, and if the stack master fails, the switch stack still has connectivity to the RADIUS server.

IEEE 802.1x Host Mode

Note The switch is usually not configured in the network configuration shown in Figure 9-5.

You can configure an IEEE 802.1x port for single-host or for multiple-hosts mode. In single-host mode

(see Figure9-1 on pa ge 9-2), only one client can be connected to the IEEE 802.1x-enabled switch port.

The switch detects the client by sending an EAPOL frame when the port link state changes to the up

state. If a client leaves or is replaced with another client, the switch changes the port link state to down,

and the port returns to the unauthorized state.

In multiple-hosts mode, you can attach multiple hosts to a single IEEE 802.1x-enabled port. Figure9-5

on page 9-9 shows IEEE 802.1x port-based authentication in a wireless LAN. In this mode, only one of

the attached clients must be authorized for all clients to be granted network access. If the port becomes

unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies

network access to all of the attached clients. In this topology, the wireless access point is responsible for

authenticating the clients attached to it, and it also acts as a client to the switch.

With the multiple-hosts mode enabled, you can use IEEE 802.1x authentication to authenticate the port

and port security to manage network access for all MAC addresses, including that of the client.