Cisco Systems 3130 Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass

9-15

Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide

OL-13270-01

Chapter9 Configuring IEEE 802 . 1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication

After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This

prevents clients from indefinitely attempting authentication. Some clients (for example, devices runn ing

Windows XP) cannot implement DHCP without EAP success.

Restricted VLANs are supported only on IEEE 802.1x ports in single -h ost m ode a nd o n La yer 2 po rt s.

You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice

VLAN as an IEEE 802.1x restricted VLAN. The restri ct ed VLA N fe atur e is n ot su ppo rted on i nte rn al

VLANs (routed ports) or trunk ports; it is supported only on ac cess po rts.

This feature works with port security. As soon as the port is authorized, a MAC addre ss is provide d to

port security. If port security does not permit the MAC address or if the maximum secure address count

is reached, the port becomes unauthorized and error disabled.

Other port security features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can

be configured independently on a restricted VLAN.

For more information, see the “Configuring a Restricted VLAN” section on page 9-35.

Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass

When the switch cannot reach the configured RADIUS servers and hosts ca nno t be a uthe nti cat ed, yo u

can configure the switch to allow network access to the hosts connected to critical ports. A critical port

is enabled for the inaccessible authentication bypass feature, also referred to as critical authentication

or the AAA fail policy.

When this feature is enabled, the switch checks the status of the configured RADIUS servers whenever

the switch tries to authenticate a host connected to a critical port. If a server is available, the switch can

authenticate the host. However, if all the RADIUS servers are unavailable, the switch grants network

access to the host and puts the port in the critical-authentication state, which is a special case of the

authentication state.

The behavior of the inaccessible authentication bypass feature depends on the authorization state of th e

port:

•If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers

are unavailable, the switch puts the port in the critical-authentication state in the

RADIUS-configured or user-specified access VLAN.

•If the port is already authorized and re-authentication occurs, the switch puts the critical port in the

critical-authentication state in the current VLAN, which might be the one previously assigned by

the RADIUS server.

•If the RADIUS server becomes unavailable during an authentication exchange, the current

exchanges times out, and the switch puts the critical port in the critical-authentication state during

the next authentication attempt.

When a RADIUS server that can authenticate the host is available, all critical ports in the

critical-authentication state are automatically re-authenticated.