Cisco Systems 3130

9-19

Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide

OL-13270-01

Chapter9 Configuring IEEE 802 . 1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication

frame with a username and password based on the MAC address. If author izat ion suc ceeds, the sw itch

grants the client access to the network. If authorization fails, the switch assigns the port to the guest

VLAN if one is configured.

If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines

that the device connected to that interface is an IEEE 802.1x -cap ab le suppl ic an t an d use s I EE E 802 .1x

authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if

the interface link status goes down.

If the switch already authorized a port by using MAC authentication bypass and detects an IEEE 802.1x

supplicant, the switch does not unauthorize the client connected to the port. When re-authenticati on

occurs, the switch uses IEEE 802.1x authentication as the p refe rred re -aut hent ic ati on pr oc ess if the

previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.

Clients that were authorized with MAC authentication bypass can be re-authenticated. The

re-authentication process is the same as that for clients that were authenticated with IE EE 802. 1x.

During re-authentication, the port remains in the previously assigned VLAN. If re-authentication is

successful, the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the

port to the guest VLAN, if one is configured.

If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the

Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute

(Attribute [29]) action is Initialize, (the attribute value is DEFAULT), the MAC authentication bypass

session ends, and connectivity i s lost during re-authentication. If MAC authentication bypass is ena bled

and the IEEE 802.1x authentication times out, the switch uses the MAC authenticatio n b ypass fea ture to

initiate re-authorization. For more information about these AV pairs, see RFC 3580, “IEEE 802.1X

Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.”

MAC authentication bypass interacts with the features:

•IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x

authentication is enabled on the port.

•Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a

guest VLAN if one is configured.

•Restricted VLAN—This feature is not supported when th e client connected to an IEEE 802.lx port

is authenticated with MAC authentication bypass.

•Port security—See the “Using IEEE 802.1x Authentication with Port Security” section on

page 9-17.

•Voice VLAN—See the “Using IEEE 802.1x Authentication with Voice VLAN Ports” section on

page 9-16.

•VLAN Membership Policy Server (VMPS)—IEEE802.1x and VMPS are mutual ly exclusive.

•Private VLAN—You can assign a client to a private VLAN.

•Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an

IEEE 802.1x port is authenticated with MAC authentication bypass, including hosts in t he exception

list.