Cisco Systems 3130 Configuring IEEE 802.1x Authentication

9-26

Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide

OL-13270-01

Chapter9 Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Authentication

the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period

interface configuration commands). The amount to decrease the settings depends on t he conne cte d

IEEE 802.1x client type.

•When configuring the inaccessible authentication bypass feature, follow these guidelines:

–

The feature is supported on IEEE 802.1x port in single-host m ode and m ultih osts mode .

–

If the client is running Windows XP and the port to which the client is connected is in the

critical-authentication state, Windows XP might report that the interface is not authenticated.

–

If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,

receiving an EAP-Success message on a critical port might not re-initiate the DHCP

configuration process.

–

You can configure the inaccessible authentication bypass feature and the restricted VLAN on

an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN

and all the RADIUS servers are unavailable, switch changes the port state to the critical

authentication state and remains in the restricted VLAN.

–

You can configure the inaccessible bypass feature and port security on the same switch port.

•You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x

restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports)

or trunk ports; it is supported only on access ports.

MAC Authentication Bypass

These are the MAC authentication bypass configuration guidelines:

•Unless otherwise stated, the MAC authentication bypass guidelines are the same as the IEEE 802.1x

authentication guidelines. For more information, see the “IEEE 802.1x Authentication” section on

page 9-24.

•If you disable MAC authentication bypass from a port after the port ha s b een au thori ze d wi th its

MAC address, the port state is not affected.

•If the port is in the unauthorized state and the client MAC address is not the authentication-server

database, the port remains in the unauthorized state. However , if the clien t MAC address is added to

the database, the switch can use MAC authentication bypass to re-authorize the port.

•If the port is in the authorized state, the port remains in this state until re-authorization occurs.

Configuring IEEE 802.1x Authentication

To configure IEEE 802.1x port-based authentication, you must enable authentication, authorizati on, and

accounting (AAA) and specify the authentication method list. A method list describes the sequence and

authentication method to be queried to authenticate a user.

To allow per-user ACLs or VLAN assignment, you must enable AAA auth oriz ati on t o configur e th e

switch for all network-related service requests.

This is the IEEE 802.1x AAA process:

Step1 A user connects to a port on the switch.

Step2 Authentication is performed.

Step3 VLAN assignment is enabled, as appropriate, based on the RA DIU S se r ver configura tio n.