Cisco Systems 3560 Authentication Initiation and Message Exchange

10-5

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during

re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the

attribute value is DEFAULT), the 802.1x session ends, and connectivity is lost during

re-authentication. When the ReAuthenticate action is set (the attribute value is RADIUS-Request),

the session is not affected during re-authentication.

• You manually re-authenticate the client by entering the dot1x re-authenticate interface

interface-id privileged EXEC command.

If Multidomain authentication (MDA) is enabled on a port, this flow can be used with some exceptions

that are applicable to voice authorization. For more information on MDA, see “Multidomain

Authentication” section on page 10-11.

Authentication Initiation and Message Exchange

During 802.1x authentication, the switch or the client can initiate authentication. If you enable

authentication on a port by using the authentication port-control auto or dot1x port-control auto

interface configuration command, the switch initiates authentication when the link state changes from

down to up or periodically as long as the port remains up and unauthenticated. The switch sends an

EAP-request/identity frame to the client to request its identity. Upon receipt of the frame, the client

responds with an EAP-response/identity frame.

However, if during boot up, the client does not receive an EAP-request/identity frame from the switch,

the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to

request the client’s identity.

Note If 802.1x authentication is not enabled or supported on the network access device, any EAPOL frames

from the client are dropped. If the client does not receive an EAP-request/identity frame after three

attempts to start authentication, the client sends frames as if the port is in the authorized state. A port in

the authorized state effectively means that the client has been successfully authenticated. For more

information, see the “Ports in Authorized and Unauthorized States” section on page 10-9.

When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames

between the client and the authentication server until authentication succeeds or fails. If the

authentication succeeds, the switch port becomes authorized. If the authentication fails, authentication

can be retried, the port might be assigned to a VLAN that provides limited services, or network access

is not granted. For more information, see the “Ports in Authorized and Unauthorized States” section on

page 10-9.

The specific exchange of EAP frames depends on the authentication method being used. Figure 10-3

shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP)

authentication method with a RADIUS server.