Cisco Systems 3560 802.1x Readiness Check, 802.1x Authentication with VLAN Assignment

10-14

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

802.1x Readiness Check

The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information

about the devices connected to the ports that support 802.1x. You can use this feature to determine if the

devices connected to the switch ports are 802.1x-capable. You use an alternate authentication such as

MAC authentication bypass or web authentication for the devices that do not support 802.1x

functionality.

This feature only works if the supplicant on the client supports a query with the NOTIFY EAP

notification packet. The client must respond within the 802.1x timeout value.

For information on configuring the switch for the 802.1x readiness check, see the “Configuring 802.1x

Readiness Check” section on page 10-34.

802.1x Authentication with VLAN Assignment

The RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server

database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of

the client connected to the switch port. You can use this feature to limit network access for certain users.

Voice device authentication is supported with multidomain host mode in Cisco IOS Release 12.2(37)SE.

In Cisco IOS Release 12.2(40)SE and later, when a voice device is authorized and the RADIUS server

returned an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on

the assigned voice VLAN. Voice VLAN assignment behaves the same as data VLAN assignment on

multidomain authentication (MDA)-enabled ports. For more information, see the “Multidomain

Authentication” section on page 10-11.

When configured on the switch and the RADIUS server, 802.1x authentication with VLAN assignment

has these characteristics:

• If no VLAN is supplied by the RADIUS server or if 802.1x authentication is disabled, the port is

configured in its access VLAN after successful authentication. Recall that an access VLAN is a

VLAN assigned to an access port. All packets sent from or received on this port belong to this

VLAN.

• If 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid,

authorization fails and configured VLAN remains in use. This prevents ports from appearing

unexpectedly in an inappropriate VLAN because of a configuration error.

Configuration errors could include specifying a malformed VLAN ID, a nonexistent VLAN ID, an

RSPAN VLAN, a shut down or suspended VLAN. In the case of a mutlidomain host port,

configuration errors can also be due to an attempted assignment of a data VLAN that matches the

configured or assigned voice VLAN ID (or the reverse).

• If 802.1x authentication is enabled and all information from the RADIUS server is valid, the

authorized device is placed in the specified VLAN after authentication.

• If the multiple-hosts mode is enabled on an 802.1x port, all hosts are placed in the same VLAN

(specified by the RADIUS server) as the first authenticated host.

• Enabling port security does not impact the RADIUS server-assigned VLAN behavior.

• If 802.1x authentication is disabled on the port, it is returned to the configured access VLAN and

configured voice VLAN.

• If an 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the

port access VLAN configuration does not take effect. In the case of a multidomain host, the same

applies to voice devices when the port is fully authorized with these exceptions: