Cisco Systems 3560 802.1x Authentication with Inaccessible Authentication Bypass

10-19

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

restricted VLAN allows users without valid credentials in an authentication server (typically, visitors to

an enterprise) to access a limited set of services. The administrator can control the services available to

the restricted VLAN.

Note You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide

the same services to both types of users.

Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains

in the spanning-tree blocking state. With this feature, you can configure the switch port to be in the

restricted VLAN after a specified number of authentication attempts (the default value is 3 attempts).

The authenticator counts the failed authentication attempts for the client. When this count exceeds the

configured maximum number of authentication attempts, the port moves to the restricted VLAN. The

failed attempt count increments when the RADIUS server replies with either an EAP failure or an empty

response without an EAP packet. When the port moves into the restricted VLAN, the failed attempt

counter resets.

Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A

port in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If

re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the

port moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable

re-authentication. If you do this, the only way to restart the authentication process is for the port to

receive a link down or EAP logoff event. We recommend that you keep re-authentication enabled if a

client might connect through a hub. When a client disconnects from the hub, the port might not receive

the link down or EAP logoff event.

After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This

prevents clients from indefinitely attempting authentication. Some clients (for example, devices running

Windows XP) cannot implement DHCP without EAP success.

Restricted VLANs are supported only on 802.1x ports in single-host mode and on Layer 2 ports.

You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice

VLAN as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs

(routed ports) or trunk ports; it is supported only on access ports.

This feature works with port security. As soon as the port is authorized, a MAC address is provided to

port security. If port security does not permit the MAC address or if the maximum secure address count

is reached, the port becomes unauthorized and error disabled.

Other port security features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can

be configured independently on a restricted VLAN.

For more information, see the “Configuring a Restricted VLAN” section on page 10-47.

802.1x Authentication with Inaccessible Authentication Bypass

When the switch cannot reach the configured RADIUS servers and hosts cannot be authenticated, you

can configure the switch to allow network access to the hosts connected to critical ports. A critical port

is enabled for the inaccessible authentication bypass feature, also referred to as critical authentication

or the AAA fail policy.