Cisco Systems 3560-X, 3750-X Support on Multiple-Authentication Ports, Authentication Results, Feature Interactions

11-21

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 11 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication

When a new host tries to connect to the critical port, that host is moved to a user-specified access VLAN,

the critical VLAN. The administrator gives limited authentication to the hosts.

When the switch tries to authenticate a host connected to a critical port, the switch checks the status of

the configured RADIUS server. If a server is available, the switch can authenticate the host. However, if

all the RADIUS servers are unavailable, the switch grants network access to the host and puts the port

in the critical-authentication state, which is a special case of the authentication state.

Support on Multiple-Authentication Ports

To support inaccessible bypass on multiple-authentication (multiauth) ports, you can use the

authentication event server dead action reinitialize vlan vlan-id. When a new host tries to connect to

the critical port, that port is reinitialized and all the connected hosts are moved to the user-specified

access VLAN.

The authentication event server dead action reinitialize vlan vlan-id interface configuration

command is supported on all host modes.

Authentication Results

The behavior of the inaccessible authentication bypass feature depends on the authorization state of the

port:

• If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers

are unavailable, the switch puts the port in the critical-authentication state in the

RADIUS-configured or user-specified access VLAN.

• If the port is already authorized and reauthentication occurs, the switch puts the critical port in the

critical-authentication state in the current VLAN, which might be the one previously assigned by

the RADIUS server.

• If the RADIUS server becomes unavailable during an authentication exchange, the current exchange

times out, and the switch puts the critical port in the critical-authentication state during the next

authentication attempt.

You can configure the critical port to reinitialize hosts and move them out of the critical VLAN when

the RADIUS server is again available. When this is configured, all critical ports in the

critical-authentication state are automatically re-authenticated. For more information, see the command

reference for this release and the “Configuring the Inaccessible Authentication Bypass Feature” on page

-53.

Feature Interactions

Inaccessible authentication bypass interacts with these features:

• Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest

VLAN is enabled on 8021.x port, the features interact as follows:

–

If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when

the switch does not receive a response to its EAP request/identity frame or when EAPOL

packets are not sent by the client.

–

If all the RADIUS servers are not available and the client is connected to a critical port, the

switch authenticates the client and puts the critical port in the critical-authentication state in the

RADIUS-configured or user-specified access VLAN.