Cisco Systems 3560-X, 3750-X 802.1x User Distribution

11-22

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 11 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

–

If all the RADIUS servers are not available and the client is not connected to a critical port, the

switch might not assign clients to the guest VLAN if one is configured.

–

If all the RADIUS servers are not available and if a client is connected to a critical port and was

previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.

• Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers

are unavailable, the switch puts the critical port in the critical-authentication state in the restricted

VLAN.

• 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.

• Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port.

The access VLAN must be a secondary private VLAN.

• Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the

RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.

• Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the

RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.

In a switch stack, the stack master checks the status of the RADIUS servers by sending keepalive

packets. When the status of a RADIUS server changes, the stack master sends the information to the

stack members. The stack members can then check the status of RADIUS servers when re-authenticating

critical ports.

If the new stack master is elected, the link between the switch stack and RADIUS server might change,

and the new stack immediately sends keepalive packets to update the status of the RADIUS servers. If

the server status changes from dead to alive, the switch re-authenticates all switch ports in the

critical-authentication state.

When a member is added to the stack, the stack master sends the member the server status.

802.1x User Distribution

You can configure 802.1x user distribution to load-balance users with the same group name across

multiple different VLANs.

The VLANs are either supplied by the RADIUS server or configured through the switch CLI under a

VLAN group name.

• Configure the RADIUS server to send more than one VLAN name for a user. The multiple VLAN

names can be sent as part of the response to the user. The 802.1x user distribution tracks all the users

in a particular VLAN and achieves load balancing by moving the authorized user to the least

populated VLAN.

• Configure the RADIUS server to send a VLAN group name for a user. The VLAN group name can

be sent as part of the response to the user. You can search for the selected VLAN group name among

the VLAN group names that you configured by using the switch CLI. If the VLAN group name is

found, the corresponding VLANs under this VLAN group name are searched to find the least

populated VLAN. Load balancing is achieved by moving the corresponding authorized user to that

VLAN.

Note The RADIUS server can send the VLAN information in any combination of VLAN-IDs, VLAN

names, or VLAN groups.