40-25
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 40 Configuring 802.1X Port-Based Authentication About 802.1X Port-Based Authentication
Host Authorization—Ensures that only traffic from authorized hosts (connecting to the switch with a supplicant) is allowed on the network. The switches use Client Information Signalling Protocol (CISP) to send the MAC addresses connecting the supplicant switch to the authenticator switch.
Auto enablement—Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs arising from supplicant switches. At the ACS, you must configure the Cisco AV pair as device-traffic-class=switch. For details on how to do this, see the “Configuring an Authenticator and a Supplicant Switch with NEAT” section on page 40-85.
How 802.1X Fails on a Port
802.1X may fail on a port in three ways: timeout, explicit failure, and protocol timeout.
Timeout—A switch attempts 802.1X at link up but the attached endpoint is not 802.1X-capable. After the configured number of retries and timeouts, the switch attempts the next authentication method if one is configured (such as MAB). If MAB fails, the switch deploys the Guest VLAN (also called the no-response VLAN), if configured. The Guest VLAN is configured with the authentication event no-response interface command.
Explicit Failure—A switch and the endpoint perform the entire 802.1X authentication sequence and the result is an explicit failure (usually indicated by an Access-Reject from the RADIUS server to the switch and an EAP-Failure sent from the switch to the endpoint). In this case, the switch attempts MAB (if "authentication event failure action next-method" is configured) or deploys the AuthFail VLAN (if "authentication event failure action authorize vlan" is configured).
Protocol Timeout—A switch and the endpoint start the 802.1X authentication process but do not complete it. For example, the endpoint may send an 802.1X EAPoL-Start message and then stop responding to the switch (perhaps because the endpoint lacks a credential or because it is waiting for the end user to enter some information). In this case, the switch knows that the connected device is EAPoL-capable, so it will not deploy the Guest VLAN after timing out. Instead, it restarts authentication after a timeout. The switch continues to label the port as EAPoL-capable until a physical link down event is detected. To force the switch to deploy the Guest VLAN in the case of a protocol timeout, configure dot1x guest-vlan supplicant globally. If the port is configured for host mode multi-domain authentication, the switch behaves as if dot1x guest-vlan supplicant is configured.
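The three failure paths above map onto a small set of port and global commands. The following is an added configuration example, not taken from this guide, showing a Guest VLAN for the timeout case, MAB as the next method for an explicit failure on one port, an AuthFail VLAN on a second port, and the global command that makes the Guest VLAN apply after a protocol timeout. The interface names, VLAN IDs, RADIUS server address and timer values are assumptions; the shared secret is a placeholder.

```cisco
! Added example (assumed values); adapt interface names, VLANs and timers to your deployment.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Placeholder RADIUS server and key: replace before use.
radius-server host 192.0.2.10 key RADIUS-KEY-PLACEHOLDER
dot1x system-auth-control
! Protocol timeout case: deploy the Guest VLAN even though the endpoint sent EAPoL,
! instead of restarting 802.1X indefinitely on an EAPoL-capable but silent host.
dot1x guest-vlan supplicant
!
! Port 1: timeout -> MAB -> Guest VLAN 100; explicit failure -> MAB (next-method).
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Timeout case: no EAPoL response after the retries below -> next method, then VLAN 100.
 authentication event no-response action authorize vlan 100
 ! Explicit failure case (Access-Reject): fall through to MAB rather than stranding the port.
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 ! Retry budget before the timeout path is taken (assumed values).
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Port 2: explicit failure -> AuthFail VLAN 200 (restricted access) instead of MAB.
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication event no-response action authorize vlan 100
 authentication event fail action authorize vlan 200
 dot1x pae authenticator
```

The two fail actions are alternatives for a given port: a port either tries the next method or is placed in the AuthFail VLAN. Keep the Guest and AuthFail VLANs (100 and 200 here) isolated by ACLs from the production VLAN, since hosts land in them precisely because they did not authenticate. Use show authentication sessions interface GigabitEthernet1/1 to confirm which path a host actually took (the method and the VLAN it was authorized into).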
Supported Topologies
The 802.1X port-based authentication supports two topologies:
Point-to-point
Wireless LAN
In a point-to-point configuration (see Figure 40-1 on page 40-3), only one client can be connected to the 802.1X-enabled switch port when the multiple-host mode is not enabled (the default). The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
For 802.1X port-based authentication in a wireless LAN (Figure 40-9), you must configure the 802.1X port as a multiple-host port that is authorized as a wireless access point once the client is authenticated. (See the “Resetting the 802.1X Configuration to the Default Values” section on page 40-92.) When the port is authorized, all other hosts that are indirectly attached to the port are granted access to the network. If the port becomes unauthorized (reauthentication fails or an EAPOL-logoff message is received), the