Cisco Systems IE3010 802.1x Authentication with Inaccessible Authentication Bypass

10-23

Cisco IE 3010 Switch Software Configuration Guide

OL-23145-01

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

Restricted VLANs are supported only on 802.1x ports in single-host mode and on Layer 2 ports.

You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice

VLAN as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on i nternal VLANs

(routed ports) or trunk ports; it is supported only on access ports.

This feature works with port security. As soon as the port is authorized, a MAC address is provided to

port security. If port security does not permit the MAC address or if the maximum secure address count

is reached, the port becomes unauthorized and error disabled.

Other port security features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can

be configured independently on a restricted VLAN.

For more information, see the “Configuring a Restricted VLAN” section on page 10-52.

802.1x Authentication with Inaccessible Authentication Bypass

Use the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA

fail policy, when the switch cannot reach the configured RADIUS servers and new hosts cannot be

authenticated. You can configure the switch to connect those hosts to critical ports.

When a new host tries to connect to the critical port, that host is moved to a user-specified access VLAN,

the critical VLAN. The administrator gives limited authentication to the hosts.

When the switch tries to authenticate a host connected to a critical port, the switch checks the status of

the configured RADIUS server. If a server is available, the switch can authenticate the host. However, if

all the RADIUS servers are unavailable, the switch grants network access to the host and puts the port

in the critical-authentication state, which is a special case of the authentication state.

To support inaccessible bypass on multiple-authentication (multiauth) ports, you can use the

authentication event server dead action reinitialize vlan vlan-id. When a new host tries to connect to

the critical port, that port is reinitialized and all the connected hosts are moved to the user-specified

access VLAN.

The authentication event server dead action reinitialize vlan vlan-id interface configuration

command is supported on all host modes.

The behavior of the inaccessible authentication bypass feature depends on the authorization state of th e

port:

• If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers

are unavailable, the switch puts the port in the critical-authentication state in the

RADIUS-configured or user-specified access VLAN.

• If the port is already authorized and reauthentication occurs, the switch puts the critical port in the

critical-authentication state in the current VLAN, which might be the one previously assigned by

the RADIUS server.

• If the RADIUS server becomes unavailable during an authentication exchange, the current exchange

times out, and the switch puts the critical port in the critical-authentication state during the next

authentication attempt.