13-4
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
The switch reauthenticates a client when one of these situations occurs:
• Periodic reauthentication is enabled, and the reauthentication timer expires. You can configure the reauthentication timer to use a switch-specific value or to be based on values from the RADIUS server. After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]).
  - The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which reauthentication occurs.
  - The Termination-Action RADIUS attribute (Attribute[29]) specifies the action to take during reauthentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the 802.1x session ends, and connectivity is lost during reauthentication. When the ReAuthenticate action is set (the attribute value is RADIUS-Request), the session is not affected during reauthentication.
• You manually reauthenticate the client by entering the dot1x re-authenticate interface interface-id privileged EXEC command.
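How the switch turns those two attributes into a reauthentication timer and action, as an added example that is not from the guide or from Cisco IOS: a small Python decoder for RADIUS attribute TLVs that applies the rules above to a constructed Access-Accept. Attribute numbers and the Termination-Action values (0 = Default, 1 = RADIUS-Request) follow RFC 2865; treating an absent Termination-Action as Default is this example's assumption.

```python
import struct

# RFC 2865 attribute types the guide refers to; both arrive in the RADIUS Access-Accept.
SESSION_TIMEOUT = 27      # integer: seconds until the switch reauthenticates the client
TERMINATION_ACTION = 29   # integer: 0 = Default (Initialize), 1 = RADIUS-Request (ReAuthenticate)

def parse_radius_attributes(blob: bytes) -> dict:
    """Decode RADIUS attribute TLVs (Type, Length, Value) into {type: [value bytes]}.
    Length includes the 2-byte header; a length below 2 or past the end of the
    buffer is a malformed packet and is rejected rather than silently skipped."""
    attrs, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.setdefault(atype, []).append(blob[pos + 2:pos + alen])
        pos += alen
    return attrs

def _integer(attrs: dict, atype: int):
    """First occurrence of a 4-byte integer attribute, or None if absent."""
    values = attrs.get(atype)
    if not values:
        return None
    if len(values[0]) != 4:
        raise ValueError(f"attribute {atype} is not a 4-byte integer")
    return struct.unpack("!I", values[0])[0]

def reauth_policy(attrs: dict, switch_timer: int) -> dict:
    """Timer and action the switch applies at reauthentication time.
    Session-Timeout overrides the switch-specific timer when present.
    Termination-Action RADIUS-Request keeps the session up; Default ends it.
    Treating an absent Termination-Action as Default is this example's assumption."""
    timeout = _integer(attrs, SESSION_TIMEOUT)
    action = _integer(attrs, TERMINATION_ACTION)
    return {
        "timer_seconds": switch_timer if timeout is None else timeout,
        "timer_source": "switch" if timeout is None else "radius",
        "action": "ReAuthenticate" if action == 1 else "Initialize",
        "session_kept": action == 1,
    }

# Constructed Access-Accept attributes: Session-Timeout = 3600, Termination-Action = RADIUS-Request.
SAMPLE_ACCEPT = bytes([27, 6, 0x00, 0x00, 0x0E, 0x10, 29, 6, 0x00, 0x00, 0x00, 0x01])

if __name__ == "__main__":
    print(reauth_policy(parse_radius_attributes(SAMPLE_ACCEPT), switch_timer=300))
```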
If multidomain authentication (MDA) is enabled on a port, this flow can be used with some exceptions that are applicable to voice authorization. For more information on MDA, see the “Multidomain Authentication” section on page 13-10.
Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, authentication—the second host entry configured acts as the failover backup to the first one. The RADIUS host entries are tried in the order in which they were configured.
Authentication Initiation and Message Exchange
During 802.1x authentication, the switch or the client can initiate authentication. If you enable authentication on a port by using the authentication port-control auto interface configuration command, the switch initiates authentication when the link state changes from down to up or periodically as long as the port remains up and unauthenticated. The switch sends an EAP-request/identity frame to the client to request its identity. Upon receipt of the frame, the client responds with an EAP-response/identity frame.
However, if during boot up the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client’s identity.