13-5
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Note If 802.1x authentication is not enabled or supported on the network access device, any EAPOL frames
from the client are dropped. If the client does not receive an EAP-request/identity frame after three
attempts to start authentication, the client sends frames as if the port is in the authorized state. A port in
the authorized state effectively means that the client has been successfully authenticated. For more
information, see the “Ports in Authorized and Unauthorized States” section on page 13-9 .
When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames
between the client and the authentication server until authentication succeeds or fails. If the
authentication succeeds, the switch port becomes authorized. If the authentication fails, authentication
can be retried, the port might be assigned to a VLAN th at provides limited services, or network access
is not granted. For more information, see the “Ports in Authorized and Unauthorized States” section on
page 13-9.
The specific exchange of EAP frames depends on the authent ication method being used. Figure 13-3
shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP)
authentication method with a RADIUS server.
Figure 13-3 Message Exchange
If 802.1x authentication times out while waiting for an EAPO L message exchange and MAC
authentication bypass is enabled, the switch can authorize the client when the switch detects an Ethernet
packet from the client. The switch uses the MAC address of the client as its identity and includes this
information in the RADIUS-access/request frame that is sent to the RADIUS server. After the server
sends the switch the RADIUS-access/accept frame (authorization is successful), the port becomes
authorized. If authorization fails and a guest VLAN is specified, the switch assigns the port to the guest
VLAN. If the switch detects an EAPOL packet while waiting for an Ethernet packet, the switch stops
the MAC authentication bypass process and stops 802.1x authentication.
101228
Client
Port Authorized
Port Un authorized
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity
EAP-Request/OTP
EAP-Response/OTP
EAP-Success
RADIUS Access-Request
RADIUS Access-Challenge
RADIUS Access-Request
RADIUS Access-Accept
EAPOL-Logoff
Authentication
server
(RADIUS)