Cisco Systems IE 2000 802.1x Authentication with Guest VLAN

13-20

Cisco IE 2000 Switch Software Configuration Guide

OL-25866-01

Chapter 13 Configuring IEEE 802.1x Port-Based Authentication

Information About Configuring IEEE 802.1x Port-Based Authentication

You can use VLAN ID-based MAC authentication if you want to authenticate hosts based on a static

VLAN ID instead of a downloadable VLAN. When you have a static VLAN policy configured on your

switch, VLAN information is sent to an IAS (Microsoft) RADIUS server along with the MAC address

of each host for authentication. The VLAN ID configured on the connected port is used for MAC

authentication. By using VLAN ID-based MAC authentication with an IAS server, you can have a fixed

number of VLANs in the network.

The feature also limits the number of VLANs monitored an d handled by STP. The network can be

managed as a fixed VLAN.

Note This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new

hosts and only authenticates based on the MAC address.)

For configuration information, see the “Configuring Optional 802.1x Authentication Features” section

on page 13-40. Additional configuration is similar MAC authentication bypass, as described in the

“Configuring 802.1x User Distribution” section on page 13-46.

802.1x Authentication with Guest VLAN

You can configure a guest VLAN for each 802.1x port on the switch to provide limited services to

clients, such as downloading the 802.1x client. These clients might be upgrading their system f or 802.1x

authentication, and some hosts, such as Windows 98 systems, might not be 802.1x-capable.

When you enable a guest VLAN on an 802.1x port, the switch assigns clients to a guest VLAN when the

switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not

sent by the client. The port is automatically set to multi-host mode.

The switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during

the lifetime of the link, the switch determines that the device connected to that interface is

an 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL

history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface,

the interface changes to the guest VLAN state.

If devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows

clients that fail authentication access to the guest VLAN.

If the switch is trying to authorize an 802.1x-capable voice device and the AAA server is unavailable,

the authorization attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history.

When the AAA server becomes available, the switch authorizes the voice device. However, the switch

no longer allows other devices access to the guest VLAN. To prevent this situation, use one of these

command sequences:

• Enter the authentication event no-response action authorize vlan vlan-id interface configuration

command to allow access to the guest VLAN.

• Enter the shutdown interface configuration command followed by the no shutdown interface

configuration command to restart the port.

Note If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts

to an unauthorized state, and 802.1x authentication restarts.