13-21
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Any number of 802.1x-incapable clients are allowed access when the switch port is moved to the guest
VLAN. If an 802.1x-capable client joins the same port on which the guest VLAN is configured, the port
is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1x ports in single host, multiple host, or multi-domain modes.
You can configure any active VLAN except an RSPAN VLAN, a private VLAN, or a voice VLAN as an
802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or
trunk ports; it is supported only on access ports.
The switch supports MAC authentication bypass. When MAC authentication bypass is enabled on an
802.1x port, the switch can authorize clients based on the client MAC address when 802.1x
authentication times out while waiting for an EAPOL message exchange. After detecting a client on an
802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication
server a RADIUS-access/request frame with a username and password based on the MAC address. If
authorization succeeds, the switch grants the client access to the network. If authorization fails, the
switch assigns the port to the guest VLAN if one is specified. For more information, see the “802.1x
Authentication with MAC Authentication Bypass” section on page 13-25.
For more information, see the “Configuring a Guest VLAN” section on page 13-42.
802.1x Authentication with Restricted VLAN
You can configure a restricted VLAN (also referred to as an authentication failed VLAN) for each 802.1x
port on a switch to provide limited services to clients that cannot access the guest VLAN. These clients
are 802.1x-compliant and cannot access another VLAN becaus e they fail the authentication process. A
restricted VLAN allows users without valid credentials in an authentication server (typically, visitors to
an enterprise) to access a limited set of services. The administrator can control the services available to
the restricted VLAN.
Note You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide
the same services to both types of users.
Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains
in the spanning-tree blocking state. With this feature, you can configure the switch port to be in the
restricted VLAN after a specified number of authentication attempts (the default value is 3 attempts).
The authenticator counts the failed authentication attempts for the client. When this count exceeds the
configured maximum number of authentication attempts, the port moves to the restricted VLA N. The
failed attempt count increments when the RADIUS server replies with either an EAP failure or an empty
response without an EAP packet. When the port moves into the restricted VLAN, the failed attempt
counter resets.
Users who fail authentication remain in the restricted VLAN until the next reauthentication attempt. A
port in the restricted VLAN tries to reauthenticate at configured intervals (the default is 60 seconds). If
reauthentication fails, the port remains in the restricted VLAN. If reauthentication is successful, the port
moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable
reauthentication. If you do this, the only way to restart the authentication process is for the port to receive
a link down or EAP logoff event. We recommend that you keep reauthentication enabled if a client might
connect through a hub. When a client disconnects from the hub, the port might not receive the link down
or EAP logoff event.
After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This
prevents clients from indefinitely attempting authentication. Some clients (for example, devices runn ing
Windows XP) cannot implement DHCP without EAP success.