13-33
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass Guidelines
When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equa l
to a voice VLAN.
The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dyn amic
ports, or with dynamic-access port assignment through a VMPS.
You can configure 802.1x authentication on a private-VLAN port, but do not configure 802.1x
authentication with port security, a voice VLAN, a guest VLAN, a restricted VLAN, or a per-user
ACL on private-VLAN ports.
You can configure any VLAN except an RSPAN VLAN, private VLAN, or a voice VLAN as
an 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed po rts)
or trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you
might need to get a host IP address from a DHCP server. You can change the settings for restarting
the 802.1x authentication process on the switch before the DHCP process on the client times out and
tries to get a host IP address from the DHCP server. Decrease the settings for the 802.1x
authentication process (authentication timer inactivity and authentication timer
reauthentication interface configuration commands). The amount to decrease the settings depends
on the connected 802.1x client type.
When configuring the inaccessible authentication bypass feature, follow these guidelines:
The feature is supported on 802.1x port in single-host mode and multihosts mode.
If the client is running Windows XP and the port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,
receiving an EAP-Success message on a critical port might not reinitiate the DHCP
configuration process.
You can configure the inaccessible authentication bypass feature and the restricted VLAN on
an 802.1x port. If the switch tries to reauthenticate a critical port in a restricted VLAN and all
the RADIUS servers are unavailable, switch changes the port state to the critical authentication
state and remains in the restricted VLAN.
You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x restricted
VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk
ports; it is supported only on access ports.
MAC Authentication Bypass Guidelines
Unless otherwise stated, the MAC authentication bypass guidelines are the same as the 802.1x
authentication guidelines. For more information, see the “802.1x Authentication Guidelines”
section on page 13-32.
If you disable MAC authentication bypass from a port after the port has been authorized with its
MAC address, the port state is not affected.
If the port is in the unauthorized state and the client MAC address is not the authentication-server
database, the port remains in the unauthorized state. However, if the client MAC address is added to
the database, the switch can use MAC authentication bypass to reauthorize the port.