10-5
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
Chapter10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Figure 10-2 shows the authentication process.
Figure10-2 Authentication Flowchart
The switch re-authenticates a client when one of these situations occurs:
Periodic re-authentication is enabled, and the re-authentication timer expires.
You can configure the re-authentication timer to use a switch-specific value or to be based on values from the RADIUS server.After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]). The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs.
141679
Yes
No
Client
identity is
invalid
All authentication
servers are down.
All authentication
servers are down.
Client
identity is
valid
The switch gets an
EAPOL message,
and the EAPOL
message
exchange begins.
Yes No
1
1
1
1 = This occurs if the switch does not detect EAPOL packets from the client.
Client MAC
address
identity
is invalid.
Client MAC
address
identity
is valid.
Is the client IEEE
802.1x capable?
Start IEEE 802.1x port-based
authentication.
Use inaccessible
authentication bypass
(critical authentication)
to assign the critical
port to a VLAN.
IEEE 802.1x authentication
process times out.
Is MAC authentication
bypass enabled?
Use MAC authentication
bypass.
Assign the port to
a guest VLAN.
Start
Done
Assign the port to
a VLAN.
Done
Done
Assign the port to
a VLAN.
Done
Assign the port to
a restricted VLAN.
Done