Cisco Systems OL-8550-09 802.1x Authentication with Guest VLAN

10-23

Catalyst 3750 SwitchSoftware Configuration Guide

OL-8550-09

Chapter10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

You can set the CiscoSecure-Defined-ACL Attribute-Value pair on the Cisco Secure ACS with the

RADIUS cisco-av-pair vendor-specific attributes (VSAs). This pair specifies the names of the

downloadable ACLs on the Cisco Secure ACS with the #ACL#-IP-name-number attribute.

•The name is the ACL name.

•The number is the version number (for example, 3f783768).

If a downloadable ACL is configured for a client on the authentication server, a default port ACL on the

connected client switch port must also be configured.

If the default ACL is configured on the switch and the Cisco Secure ACS sends a host-access-policy to

the switch, it applies the policy to traffic from the host connected to a switch port. If the policy does not

apply, the switch applies the default ACL. If the Cisco Secure ACS sends the switch a downloadable

ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However,

if the switch receives an host access policy from the Cisco Secure ACS but the default ACL is not

configured, the authorization failure is declared.

For configuration details, see the “Authentication Manager” section on page10-8 and the “Configuring

802.1x Authentication with Downloadable ACLs and Redirect URLs” section on page10-64.

You can use VLAN ID-based MAC authentication if you wish to authenticate hosts based on a static

VLAN ID instead of a downloadable VLAN. When you have a static VLAN policy configured on your

switch, VLAN information is sent to an IAS (Microsoft) RADIUS server along with the MAC address

of each host for authentication. The VLAN ID configured on the connected port is used for MAC

authentication. By using VLAN ID-based MAC authentication with an IAS server, you can have a fixed

number of VLANs in the network.

The feature also limits the number of VLANs monitored and handled by STP.The network can be

managed as a fixed VLAN.

Note This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new

hosts and only authenticates based on the MAC address.)

For configuration information, see the “Configuring VLAN ID-based MAC Authentication” section on

page 10-67. Additional configuration is similar MAC authentication bypass, as described in the

“Configuring MAC Authentication Bypass” section on page10-60.

802.1x Authentication with Guest VLAN

You can configure a guest VLAN for each 802.1x port on the switch to provide limited services to

clients, such as downloading the 802.1x client. These clients might be upgrading their system for 802.1x

authentication, and some hosts, such as Windows 98 systems, might not be 802.1x-capable.

When you enable a guest VLAN on an 802.1x port, the switch assigns clients to a guest VLAN when the

switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not

sent by the client.