9-10
Catalyst 2960 Switch SoftwareConfiguration Guide
78-16881-01
Chapter9 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
Using IEEE 802.1x with Guest VLAN
You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to
clients, such as downloading the IEEE 802.1x client. These clients migh t be upgrading their system for
IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, mig ht not be IEEE
802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN
when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets
are not sent by the client.
The switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during
the lifetime of the link, the switch determines that the device connected to that interface is an IEEE
802.1x-capable supplicant, and the interface does not change to the guest V LAN state. EAPOL history
is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, it
changes to the guest VLAN state.
Note If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts
to an unauthorized state, and IEEE 802.1x authenticati on restarts.
Any number of IEEE 802.1x-incapable clients are allowed access when the switch port is moved to the
guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is
configured, the port is put into the unauthorized state in the user-configured access VLAN, and
authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest
VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
For more information, see the “Configuring a Guest VLAN” section on page 9-19.
Configuring IEEE 802.1x Authentication
These sections contain this configuration information:
Default IEEE 802.1x Configuration, page 9-11
IEEE 802.1x Configuration Guidelines, page 9-12
Configuring IEEE 802.1x Authentication, page 9-12 (required)
Configuring the Switch-to-RADIUS-Server Communication, page 9-14 (required)
Configuring Periodic Re-Authentication, page 9-15 (optional)
Manually Re-Authenticating a Client Connected to a Port, page 9-15 (optional)
Changing the Quiet Period, page 9-16 (optional)
Changing the Switch-to-Client Retransmission Time, page 9-16 (optional)
Setting the Switch-to-Client Frame-Retransmission Number, page 9-17 (optional)
Setting the Re-Authentication Number, page 9-17 (optional)
Configuring the Host Mode, page 9-18 (optional)
Configuring a Guest VLAN, page 9-19 (optional)