Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
auto—Enables 802.1X authentication and causes the port to begin in the unauthorized state,
allowing only EAPOL frames to be sent and received through the port. The authentication process
begins when the link state of the port transitions from down to up or when an EAPOL-start frame is
received. The switch requests the identity of the client and begins relaying authentication messages
between the client and the authentication server. The switch can uniquely identify each client
attempting to access the network by the client’s MAC address.
If the client is successfully authenticated (receives an Accept frame from the authentication server), the
port state changes to authorized, and all frames from the authenticated client are allowed through the
port. If authentication fails, the port remains in the unauthorized state, but authentication can be retried.
If the authentication server cannot be reached, the switch can retransmit the request. If no response is
received from the server after the specified number of attempts, authentication fails and network access
is not granted.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received by the
port, the port returns to the unauthorized state.
Using 802.1X with VLAN Assignment
You can use the VLAN assignment to limit network access for certain users. With the VLAN assignment,
802.1X-authenticated ports are assigned to a VLAN based on the username of the client connected to
that port. The RADIUS server database maintains the username-to-VLAN mappings. After successful
802.1X authentication of the port, the RADIUS server sends the VLAN assignment to the switch. The
VLAN can be a “standard” VLAN or a private VLAN.
On platforms that support Private VLANs, you can isolate hosts by assigning ports into PVLANs.
When configured on the switch and the RADIUS server, 802.1X with VLAN assignment has these
characteristics:
If no VLAN is supplied by the RADIUS server, the port is configured in its access VLAN when
authentication succeeds.
If the authentication server provides invalid VLAN information, the port remains unauthorized. This
situation prevents ports from appearing unexpectedly in an inappropriate VLAN due to a
configuration error.
Configuration errors might occur if you specify a VLAN for a routed port, a malformed VLAN ID,
or a nonexistent or internal (routed port) VLAN ID. Similarly, an error might occur if you make an
assignment to a voice VLAN ID.
If the authentication server provides valid VLAN information, the port is authorized and placed in
the specified VLAN when authentication succeeds.
If the multiple-hosts mode is enabled, all hosts are in the same VLAN as the first authenticated user.
Hosts that attach after the first one are not authenticated individually; they inherit the VLAN that the
first user's Access-Accept assigned to the port.
If 802.1X is disabled on the port, the port is returned to the configured access VLAN.
A port must be configured as an access port (which can be assigned only into “regular” VLANs), or
as a private-VLAN host port (which can be assigned only into PVLANs). Configuring a port as a
private-VLAN host port implies that all hosts on the port will be assigned into PVLANs, whether
their posture is compliant or non-compliant. If the type of the VLAN named in the Access-Accept
does not match the type of VLAN expected to be assigned to the port (regular VLAN to access port,
secondary private VLAN to private VLAN host port), the VLAN assignment fails.
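The following configuration illustrates both the auto port-control mode described above and 802.1X VLAN assignment on a regular access port and on a private-VLAN host port. It is an added, constructed example, not a configuration taken from this guide: the interface names, VLAN numbers, RADIUS server address and shared key are assumptions, and the RADIUS attribute values shown in the trailing comments are what the server is expected to return, not switch configuration.

```text
! Constructed example; addresses, VLAN numbers, interface names and the
! RADIUS key are assumptions.
aaa new-model
aaa authentication dot1x default group radius
! Required for the switch to honor a VLAN carried in the Access-Accept
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key S3cr3tKey
! Server unreachable: after 'retransmit' attempts of 'timeout' seconds each,
! authentication fails and the port stays unauthorized (no fallback VLAN here)
radius-server timeout 5
radius-server retransmit 3
dot1x system-auth-control
!
! Access port in auto mode: starts unauthorized, passes only EAPOL until an
! Access-Accept arrives. A regular VLAN (ID or name) in the Access-Accept
! moves the port into that VLAN; no VLAN attribute leaves it in VLAN 20;
! a nonexistent, voice, or private VLAN keeps the port unauthorized.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
!
! Private-VLAN host port: the Access-Accept must name a secondary private
! VLAN (201 or 202 below); a regular VLAN ID fails the type check.
vlan 200
 private-vlan primary
 private-vlan association 201,202
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
interface GigabitEthernet1/2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 dot1x port-control auto
!
! Attributes the RADIUS server returns in the Access-Accept for VLAN
! assignment (IETF attribute numbers in parentheses):
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81) = "30"   for GigabitEthernet1/1 (regular VLAN)
!                                = "202"  for GigabitEthernet1/2 (secondary PVLAN)
```

After a client authenticates, the port's state and assigned VLAN can be checked with show dot1x interface and show vlan; a port that remains unauthorized although the server returned Accept usually indicates a VLAN-type mismatch or a VLAN ID that does not exist on the switch, as described in the list above.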