29-7
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication

Usage Guidelines for Using 802.1X Authentication with Guest VLANs on Windows-XP Hosts

The usage guidelines for using 802.1X authentication with guest VLANs on Windows-XP hosts are as
follows:

• If the host fails to respond to the authenticator, the port attempts to connect three times (with a
30-second timeout between each attempt). After this time, the login/password window does not appear
on the host, so you must unplug and reconnect the network interface cable.

• Hosts responding with an incorrect login/password fail authentication. Hosts failing authentication
are not put in the guest VLAN. The first time that a host fails authentication, the quiet-period timer
starts, and no activity occurs for the duration of the quiet-period timer. When the quiet-period timer
expires, the host is presented with the login/password window. If the host fails authentication for the
second time, the quiet-period timer starts again, and no activity occurs for the duration of the
quiet-period timer. The host is presented with the login/password window a third time. If the host
fails authentication the third time, the port is placed in the unauthorized state, and you must
disconnect and reconnect the network interface cable.
Using 802.1X with Authentication Failed VLAN Assignment

You can use authentication failed VLAN assignment on a per-port basis to provide access for
authentication failed users. Authentication failed users are end hosts that are 802.1X capable but do
not have valid credentials in an authentication server, or end hosts that do not enter any username and
password combination in the authentication pop-up window on the user side.

If a user fails the authentication process, that port is placed in the authentication-failed VLAN. The port
remains in the authentication-failed VLAN until the reauthentication timer expires. When the
reauthentication timer expires, the switch starts sending reauthentication requests to the port. If the port
fails reauthentication, it remains in the authentication-failed VLAN. If the port is successfully
reauthenticated, the port is moved either to the VLAN sent by the RADIUS server or to the newly
authenticated port's configured VLAN; which one depends on whether RADIUS is configured to send
VLAN information.

You can set the maximum number of authentication attempts that the authenticator sends before moving
a port into the authentication-failed VLAN. The authenticator keeps a count of the failed authentication
attempts for each port. A failed authentication attempt is either an empty response or an EAP failure.
The authenticator counts any mix of failed authentication attempts towards the authentication attempt
count. After the maximum number of attempts is reached, the port is placed in the authentication-failed
VLAN until the reauthentication timer expires again.

Note: RADIUS may send a response without an EAP packet in it when it does not support EAP, and sometimes
third-party RADIUS servers also send empty responses. When this happens, the authentication attempt
counter is incremented.

Usage Guidelines for Using Authentication Failed VLAN Assignment

You should enable reauthentication. Ports in authentication-failed VLANs do not receive
reauthentication attempts if reauthentication is disabled. With reauthentication disabled, the
reauthentication process starts only when the port in the authentication-failed VLAN receives a link
down event or an EAP logoff event. If the host is behind a hub, you may never get a link down event and
may not detect the new host until the next reauthentication occurs. Therefore, it is recommended to have
reauthentication enabled in that case.
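The per-port behaviour described in the two sections above (failed-attempt counting that treats an empty RADIUS response like an EAP failure, placement in the authentication-failed VLAN at the maximum attempt count, reauthentication only when it is enabled, and the link down/EAP logoff escape when it is not) can be followed with a small state model. This is an added, constructed Python model for illustration, not Cisco IOS code; the state names, VLAN numbers and the default of three attempts are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Dot1xPort:
    """One 802.1X port as seen by the authenticator (constructed model, not switch code)."""
    configured_vlan: int          # the port's own access VLAN
    auth_fail_vlan: int           # authentication-failed VLAN assigned to this port
    max_attempts: int = 3         # failed attempts allowed before auth-fail placement (assumed)
    reauth_enabled: bool = True   # periodic reauthentication on/off
    fail_count: int = 0
    state: str = "unauthorized"   # unauthorized | authorized | reauthenticating | auth-failed
    vlan: Optional[int] = None    # VLAN the port currently belongs to (None = none yet)

    def _failed_attempt(self) -> str:
        # A port already parked in the auth-fail VLAN stays there until the
        # reauthentication timer expires; further failures are not counted.
        if self.state == "auth-failed":
            return self.state
        self.fail_count += 1
        if self.fail_count >= self.max_attempts:
            self.state, self.vlan = "auth-failed", self.auth_fail_vlan
        return self.state

    def eap_failure(self) -> str:
        """Supplicant answered, but the server returned EAP-Failure."""
        return self._failed_attempt()

    def empty_radius_response(self) -> str:
        """RADIUS reply without an EAP packet: counted exactly like an EAP failure."""
        return self._failed_attempt()

    def auth_success(self, radius_vlan: Optional[int] = None) -> int:
        """Successful (re)authentication; a RADIUS-sent VLAN wins over the port's own."""
        self.fail_count, self.state = 0, "authorized"
        self.vlan = radius_vlan if radius_vlan is not None else self.configured_vlan
        return self.vlan

    def reauth_timer_expired(self) -> bool:
        """Return True if a reauthentication round was started for this port."""
        if not self.reauth_enabled:
            return False           # auth-failed ports get no reauthentication requests
        self.fail_count = 0        # new round of up to max_attempts
        if self.state == "auth-failed":
            self.state = "reauthenticating"   # stays in auth-fail VLAN until the outcome
        return True

    def link_down_or_eap_logoff(self) -> str:
        """The only events that restart authentication when reauthentication is disabled."""
        self.fail_count, self.state, self.vlan = 0, "unauthorized", None
        return self.state
```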