Cisco Systems WSC4500X16SFP Using 802.1X with Authentication Failed VLAN Assignment

29-7

Software Configuration Guide—Release 12.2(25)SG

OL-7659-03

Chapter29 Understanding and Conf iguring 802.1X Port-Based Authentication

Understanding 802.1X Port-Based Authentication

The usage guidelines for using 802.1X authentication with guest VLANs on Windows-XP hosts are as

follows:

•If the host fails to respond to the authenticator, the port attempts to connect three times (with a 30

second timeout between each attempt). After this time, the login/password window does not appear

on the host, so you must unplug and reconnect the network interface cable.

•Hosts responding with an incorrect login/password fail authentication. Hosts failing authentication

are not put in the guest VLAN. The first time that a host fails authentication, the quiet-period timer

starts, and no activity occurs for the duration of the quiet-period timer. When the quiet-period timer

expires, the host is presented with the login/password window. If the host fails authentication for the

second time, the quiet-period timer starts again, and no activity will occur for the duration of the

quiet-period timer. The host is presented with the login/password window a th ird time. If the host

fails authentication the third time, the port is placed in the unauthorized state, and you must

disconnect and reconnect the network interface cable.

Using 802.1X with Authentication Failed VLAN Assignment

You can use authentication failed VLAN assignment on a per-port basis to provide access for

authentication failed users. Authentication failed users are end hosts which are 802.1X capable but do

not have valid credentials in an authentication server or end hosts that do not give any username and

password combination in the authentication pop-up window on the user side.

If a user fails the authentication process, that port is placed in the authentication-failed VLAN. The port

remains in the authentication-failed VLAN until the reauthentication timer expires. When the

reauthentication timer expires the switch starts sending the port re-authentication requests. If the port

fails reauthentication it remains in the authentication-failed VLAN. If the port is successfully

reauthenticated, the port is moved either to the VLAN sent by RADIUS server or to the newly

authenticated ports configured VLAN; the location depends on whether RADIUS is configured to send

VLAN information.

You can set the maximum number of authentication attempts that the authenticator sends before moving

a port into the authentication-failed VLAN. The authenticator keeps a count of the failed authentication

attempts for each port. A failed authentication at tempt is either an empty response or an EAP failure.

The authenticator tracks any mix of failed authentication attempts towards the authentication attempt

count. After the maximum number of attempts is reached the port is placed in the authentication-failed

VLAN until the reauthentication timer expires again.

Note RADIUS may send a response without an EAP packet in it when i t does not support EAP, and sometimes

third party RADIUS servers also send empty responses. When this happens, the authentication attempt

counter is incremented.

•You should enable reauthentication. The ports in authentication-failed VLANs do not receive

reauthentication attempts if reauthentication is disabled. In order to start the reauthentication

process the authentication-failed VLAN must receive a link down event or an EAP logoff event from

the port. If the host is behind a hub, you may never get a link down event and may not detect the new

host until the next reauthentication occurs. Therefore, it is recommended to have re-authentication

enabled in that case.