29-8
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
EAP failure messages are not sent to the user. If the user fails authentication, the port is moved
to the authentication-failed VLAN and an EAP Success message is sent to the user. Because the user
is not notified of the authentication failure, there may be confusion as to why network access is
restricted. An EAP Success message is sent for the following reasons:
If the EAP Success message is not sent, the supplicant retries authentication every 60 seconds (by
default) by sending an EAPOL-Start message.
Some supplicants are configured to start DHCP only after receiving EAP Success; unless the supplicant
sees a success, DHCP will not work on the port.
Sometimes a supplicant caches an incorrect username and password combination after receiving an EAP
Success message from the authenticator and reuses that information in every reauthentication. Until
the user supplies the correct username and password combination, the port remains in the
authentication-failed VLAN.
When an authentication-failed port is moved to an unauthorized state, the authentication process is
restarted. If the user fails the authentication process again, the authenticator waits in the held state.
After the user has correctly reauthenticated, all 802.1X ports are reinitialized and treated as normal
802.1X ports.
When you reconfigure the authentication-failed VLAN to a different VLAN, any authentication-failed
ports are also moved, and the ports stay in their current authorized state.
When you shut down or remove an authentication-failed VLAN from the VLAN database, any
authentication-failed ports are immediately moved to an unauthorized state and the authentication
process is restarted. The authenticator does not wait in a held state because the authentication-failed
VLAN configuration still exists. While the authentication-failed VLAN is inactive, all
authentication attempts are counted, and as soon as the VLAN becomes active the port is placed in
the authentication-failed VLAN.
If you reconfigure the maximum number of authentication failures allowed before a port is placed in
the VLAN, the change takes effect after the reauthentication timer expires.
Internal VLANs that are used for Layer 3 ports cannot be configured as an authentication-failed
VLAN.
You cannot configure a VLAN to be both an authentication-failed VLAN and a voice VLAN. If you
do, a syslog message is generated.
The authentication-failed VLAN is supported only in single-host mode (the default port mode).
When a port is placed in an authentication-failed VLAN, the user's MAC address is added to the
MAC address table. If a new MAC address appears on the port, it is treated as a security violation.
When an authentication-failed port is moved to an authentication-failed VLAN, the Catalyst 4500
series switch does not transmit a RADIUS Accounting Start message as it does for regular 802.1X
authentication.
Using 802.1X with Port Security
You can enable port security on an 802.1X port in either single- or multiple-host mode. (To do so, you
must configure port security with the switchport port-security interface configuration command. Refer
to the “Configuring Port Security” chapter in this guide.) When you enable port security and 802.1X on
a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed
on that port, including that of the client. Hence, an 802.1X port with port security enabled can be used to
limit the number or group of clients that can access the network.
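The following configuration is an added example, not taken from this guide, that ties together the two preceding sections: an access port with 802.1X, an authentication-failed VLAN, and port security limiting the port to one MAC address. The interface name, VLAN numbers, RADIUS server address and shared secret are placeholders. The dot1x auth-fail vlan and dot1x auth-fail max-attempts commands are assumed from the 802.1X chapter of this guide rather than from the text above; verify them against your release before use.

```cisco
! Added example configuration (not from the original guide). Interface,
! VLAN IDs, RADIUS address and key are placeholders; adjust to your network.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key <shared-secret>
dot1x system-auth-control
!
! Quarantine VLAN with restricted access. It must not also be the port's voice
! VLAN (a syslog message is generated) and must not be an internal VLAN that is
! in use by a Layer 3 port.
vlan 999
 name AUTH-FAIL-QUARANTINE
!
interface FastEthernet3/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! Single-host mode is the default; it is stated explicitly because the
 ! authentication-failed VLAN is supported only in this mode.
 dot1x host-mode single-host
 ! Assumed commands: after 3 failed attempts the port is placed in VLAN 999 and
 ! the supplicant receives EAP Success, so the user sees no failure indication.
 dot1x auth-fail vlan 999
 dot1x auth-fail max-attempts 3
 ! Port security limits the port to the one authenticated MAC; a second MAC,
 ! including one appearing while parked in the auth-fail VLAN, is a violation.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
! Verification (privileged EXEC):
!   show dot1x interface FastEthernet3/1
!   show port-security interface FastEthernet3/1
```

Two points from the text above matter when operating this: a user parked in VLAN 999 has been told "success" by the supplicant, so help-desk procedures should check show dot1x output rather than rely on the user's report, and no RADIUS Accounting Start is generated for the move into the authentication-failed VLAN, so the RADIUS server's accounting log alone will not show these ports.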