Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
For configuration information, see
configuration is similar MAC authentication bypass, as described in
802.1x Authentication with Guest VLAN
You can configure a guest VLAN for each 802.1x port on the switch to provide limited services to clients, such as
downloading the 802.1x client. These clients might be upgrading their system for 802.1x authentication, and some hosts,
such as Windows 98 systems, might not be 802.1x-capable.
When you enable a guest VLAN on an 802.1x port, the switch assigns clients to a guest VLAN when the switch does not
receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client. The port is
automatically set to multi-host mode.
The switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the
link, the switch determines that the device connected to that interface is an 802.1x-capable supplicant, and the interface
does not change to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL
packet is detected on the interface, the interface changes to the guest VLAN state.
If devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows clients that fail
authentication access to the guest VLAN.
If the switch is trying to authorize an 802.1x-capable voice device and the AAA server is unavailable, the authorization
attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history. When the AAA server becomes
available, the switch authorizes the voice device. However, the switch no longer allows other devices access to the guest
VLAN. To prevent this situation, use one of these command sequences:
Enter the authentication event no-response action authorize vlan vlan-id interface configuration command to
allow access to the guest VLAN.
Enter the shutdown interface configuration command followed by the no shutdown interface configuration
command to restart the port.
Note:
If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts to an
unauthorized state, and 802.1x authentication restarts.
Any number of 802.1x-incapable clients are allowed access when the switch port is moved to the guest VLAN. If an
802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized
state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1x ports in single host, multiple host, or multi-domain modes.
You can configure any active VLAN except an RSPAN VLAN, a private VLAN, or a voice VLAN as an 802.1x guest VLAN.
The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access
ports.
The switch supports MAC authentication bypass. When MAC authentication bypass is enabled on an 802.1x port, the
switch can authorize clients based on the client MAC address when 802.1x authentication times out while waiting for
an EAPOL message exchange. After detecting a client on an 802.1x port, the switch waits for an Ethernet packet from
the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password
based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization
fails, the switch assigns the port to the guest VLAN if one is specified. For more information, see
with MAC Authentication Bypass, page
For more information, see
Configuring Optional 802.1x Authentication Features, page
210.
Configuring a Guest VLAN, page
Configuring 802.1x User Distribution, page
226.
206
224. Additional
229.
802.1x Authentication