10-19
Catalyst 3750 Switch Software Configuration Guide
OL-8550-02
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Clients that were authorized with MAC authentication bypass can be re-authenticated. The
re-authentication process is the same as that for clients that were authenticated with IEEE 802.1x.
During re-authentication, the port remains in the previously assigned VLAN. If re-authentication is
successful, the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the
port to the guest VLAN, if one is configured.
If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the
Termination-Action RADIUS attribute (Attribute[29]), and the Termination-Action attribute
(Attribute[29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass
session ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled
and the IEEE 802.1x authentication times out, the switch uses the MAC authentication bypass feature to
initiate re-authorization. For more information about these AV pairs, see RFC 3580, “IEEE 802.1X
Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.”
MAC authentication bypass interacts with these features:
• IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x
authentication is enabled on the port.
• Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a
guest VLAN if one is configured.
• Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.1x port
is authenticated with MAC authentication bypass.
• Port security—See the “Using IEEE 802.1x Authentication with Port Security” section on
page 10-17.
• Voice VLAN—See the “Using IEEE 802.1x Authentication with Voice VLAN Ports” section on
page 10-16.
• VLAN Membership Policy Server (VMPS)—IEEE 802.1x and VMPS are mutually exclusive.
• Private VLAN—You can assign a client to a private VLAN.
• Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an
IEEE 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception
list.
Using Network Admission Control Layer 2 IEEE 802.1x Validation
In Cisco IOS Release 12.2(25)SED and later, the switch supports the Network Admission Control (NAC)
Layer 2 IEEE 802.1x validation, which checks the antivirus condition or posture of endpoint systems or
clients before granting the devices network access. With NAC Layer 2 IEEE 802.1x validation, you can
do these tasks:
• Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action
RADIUS attribute (Attribute[29]) from the authentication server.
• Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS
server.
• Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
• View the NAC posture token, which shows the posture of the client, by using the show dot1x
privileged EXEC command.