
Cisco 4500M User Manual

Cisco 4500M
608 pages
31-6
Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
Chapter 31 Understanding and Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
Assign vendor-specific tunnel attributes in the RADIUS server. To ensure proper VLAN assignment,
the RADIUS server must return these attributes to the switch:
  - Tunnel-Type = VLAN
  - Tunnel-Medium-Type = 802
  - Tunnel-Private-Group-ID = VLAN NAME
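As an added example (not part of the Cisco guide), this Python check walks the attribute bytes of a RADIUS Access-Accept and confirms that the three attributes listed above are present with the values the switch needs for VLAN assignment. The numeric codes and values (64, 65, 81; VLAN = 13, 802 = 6) are taken from RFC 2868 and RFC 3580 rather than from this page, and the sample bytes and VLAN names are constructed.

```python
# Attribute codes and values per RFC 2868 / RFC 3580 (assumed; not on this page).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def parse_attributes(data):
    """Split a RADIUS attribute section into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def vlan_assignment(data):
    """Return (vlan_name, problems); vlan_name is None if any check fails."""
    found, problems = {}, []
    for a_type, value in parse_attributes(data):
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                problems.append(f"attribute {a_type}: expected tag + 3-byte value")
                continue
            # Byte 0 is the tag; bytes 1-3 are the big-endian value.
            found[a_type] = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte of 0x00-0x1F is a tag, otherwise part of the string.
            if value and value[0] <= 0x1F:
                value = value[1:]
            found[a_type] = value.decode("ascii", errors="replace")
    if found.get(TUNNEL_TYPE) != TYPE_VLAN:
        problems.append("Tunnel-Type is not VLAN")
    if found.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type is not 802")
    if not found.get(TUNNEL_PRIVATE_GROUP_ID):
        problems.append("Tunnel-Private-Group-ID missing or empty")
    return (None if problems else found[TUNNEL_PRIVATE_GROUP_ID]), problems

def attr(a_type, value):
    """Build one attribute (helper for the constructed samples below)."""
    return bytes([a_type, len(value) + 2]) + value

# Constructed sample attribute bytes, not captured traffic.
GOOD = (attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06")
        + attr(81, b"\x00engineering"))
NO_MEDIUM = attr(64, b"\x00\x00\x00\x0d") + attr(81, b"guest")
```
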
Using 802.1X Authentication for Guest VLANs
You can use guest VLANs to enable non-802.1X capable hosts to access networks that use 802.1X
authentication. For example, you can use guest VLANs while you are upgrading your system to support
802.1X authentication.
Guest VLANs are supported on a per-port basis, and you can use any VLAN (except a private VLAN) as a
guest VLAN. If a port is already forwarding on the guest VLAN and you enable 802.1X support on the
network interface of the host, the port is immediately moved out of the guest VLAN and the authenticator
waits for authentication to occur.
Enabling 802.1X authentication on a port starts the 802.1X protocol. If the host fails to respond to the
packets from the authenticator within a certain amount of time, the authenticator puts the port in the
guest VLAN.
Usage Guidelines for Using 802.1X Authentication with Guest VLANs on Windows-XP Hosts
The usage guidelines for using 802.1X authentication with guest VLANs on Windows-XP hosts are as
follows:
  - If the host fails to respond to the authenticator, the port attempts to connect three times (with a
    30-second timeout between each attempt). After this time, the login/password window does not appear
    on the host, so you must unplug and reconnect the network interface cable.
  - Hosts responding with an incorrect login/password fail authentication. Hosts failing authentication
    are not put in the guest VLAN. The first time that a host fails authentication, the quiet-period timer
    starts, and no activity occurs for the duration of the quiet-period timer. When the quiet-period timer
    expires, the host is presented with the login/password window. If the host fails authentication for the
    second time, the quiet-period timer starts again, and no activity will occur for the duration of the
    quiet-period timer. The host is presented with the login/password window a third time. If the host
    fails authentication the third time, the port is placed in the unauthorized state, and you must
    disconnect and reconnect the network interface cable.
Using 802.1X with Port Security
You can enable port security on an 802.1X port in either single- or multiple-host mode. (To do so, you
must configure port security with the switchport port-security interface configuration command. Refer
to the “Configuring Port Security” chapter in this guide.) When you enable port security and 802.1X on
a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed
on that port, including that of the client. Hence an 802.1X port with port security enabled can be used to
limit the number or group of clients that can access the network.
