This feature only works if the supplicant on the client supports a query with the NOTIFY EAP notification
packet. The client must respond within the 802.1x timeout value.
Related Topics
Configuring 802.1x Readiness Check, on page 300
Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port
numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port
number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a
server at the same IP address. If two different host entries on the same RADIUS server are configured for the
same service—for example, authentication—the second host entry configured acts as the fail-over backup to
the first one. The RADIUS host entries are tried in the order that they were configured.
Related Topics
Configuring the Switch-to-RADIUS-Server Communication, on page 309
802.1x Authentication with VLAN Assignment
The switch supports 802.1x authentication with VLAN assignment. After successful 802.1x authentication
of a port, the RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server
database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the
client connected to the switch port. You can use this feature to limit network access for certain users.
Voice device authentication is supported with multidomain host mode in Cisco IOS Release 12.2(37)SE. In
Cisco IOS Release 12.2(40)SE and later, when a voice device is authorized and the RADIUS server returned
an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on the assigned
voice VLAN. Voice VLAN assignment behaves the same as data VLAN assignment on multidomain
authentication (MDA)-enabled ports.
When configured on the switch and the RADIUS server, 802.1x authentication with VLAN assignment has
these characteristics:
•
If no VLAN is supplied by the RADIUS server or if 802.1x authentication is disabled, the port is
configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN
assigned to an access port. All packets sent from or received on this port belong to this VLAN.
•
If 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid,
authorization fails and configured VLAN remains in use. This prevents ports from appearing unexpectedly
in an inappropriate VLAN because of a configuration error.
Configuration errors could include specifying a VLAN for a routed port, a malformed VLAN ID, a
nonexistent or internal (routed port) VLAN ID, an RSPAN VLAN, a shut down or suspended VLAN.
In the case of a multidomain host port, configuration errors can also be due to an attempted assignment
of a data VLAN that matches the configured or assigned voice VLAN ID (or the reverse).
•
If 802.1x authentication is enabled and all information from the RADIUS server is valid, the authorized
device is placed in the specified VLAN after authentication.
•
If the multiple-hosts mode is enabled on an 802.1x port, all hosts are placed in the same VLAN (specified
by the RADIUS server) as the first authenticated host.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
278 OL-29048-01
Configuring IEEE 802.1x Port-Based Authentication
Switch-to-RADIUS-Server Communication
To Next Page
Loading...
Need help?
General
Weight and Dimensions
