For complete syntax and usage information for the commands used in this chapter, see the “RADIUS
Commands” section in the Cisco IOS Security Command Reference, Release 12.4 and the command
reference for this release.
Note
Port-Based Authentication Process
When 802.1x port-based authentication is enabled and the client supports 802.1x-compliant client software,
these events occur:
•
If the client identity is valid and the 802.1x authentication succeeds, the switch grants the client access
to the network.
•
If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC
authentication bypass is enabled, the switch can use the client MAC address for authorization. If the
client MAC address is valid and the authorization succeeds, the switch grants the client access to the
network. If the client MAC address is invalid and the authorization fails, the switch assigns the client
to a guest VLAN that provides limited services if a guest VLAN is configured.
•
If the switch gets an invalid identity from an 802.1x-capable client and a restricted VLAN is specified,
the switch can assign the client to a restricted VLAN that provides limited services.
•
If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass is
enabled, the switch grants the client access to the network by putting the port in the critical-authentication
state in the RADIUS-configured or the user-specified access VLAN.
Inaccessible authentication bypass is also referred to as critical authentication or the
AAA fail policy.
Note
If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that
are applicable to voice authorization.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
214 OL-29434-01
Configuring IEEE 802.1x Port-Based Authentication
Port-Based Authentication Process
To Next Page
Loading...
Need help?
General