1-23
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
For more information, see the “Configuring a Restricted VLAN” section on page 1-62.
802.1x Authentication with Inaccessible Authentication Bypass
Use the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA
fail policy, when the switch cannot reach the configured RADIUS servers and new hosts cannot be
authenticated. You can configure the switch to connect those hosts to critical ports.
When a new host tries to connect to the critical port, that host is moved to a user-specified access VLAN,
the critical VLAN. The administrator gives limited authentication to the hosts.
When the switch tries to authenticate a host connected to a critical port, the switch checks the status of
the configured RADIUS server. If a server is available, the switch can authenticate the host. However, if
all the RADIUS servers are unavailable, the switch grants network access to the host and puts the port
in the critical-authentication state, which is a special case of the authentication state.
Support on Multiple-Authentication Ports
When a port is configured on any host mode and the AAA server is unavailable, the port is then
configured to multi-host mode and moved to the critical VLAN. To support this inaccessible bypass on
multiple-authentication (multiauth) ports, use the authentication event server dead action reinitialize
vlan vlan-id command. When a new host tries to connect to the critical port, that port is reinitialized and
all the connected hosts are moved to the user-specified access VLAN.
This command is supported on all host modes.
Authentication Results
The behavior of the inaccessible authentication bypass feature depends on the authorization state of the
port:
• If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers
are unavailable, the switch puts the port in the critical-authentication state in the
RADIUS-configured or user-specified access VLAN.
• If the port is already authorized and reauthentication occurs, the switch puts the critical port in the
critical-authentication state in the current VLAN, which might be the one previously assigned by
the RADIUS server.
• If the RADIUS server becomes unavailable during an authentication exchange, the current exchange
times out, and the switch puts the critical port in the critical-authentication state during the next
authentication attempt.
You can configure the critical port to reinitialize hosts and move them out of the critical VLAN when
the RADIUS server is again available. When this is configured, all critical ports in the
critical-authentication state are automatically re-authenticated. For more information, see the command
reference for this release and the “Configuring Inaccessible Authentication Bypass and Critical Voice
VLAN” section on page 1-63.
To Next Page
Loading...
Need help?
General
