192
Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP
address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique
identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two
different host entries on the same RADIUS server are configured for the same service—for example, authentication—the
second host entry configured acts as the failover backup to the first one. The RADIUS host entries are tried in the order
in which they were configured.
Authentication Initiation and Message Exchange
During 802.1x authentication, the switch or the client can initiate authentication. If you enable authentication on a port by
using the authentication port-control auto interface configuration command, the switch initiates authentication when
the link state changes from down to up or periodically as long as the port remains up and unauthenticated. The switch
sends an EAP-request/identity frame to the client to request its identity. Upon receipt of the frame, the client responds
with an EAP-response/identity frame.
However, if during boot up, the client does not receive an EAP-request/identity frame from the switch, the client can
initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client’s identity.
Note: If 802.1x authentication is not enabled or supported on the network access device, any EAPOL frames from the
client are dropped. If the client does not receive an EAP-request/identity frame after three attempts to start
authentication, the client sends frames as if the port is in the authorized state. A port in the authorized state effectively
means that the client has been successfully authenticated. For more information, see Ports in Authorized and
Unauthorized States, page 195.
When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between the client
and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port
becomes authorized. If the authentication fails, authentication can be retried, the port might be assigned to a VLAN that
provides limited services, or network access is not granted. For more information, see Ports in Authorized and
Unauthorized States, page 195.
The specific exchange of EAP frames depends on the authentication method being used. Figure 20 on page 193 shows
a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method
with a RADIUS server.
To Next Page
Loading...
Need help?
General