Authentication Manager - Cisco Catalyst 3560-X Software Configuration Manual

Hide thumbs Also See for Catalyst 3560-X:

Table of Contents

Configuring IEEE 802.1x Port-Based Authentication

If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC

authentication bypass is enabled, the switch can authorize the client when the switch detects an Ethernet

packet from the client. The switch uses the MAC address of the client as its identity and includes this

information in the RADIUS-access/request frame that is sent to the RADIUS server. After the server

sends the switch the RADIUS-access/accept frame (authorization is successful), the port becomes

authorized. If authorization fails and a guest VLAN is specified, the switch assigns the port to the guest

VLAN. If the switch detects an EAPOL packet while waiting for an Ethernet packet, the switch stops

the MAC authentication bypass process and stops 802.1x authentication.

Authentication Manager

In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including

CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000.

You had to use separate authentication configurations. Cisco IOS Release 12.2(50)SE and later supports

the same authorization methods on all Catalyst switches in a network.

Cisco IOS Release 12.2(55)SE supports filtering verbose system messages from the authentication

manager. For details, see the

shows the message exchange during MAC authentication bypass.

Message Exchange During MAC Authentication Bypass

EAPOL Request/Identity

Ethernet packet

"Authentication Manager CLI Commands" section on page

Port-Based Authentication Methods, page 1-8

Per-User ACLs and Filter-Ids, page 1-8

Authentication Manager CLI Commands, page 1-9

Understanding IEEE 802.1x Port-Based Authentication

RADIUS Access/Request

RADIUS Access/Accept

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

Authentication

Catalyst 3750-x