X Authentication With Vlan Assignment - Cisco Catalyst 3560-X Software Configuration Manual

Understanding IEEE 802.1x Port-Based Authentication
This feature only works if the supplicant on the client supports a query with the NOTIFY EAP
notification packet. The client must respond within the 802.1x timeout value.
For information on configuring the switch for the 802.1x readiness check, see the
Readiness Check" section on page

802.1x Authentication with VLAN Assignment

The switch supports 802.1x authentication with VLAN assignment. After successful 802.1x
authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch port.
The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based
on the username of the client connected to the switch port. You can use this feature to limit network
access for certain users.
Voice device authentication is supported with multidomain host mode. When a voice device is authorized
and the RADIUS server returned an authorized VLAN, the voice VLAN on the port is configured to send
and receive packets on the assigned voice VLAN. Voice VLAN assignment behaves the same as data
VLAN assignment on multidomain authentication (MDA)-enabled ports. For more information, see the
"Multidomain Authentication" section on page
When configured on the switch and the RADIUS server, 802.1x authentication with VLAN assignment
has these characteristics:
•
•
•
•
•
•
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put
into the configured access VLAN.
If an 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port
access VLAN configuration does not take effect. In the case of a multidomain host, the same applies to
voice devices when the port is fully authorized with these exceptions:
•
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
1-16
If no VLAN is supplied by the RADIUS server or if 802.1x authentication is disabled, the port is
configured in its access VLAN after successful authentication. Recall that an access VLAN is a
VLAN assigned to an access port. All packets sent from or received on this port belong to this
VLAN.
If 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid,
authorization fails and configured VLAN remains in use. This prevents ports from appearing
unexpectedly in an inappropriate VLAN because of a configuration error.
Configuration errors could include specifying a VLAN for a routed port, a malformed VLAN ID, a
nonexistent or internal (routed port) VLAN ID, an RSPAN VLAN, a shut down or suspended VLAN. In
the case of a mutlidomain host port, configuration errors can also be due to an attempted assignment of
a data VLAN that matches the configured or assigned voice VLAN ID (or the reverse).
If 802.1x authentication is enabled and all information from the RADIUS server is valid, the
authorized device is placed in the specified VLAN after authentication.
If the multiple-hosts mode is enabled on an 802.1x port, all hosts are placed in the same VLAN
(specified by the RADIUS server) as the first authenticated host.
Enabling port security does not impact the RADIUS server-assigned VLAN behavior.
If 802.1x authentication is disabled on the port, it is returned to the configured access VLAN and
configured voice VLAN.
If the VLAN configuration change of one device results in matching the other device configured or
assigned VLAN, authorization of all devices on the port is terminated and multidomain host mode
is disabled until a valid configuration is restored where data and voice device configured VLANs no
longer match.
Chapter 1
1-41.
1-31.
Configuring IEEE 802.1x Port-Based Authentication
"Configuring 802.1x
OL-25303-03