Configuring 802.1X With Authentication Failed - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex

Chapter 49
Configuring 802.1X Port-Based Authentication
After you complete these two tasks and receive authorization, ACS sends the configured VLAN group to the switch. The switch
is alerted to the list of VLANs configured under the VLAN group, and the least loaded valid VLAN in the group is assigned
to the port.

Configuring 802.1X with Authentication Failed

By configuring authentication-failed VLAN assignment on any Layer 2 port on the Catalyst 4500 series switch, you can provide
limited network services to clients that fail the authentication process.
Note: You can use authentication-failed VLAN assignment with other security features, such as Dynamic ARP
Inspection (DAI), Dynamic Host Configuration Protocol (DHCP) snooping, and IP Source Guard. Each
of these features can be enabled and disabled independently on the authentication-failed VLAN.
To configure 802.1X with authentication-failed VLAN assignment, perform this task:

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# interface interface-id
Purpose: Enters interface configuration mode and specifies the interface to be enabled for 802.1X authentication.

Step 3
Command: Switch(config-if)# switchport mode access
Purpose: Specifies a nontrunking, nontagged single VLAN Layer 2 interface.

Step 4
Command: Switch(config-if)# authentication port-control auto
Purpose: Enables 802.1X authentication on the interface.

Step 5
Command (Cisco IOS Release 12.2(50)SG and later): Switch(config-if)# authentication event fail action authorize vlan vlan-id
Command (Cisco IOS Release 12.2(46)SG or earlier releases): Switch(config-if)# dot1x auth-fail vlan vlan-id
Purpose: Enables authentication-failed VLAN on a particular interface.
To disable the authentication-failed VLAN feature on a particular port, use the no authentication event fail action authorize vlan interface configuration command.

Step 6
Command (Cisco IOS Release 12.2(50)SG and later): Switch(config-if)# authentication event fail retry max-attempts action [authorize vlan vlan-id | next-method]
Command (Cisco IOS Release 12.2(46)SG or earlier releases): Switch(config-if)# dot1x auth-fail max-attempts max-attempts
Purpose: Configures the maximum number of attempts before the port is moved to the authentication-failed VLAN.
Default is 3 attempts.

Step 7
Command: Switch(config-if)# end
Purpose: Returns to configuration mode.

Step 8
Command: Switch(config)# end
Purpose: Returns to privileged EXEC mode.

Step 9
Command: Switch# show dot1x interface interface-id details
Purpose: (Optional) Verifies your entries.

Step 10
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
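
An added example, not from the Cisco manual: a Python audit of a saved configuration that lists the ports with an authentication-failed VLAN and checks each against Steps 3 and 4 and a site-defined list of restricted VLANs. The sample configuration, the `restricted_vlans` parameter and the way the Step 5 and Step 6 commands appear in a saved configuration are assumptions.

```python
import re

# Constructed running-config excerpt for illustration; not taken from the manual.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode access
 authentication port-control auto
 authentication event fail retry 2 action authorize vlan 40
!
interface GigabitEthernet1/2
 switchport mode trunk
 authentication event fail action authorize vlan 40
!
interface GigabitEthernet1/3
 switchport mode access
 authentication port-control auto
 dot1x auth-fail vlan 10
!
interface GigabitEthernet1/4
 switchport mode access
 authentication port-control auto
"""

# Assumed saved-config spellings of the Step 5/6 commands (newer and older syntax).
NEW = re.compile(r"authentication event fail(?: retry (\d+))? action authorize vlan (\d+)")
OLD_VLAN = re.compile(r"dot1x auth-fail vlan (\d+)")
OLD_MAX = re.compile(r"dot1x auth-fail max-attempts (\d+)")

def audit(config, restricted_vlans):
    """Map each interface that has an auth-fail VLAN to its VLAN, attempts and issues."""
    report = {}
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, flags=re.M):
        lines = [line.strip() for line in body.splitlines()]
        vlan, attempts = None, 3  # 3 attempts is the default stated in Step 6
        for line in lines:
            if m := NEW.fullmatch(line):
                vlan, attempts = int(m.group(2)), int(m.group(1) or attempts)
            elif m := OLD_VLAN.fullmatch(line):
                vlan = int(m.group(1))
            elif m := OLD_MAX.fullmatch(line):
                attempts = int(m.group(1))
        if vlan is None:
            continue  # no authentication-failed VLAN on this port
        checks = [("switchport mode access" in lines, "not an access port (Step 3)"),
                  ("authentication port-control auto" in lines, "802.1X not enabled (Step 4)"),
                  (vlan in restricted_vlans, f"VLAN {vlan} not in the restricted list")]
        issues = [msg for ok, msg in checks if not ok]
        report[name] = {"vlan": vlan, "attempts": attempts, "issues": issues}
    return report
```

Calling `audit(SAMPLE_CONFIG, {40})` returns an entry for each of the first three ports and omits GigabitEthernet1/4, which has no authentication-failed VLAN.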
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex