Using IEEE 802.1x with Guest VLAN - Cisco Catalyst 2950 Software Configuration Manual


Chapter 9
Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide, 78-11380-12

If the multiple-hosts mode is enabled on an IEEE 802.1x port, all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host.
If IEEE 802.1x and port security are enabled on a port, the port is placed in the RADIUS-server assigned VLAN.
If IEEE 802.1x is disabled on the port, it is returned to the configured access VLAN.
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is placed in the configured access VLAN.
If an IEEE 802.1x port is authenticated and put in the RADIUS-server assigned VLAN, any change to the port access VLAN configuration does not take effect.
The IEEE 802.1x with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:
- Enable AAA authorization.
- Enable IEEE 802.1x (the VLAN assignment feature is automatically enabled when you configure IEEE 802.1x on an access port).
- Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:
  [64] Tunnel-Type = VLAN
  [65] Tunnel-Medium-Type = IEEE 802
  [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
  Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value IEEE 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user.
For examples of tunnel attributes, see the "Configuring the Switch to Use Vendor-Specific RADIUS Attributes" section on page 8-29.

Using IEEE 802.1x with Guest VLAN

You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when the authentication server does not receive a response to its EAPOL request/identity frame or when EAPOL packets are not sent by the client.
Before Cisco IOS Release 12.1(22)EA2, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. You can enable this optional behavior by using the dot1x guest-vlan supplicant global configuration command.
With Cisco IOS Release 12.1(22)EA2 and later, the switch maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, network access is denied. The EAPOL history is reset upon loss of the link.
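
For the VLAN assignment tasks described earlier on this page, an added example (not from the Cisco guide): a Python check that a RADIUS Access-Accept carries attributes [64], [65] and [81] with the values the switch requires, which helps when a port stays in its access VLAN because the server reply is incomplete. The RFC 2865/2868 wire layout, the function names and the VLAN name "engineering" are assumptions of this example.

```python
import struct

REQUIRED = {64: ("Tunnel-Type", 13), 65: ("Tunnel-Medium-Type", 6)}  # 13 = VLAN, 6 = IEEE 802
GROUP_ID = 81  # Tunnel-Private-Group-ID: VLAN name or VLAN ID


def parse_attributes(packet: bytes) -> dict:
    """Map attribute type -> first value seen, for an RFC 2865 RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad or truncated RADIUS header")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def check_vlan_assignment(packet: bytes):
    """Return (vlan, problems); vlan is None unless all three attributes are usable."""
    attrs, problems = parse_attributes(packet), []
    for a_type, (name, want) in REQUIRED.items():
        value = attrs.get(a_type)
        if value is None or len(value) != 4:  # RFC 2868: tag octet + 3-octet integer
            problems.append(f"[{a_type}] {name} missing or malformed")
        elif int.from_bytes(value[1:], "big") != want:
            problems.append(f"[{a_type}] {name} must be {want}")
    group = attrs.get(GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:  # leading octet <= 0x1F is an RFC 2868 tag
        group = group[1:]
    if not group:
        problems.append(f"[{GROUP_ID}] Tunnel-Private-Group-ID missing or empty")
    return (None if problems else group.decode("ascii", "replace")), problems


def build_accept(*attrs):
    """Constructed sample: Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body


# Constructed packets; the VLAN name "engineering" is an assumption.
GOOD = build_accept((64, bytes([0, 0, 0, 13])), (65, bytes([0, 0, 0, 6])), (81, b"engineering"))
BAD = build_accept((64, bytes([0, 0, 0, 3])), (81, b"engineering"))  # wrong [64], no [65]

if __name__ == "__main__":
    print(check_vlan_assignment(GOOD), check_vlan_assignment(BAD), sep="\n")
```

The check covers attribute presence and values only; it does not verify the Response Authenticator, so it is suited to reviewing captured or test replies rather than trusting live traffic.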
