Using 802.1X With Guest Vlan; Using 802.1X With Per-User Acls - Cisco Catalyst 3750 Software Configuration Manual

Understanding 802.1x Port-Based Authentication
To configure VLAN assignment you need to perform these tasks:

• Enable AAA authorization by using the network keyword to allow port configuration from the RADIUS server.

• Enable 802.1x. (The VLAN assignment feature is automatically enabled when you configure 802.1x on an access port.)

• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:

  – [64] Tunnel-Type = VLAN
  – [65] Tunnel-Medium-Type = 802
  – [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

  Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1x-authenticated user.

For examples of tunnel attributes, see the "Configuring the Switch to Use Vendor-Specific RADIUS Attributes" section on page 7-29.

Using 802.1x with Guest VLAN

You can configure a guest VLAN for each 802.1x port on the switch to provide limited services to clients (for example, how to download the 802.1x client). These clients might be upgrading their system for 802.1x authentication, and some hosts, such as Windows 98 systems, might not be 802.1x-capable.

When the authentication server does not receive a response to its EAPOL request/identity frame, clients that are not 802.1x-capable are put into the guest VLAN for the port, if one is configured. However, the server does not grant 802.1x-capable clients that fail authentication access to the network. Any number of hosts are allowed access when the switch port is moved to the guest VLAN. If an 802.1x-capable host joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.

Guest VLANs are supported on 802.1x ports in single-host or multiple-hosts mode.

You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

For more information, see the "Configuring a Guest VLAN" section on page 8-18.

Using 802.1x with Per-User ACLs

You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an 802.1x-authenticated user. When the RADIUS server authenticates a user connected to an 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the 802.1x port for the duration of the user session. The switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the switch removes the ACL from the port.

You can configure router ACLs and input port ACLs. However, a port ACL takes precedence over a router ACL. If you apply an input port ACL to a port that belongs to a VLAN, the port ACL takes precedence over an input router ACL applied to the VLAN interface. Incoming packets received on the

Catalyst 3750 Metro Switch Software Configuration Guide, 78-15870-01, Chapter 8 Configuring 802.1x Port-Based Authentication, page 8-8
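The VLAN assignment tasks above depend on the RADIUS server returning attributes [64], [65] and [81] with exactly the values the switch expects. As an added example (not code from the Cisco guide), the following Python decoder parses the attribute section of an Access-Accept, strips the RFC 2868 tag octet, and reports the assigned VLAN only when Tunnel-Type is VLAN (13) and Tunnel-Medium-Type is 802 (6); the sample packet bytes are constructed here, not captured from a real server.

```python
# Added example (not from the Cisco guide): decode a RADIUS Access-Accept's
# attribute section and check the three tunnel attributes (RFC 2868 tagging).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13    # value attribute [64] must carry
TUNNEL_MEDIUM_802 = 6    # value attribute [65] must carry

def parse_attributes(payload: bytes):
    """Split RADIUS attribute TLVs into (type, value) pairs; reject bad lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def untag_integer(value: bytes) -> int:
    """Tagged integer: one tag octet, then a 3-octet big-endian value."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    return int.from_bytes(value[1:], "big")

def untag_string(value: bytes) -> str:
    """Tagged string: a leading octet in 0x00..0x1F is a tag, else it is data."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii")

def assigned_vlan(payload: bytes):
    """VLAN name or ID assigned by the Access-Accept, or None when [64], [65]
    or [81] is missing or [64]/[65] are not VLAN (13) and 802 (6)."""
    found = dict(parse_attributes(payload))
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(t not in found for t in needed):
        return None
    if untag_integer(found[TUNNEL_TYPE]) != TUNNEL_TYPE_VLAN:
        return None
    if untag_integer(found[TUNNEL_MEDIUM_TYPE]) != TUNNEL_MEDIUM_802:
        return None
    return untag_string(found[TUNNEL_PRIVATE_GROUP_ID])

def tlv(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, total length, value."""
    return bytes([atype, len(value) + 2]) + value
# Constructed sample (tag 1) that assigns the user to VLAN "ENGINEERING".
GOOD = (tlv(64, b"\x01" + (13).to_bytes(3, "big"))
        + tlv(65, b"\x01" + (6).to_bytes(3, "big")) + tlv(81, b"\x01ENGINEERING"))
```

Attribute [81] may carry a VLAN ID as a digit string instead of a name; a leading digit is above 0x1F, so no tag is stripped from it.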