Port-Based Authentication Initiation And Message Exchange - Cisco Catalyst 2960-X Security Configuration Manual
Cisco ios release 15.0(2)ex
Hide thumbs
Also See for Catalyst 2960-X:
- Command reference manual (135 pages) ,
- Hardware installation manual (34 pages) ,
- Getting started manual (25 pages)
Table of Contents
Advertisement
Port-Based Authentication Initiation and Message Exchange
Port-Based Authentication Initiation and Message Exchange
During 802.1x authentication, the switch or the client can initiate authentication. If you enable authentication
on a port by using the authentication port-control auto interface configuration command, the switch initiates
authentication when the link state changes from down to up or periodically as long as the port remains up and
unauthenticated. The switch sends an EAP-request/identity frame to the client to request its identity. Upon
receipt of the frame, the client responds with an EAP-response/identity frame.
However, if during bootup, the client does not receive an EAP-request/identity frame from the switch, the
client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the
client's identity.
Note
If 802.1x authentication is not enabled or supported on the network access device, any EAPOL frames
from the client are dropped. If the client does not receive an EAP-request/identity frame after three attempts
to start authentication, the client sends frames as if the port is in the authorized state. A port in the authorized
state effectively means that the client has been successfully authenticated.
When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between
the client and the authentication server until authentication succeeds or fails. If the authentication succeeds,
the switch port becomes authorized. If the authentication fails, authentication can be retried, the port might
be assigned to a VLAN that provides limited services, or network access is not granted.
The specific exchange of EAP frames depends on the authentication method being used.
This figure shows a message exchange initiated by the client when the client uses the One-Time-Password
(OTP) authentication method with a RADIUS server.
Figure 19: Message Exchange
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
266
Configuring IEEE 802.1x Port-Based Authentication
OL-29048-01
Hide quick links:
Advertisement
Table of Contents
