X Authentication With Restricted Vlan; X Authentication With Inaccessible Authentication Bypass - Cisco IE-4000 Software Configuration Manual

Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication

802.1x Authentication with Restricted VLAN

You can configure a restricted VLAN (also referred to as an authentication failed VLAN) for each 802.1x port on a switch
to provide limited services to clients that cannot access the guest VLAN. These clients are 802.1x-compliant and cannot
access another VLAN because they fail the authentication process. A restricted VLAN allows users without valid
credentials in an authentication server (typically, visitors to an enterprise) to access a limited set of services. The
administrator can control the services available to the restricted VLAN.
Note: You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide the same
services to both types of users.
Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains in the
spanning-tree blocking state. With this feature, you can configure the switch port to be in the restricted VLAN after a
specified number of authentication attempts (the default value is 3 attempts).
The authenticator counts the failed authentication attempts for the client. When this count exceeds the configured
maximum number of authentication attempts, the port moves to the restricted VLAN. The failed attempt count increments
when the RADIUS server replies with either an EAP failure or an empty response without an EAP packet. When the port
moves into the restricted VLAN, the failed attempt counter resets.
Users who fail authentication remain in the restricted VLAN until the next reauthentication attempt. A port in the restricted
VLAN tries to reauthenticate at configured intervals (the default is 60 seconds). If reauthentication fails, the port remains
in the restricted VLAN. If reauthentication is successful, the port moves either to the configured VLAN or to a VLAN sent
by the RADIUS server. You can disable reauthentication. If you do this, the only way to restart the authentication process
is for the port to receive a link down or EAP logoff event. We recommend that you keep reauthentication enabled if a
client might connect through a hub. When a client disconnects from the hub, the port might not receive the link down or
EAP logoff event.
After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This prevents clients
from indefinitely attempting authentication. Some clients (for example, devices running Windows XP) cannot implement
DHCP without EAP success.
Restricted VLANs are supported only on 802.1x ports in single-host mode and on Layer 2 ports.
You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x
restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is
supported only on access ports.
Other security features such as dynamic ARP inspection, DHCP snooping, and IP source guard can be configured
independently on a restricted VLAN.
For more information, see

802.1x Authentication with Inaccessible Authentication Bypass

Use the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy, when
the switch cannot reach the configured RADIUS servers and new hosts cannot be authenticated. You can configure the
switch to connect those hosts to critical ports.
When a new host tries to connect to the critical port, that host is moved to a user-specified access VLAN, the critical
VLAN. The administrator gives limited authentication to the hosts.
When the switch tries to authenticate a host connected to a critical port, the switch checks the status of the configured
RADIUS server. If a server is available, the switch can authenticate the host. However, if all the RADIUS servers are
unavailable, the switch grants network access to the host and puts the port in the critical-authentication state, which is
a special case of the authentication state.
Configuring a Restricted VLAN, page 226.
207