Table of Contents
Advertisement
Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Support on Multiple-Authentication Ports
When a port is configured on any host mode and the AAA server is unavailable, the port is then configured to multi-host
mode and moved to the critical VLAN. To support this inaccessible bypass on multiple-authentication (multiauth) ports,
use the authentication event server dead action reinitialize vlan vlan-id command. When a new host tries to connect
to the critical port, that port is reinitialized and all the connected hosts are moved to the user-specified access VLAN.
This command is supported on all host modess.
Authentication Results
The behavior of the inaccessible authentication bypass feature depends on the authorization state of the port:
If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers are unavailable,
the switch puts the port in the critical-authentication state in the RADIUS-configured or user-specified access VLAN.
If the port is already authorized and reauthentication occurs, the switch puts the critical port in the
critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server.
If the RADIUS server becomes unavailable during an authentication exchange, the current exchange times out, and
the switch puts the critical port in the critical-authentication state during the next authentication attempt.
You can configure the critical port to reinitialize hosts and move them out of the critical VLAN when the RADIUS server
is again available. When this is configured, all critical ports in the critical-authentication state are automatically
reauthenticated. For more information, see
Feature Interactions
Inaccessible authentication bypass interacts with these features:
Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on
8021.x port, the features interact as follows:
—
If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when the switch does not
receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client.
—
If all the RADIUS servers are not available and the client is connected to a critical port, the switch authenticates
the client and puts the critical port in the critical-authentication state in the RADIUS-configured or
user-specified access VLAN.
—
If all the RADIUS servers are not available and the client is not connected to a critical port, the switch might not
assign clients to the guest VLAN if one is configured.
—
If all the RADIUS servers are not available and if a client is connected to a critical port and was previously
assigned to a guest VLAN, the switch keeps the port in the guest VLAN.
Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers are unavailable, the
switch puts the critical port in the critical-authentication state in the restricted VLAN.
802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port. The access VLAN
must be a secondary private VLAN.
Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the RADIUS-configured or
user-specified access VLAN and the voice VLAN must be different.
Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the RADIUS-configured or
user-specified access VLAN for inaccessible authentication bypass.
Configuring Inaccessible Authentication Bypass, page
208
227.
- Quick Links:
- Configuration Overview
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
