Vlan Id-Based Mac Authentication; 802.1X Authentication With Guest Vlan - Cisco Catalyst 2960-XR Security Configuration Manual

VLAN ID-based MAC Authentication

VLAN ID-based MAC Authentication
You can use VLAN ID-based MAC authentication if you wish to authenticate hosts based on a static VLAN
ID instead of a downloadable VLAN. When you have a static VLAN policy configured on your switch, VLAN
information is sent to an IAS (Microsoft) RADIUS server along with the MAC address of each host for
authentication. The VLAN ID configured on the connected port is used for MAC authentication. By using
VLAN ID-based MAC authentication with an IAS server, you can have a fixed number of VLANs in the
network.
The feature also limits the number of VLANs monitored and handled by STP. The network can be managed
as a fixed VLAN.
This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new
Note
hosts and only authenticates based on the MAC address.)

802.1x Authentication with Guest VLAN

You can configure a guest VLAN for each 802.1x port on the switch to provide limited services to clients,
such as downloading the 802.1x client. These clients might be upgrading their system for 802.1x authentication,
and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
When you enable a guest VLAN on an 802.1x port, the switch assigns clients to a guest VLAN when the
switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by
the client.
The switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the
lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable
supplicant, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface
link status goes down. If no EAPOL packet is detected on the interface, the interface changes to the guest
VLAN state.
If the switch is trying to authorize an 802.1x-capable voice device and the AAA server is unavailable, the
authorization attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history. When the
AAA server becomes available, the switch authorizes the voice device. However, the switch no longer allows
other devices access to the guest VLAN. To prevent this situation, use one of these command sequences:
• Enter the authentication event no-response action authorize vlan vlan-id interface configuration
• Enter the shutdown interface configuration command followed by the no shutdown interface
Use a restricted VLAN to allow clients that failed authentication access to the network by entering the dot1x
auth-fail vlan vlan-id interface configuration command.
If devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows clients
that fail authentication access to the guest VLAN.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
232
command to allow access to the guest VLAN.
configuration command to restart the port.
Configuring IEEE 802.1x Port-Based Authentication
OL-29434-01