Cisco Catalyst 3560X-24P Command Reference Manual page 59

Chapter 2 Catalyst 3750-X and 3560-X Switch Cisco IOS Commands
Usage Guidelines Use this command with the fail, no-response, or event keywords to configure the switch response for a
specific action.
For server-dead events:
•
•
For no-response events:
•
•
•
•
OL-21522-02
When the switch moves to the critical-authentication state, new hosts trying to authenticate are
moved to the critical-authentication VLAN (or critical VLAN). This applies whether the port is in
single-host, multiple-host, multiauth, or MDA mode. Authenticated hosts remain in the
authenticated VLAN, and the reauthentication timers are disabled.
If a client is running Windows XP and the critical port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server and
a critical port receives an EAP-Success message, the DHCP configuration process might not
re-initiate.
If you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN
when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL)
request/identity frame or when EAPOL packets are not sent by the client.
The switch maintains the EAPOL packet history. If another EAPOL packet is detected on the port
during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest
VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL
history is cleared.
If the switch port is moved to the guest VLAN (multi-host mode), multiple non-IEEE
802.1x-capable clients are allowed access . If an IEEE 802.1x-capable client joins the same port on
which the guest VLAN is configured, the port is put in the unauthorized state in the
RADIUS-configured or user-configured access VLAN, and authentication restarts.
You can configure any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN, a
primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature
is supported only on access ports. It is not supported on internal VLANs (routed ports) or trunk
ports.
When MAC authentication bypass is enabled on an IEEE 802.1x port, the switch can authorize
clients based on the client MAC address if IEEE 802.1x authentication times out while waiting for
an EAPOL message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for
an Ethernet packet from the client. The switch sends the authentication server a
RADIUS-access/request frame with a username and password based on the MAC address.
If authorization succeeds, the switch grants the client access to the network.
–
If authorization fails, the switch assigns the port to the guest VLAN if one is specified.
–
For more information, see the "Using IEEE 802.1x Authentication with MAC Authentication
Bypass" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the
software configuration guide.
Catalyst 3750-X and 3560-X Switch Command Reference
authentication event
2-27