Using 802.1X With VLAN Assignment - Cisco 4500M Software Manual

Chapter 31
Understanding and Configuring 802.1X Port-Based Authentication
• auto—Enables 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The switch can uniquely identify each client attempting to access the network by the client's MAC address.

If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port. If authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the switch can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails and network access is not granted.

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received by the port, the port returns to the unauthorized state.

Using 802.1X with VLAN Assignment

You can use the VLAN assignment to limit network access for certain users. With the VLAN assignment, 802.1X-authenticated ports are assigned to a VLAN based on the username of the client connected to that port. The RADIUS server database maintains the username-to-VLAN mappings. After successful 802.1X authentication of the port, the RADIUS server sends the VLAN assignment to the switch.

Note: To enable the guest VLAN feature in Release 12.1(19)EW and later releases, the port must be statically configured as an access port.

When configured on the switch and the RADIUS server, 802.1X with VLAN assignment has these characteristics:

• If no VLAN is supplied by the RADIUS server, the port is configured in its access VLAN when authentication succeeds.
• If the authentication server provides invalid VLAN information, the port remains unauthorized. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error. Configuration errors might occur if you specify a VLAN for a routed port, a malformed VLAN ID, or a nonexistent or internal (routed port) VLAN ID. Similarly, an error might occur if you make an assignment to a voice VLAN ID.
• If the authentication server provides valid VLAN information, the port is authorized and placed in the specified VLAN when authentication succeeds.
• If the multiple-hosts mode is enabled, all hosts are in the same VLAN as the first authenticated user.
• If 802.1X is disabled on the port, the port is returned to the configured access VLAN.

To configure VLAN assignment you need to perform these tasks:

• Enable AAA authorization with the network keyword to allow interface configuration from the RADIUS server. For an illustration of how to apply the aaa authorization network group radius command, refer to the section "Enabling 802.1X Authentication" on page 13.
• Enable 802.1X. (The VLAN assignment feature is automatically enabled when you configure 802.1X on an access port.)
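The characteristics above describe a fail-closed decision: anything the switch cannot map to a usable VLAN leaves the port unauthorized rather than dropping it into a wrong VLAN. The following Python model, added here and not taken from Cisco's software, walks through each case with constructed input. The RADIUS attribute names and values are the RFC 3580 VLAN-assignment triple (Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=VLAN ID or VLAN name), which this page does not spell out; the `Vlan` and `SwitchPort` classes, the `SAMPLE_VLANS` table and the choice to treat a partial attribute triple as malformed are assumptions of the model, not documented switch behaviour.

```python
"""Model of the VLAN-assignment decision a switch makes after 802.1X succeeds.

Added illustration (not Cisco code). Attribute names/values follow RFC 3580;
Vlan, SwitchPort and SAMPLE_VLANS are constructed stand-ins for switch state.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE_VLAN = 13      # RFC 2868 Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6  # RFC 2868 Tunnel-Medium-Type value "IEEE-802"
MAX_VLAN_ID = 4094


@dataclass
class Vlan:
    vlan_id: int
    name: str
    internal: bool = False   # internal VLAN backing a routed port (assumed flag)
    voice: bool = False      # configured as a voice VLAN (assumed flag)


@dataclass
class SwitchPort:
    access_vlan: int
    routed: bool = False
    multi_host: bool = False
    dot1x_enabled: bool = True
    authorized: bool = False
    vlan: Optional[int] = None
    hosts: List[str] = field(default_factory=list)


def vlan_from_accept(attrs: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Classify the VLAN information carried in an Access-Accept.

    Returns ("none", None) when no VLAN was supplied, ("vlan", group_id) for a
    consistent RFC 3580 triple, and ("malformed", None) otherwise. Treating a
    partial or inconsistent triple as malformed is this model's assumption.
    """
    keys = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")
    present = [k for k in keys if k in attrs]
    if not present:
        return "none", None
    if len(present) != len(keys):
        return "malformed", None
    if str(attrs["Tunnel-Type"]) != str(TUNNEL_TYPE_VLAN):
        return "malformed", None
    if str(attrs["Tunnel-Medium-Type"]) != str(TUNNEL_MEDIUM_IEEE802):
        return "malformed", None
    group = str(attrs["Tunnel-Private-Group-ID"]).strip()
    return ("vlan", group) if group else ("malformed", None)


def resolve_vlan(group: str, vlans: Dict[int, Vlan]) -> Optional[Vlan]:
    """Map a Tunnel-Private-Group-ID (numeric ID or VLAN name) to a VLAN, or None."""
    if group.isdigit():
        vid = int(group)
        return vlans.get(vid) if 1 <= vid <= MAX_VLAN_ID else None
    return next((v for v in vlans.values() if v.name == group), None)


def authorize(port: SwitchPort, mac: str, attrs: Dict[str, str],
              vlans: Dict[int, Vlan]) -> Tuple[str, Optional[int]]:
    """Apply the Access-Accept for `mac` to `port`; return (state, vlan_id)."""
    # Multiple-hosts mode: the first authenticated user picks the VLAN and
    # every later host on the port rides in that same VLAN.
    if port.multi_host and port.authorized:
        port.hosts.append(mac)
        return "authorized", port.vlan

    kind, group = vlan_from_accept(attrs)
    if kind == "none":
        chosen = port.access_vlan          # no VLAN supplied: configured access VLAN
    elif kind == "malformed" or port.routed:
        return "unauthorized", None        # malformed VLAN info, or a VLAN for a routed port
    else:
        vlan = resolve_vlan(group, vlans)
        if vlan is None or vlan.internal or vlan.voice:
            return "unauthorized", None    # nonexistent, internal or voice VLAN
        chosen = vlan.vlan_id

    port.authorized, port.vlan, port.hosts = True, chosen, [mac]
    return "authorized", chosen


def disable_dot1x(port: SwitchPort) -> int:
    """Disabling 802.1X returns the port to its configured access VLAN."""
    port.dot1x_enabled, port.authorized, port.hosts = False, False, []
    port.vlan = port.access_vlan
    return port.vlan


# Constructed VLAN table used by the examples.
SAMPLE_VLANS = {
    10: Vlan(10, "DEFAULT_ACCESS"),
    20: Vlan(20, "ENGINEERING"),
    100: Vlan(100, "VOICE", voice=True),
    1006: Vlan(1006, "RoutedPort-Gi1/1", internal=True),
}


def accept_vlan(group_id: str) -> Dict[str, str]:
    """Build the RFC 3580 triple a RADIUS server would put in an Access-Accept."""
    return {"Tunnel-Type": str(TUNNEL_TYPE_VLAN),
            "Tunnel-Medium-Type": str(TUNNEL_MEDIUM_IEEE802),
            "Tunnel-Private-Group-ID": group_id}


if __name__ == "__main__":
    port = SwitchPort(access_vlan=10)
    print(authorize(port, "00:11:22:33:44:55", accept_vlan("ENGINEERING"), SAMPLE_VLANS))
    print(authorize(SwitchPort(access_vlan=10), "00:11:22:33:44:66", accept_vlan("100"), SAMPLE_VLANS))
```

The practical check this suggests: when a supplicant authenticates but the port stays unauthorized, compare the Tunnel-Private-Group-ID the RADIUS server actually returned against the switch's VLAN database (name or ID, not a voice VLAN, not an internal VLAN) before assuming a credential problem.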
Software Configuration Guide—Release 12.2(25)EW, OL-6696-01, page 31-5