MAC Authentication Bypass; Configuring 802.1x Readiness Check - Cisco WS-C3020 Software Configuration Manual

Catalyst Blade Switch for HP

Chapter 8
Configuring IEEE 802.1x Port-Based Authentication

Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide (OL-8915-03), page 8-23
Configuring IEEE 802.1x Authentication

- When configuring the inaccessible authentication bypass feature, follow these guidelines:
  - The feature is supported on an IEEE 802.1x port in single-host mode and multihosts mode.
  - If the client is running Windows XP and the port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.
  - If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration process.
  - You can configure the inaccessible authentication bypass feature and the restricted VLAN on an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the RADIUS servers are unavailable, the switch changes the port state to the critical authentication state, and the port remains in the restricted VLAN.
  - You can configure the inaccessible bypass feature and port security on the same switch port.
- You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

MAC Authentication Bypass

These are the MAC authentication bypass configuration guidelines:

- Unless otherwise stated, the MAC authentication bypass guidelines are the same as the IEEE 802.1x authentication guidelines. For more information, see the "IEEE 802.1x Authentication" section on page 8-21.
- If you disable MAC authentication bypass from a port after the port has been authorized with its MAC address, the port state is not affected.
- If the port is in the unauthorized state and the client MAC address is not in the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the switch can use MAC authentication bypass to re-authorize the port.
- If the port is in the authorized state, the port remains in this state until re-authorization occurs.
- You can configure a timeout period for hosts that are connected by MAC authentication bypass but are inactive. The range is 1-65535 seconds. You must enable port security before configuring a timeout value. For more information, see the "Configuring Port Security" section on page 23-9.

Configuring 802.1x Readiness Check

The 802.1x readiness check monitors IEEE 802.1x activity on all the switch ports and displays information about the devices connected to the ports that support IEEE 802.1x. You can use this feature to determine if the devices connected to the switch ports are IEEE 802.1x-capable.

The 802.1x readiness check is allowed on all ports that can be configured for IEEE 802.1x. The readiness check is not available on a port that is configured as dot1x force-unauthorized.

Follow these guidelines to enable the readiness check on the switch:

- The readiness check is typically used before IEEE 802.1x is enabled on the switch.
- If you use the dot1x test eapol-capable privileged EXEC command without specifying an interface, all the ports on the switch stack are tested.
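
The following Python script is an added example, not part of the Cisco guide. It sorts the ports covered by a readiness check into 802.1x-capable, no response, and not testable (configured force-unauthorized), so that silent ports can be reviewed before IEEE 802.1x is enabled. The message format in the comment is an assumption (this page does not show the command output), and the port names and MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed shape of the message logged for a responding client (not shown on this page):
#   DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC <mac> on <interface> is EAPOL capable
CAPABLE_RE = re.compile(
    r"DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}) on (?P<port>\S+) is EAPOL capable"
)


def classify_ports(tested_ports, force_unauthorized, log_lines):
    """Group tested ports by readiness-check outcome.

    Port names are compared case-insensitively and must use the same
    (unabbreviated) form in all three inputs.
    """
    capable = defaultdict(set)
    for line in log_lines:
        m = CAPABLE_RE.search(line)
        if m:
            mac = m["mac"].lower().replace(":", "-")
            capable[m["port"].lower()].add(mac)

    skip = {p.lower() for p in force_unauthorized}
    report = {"capable": {}, "no_response": [], "not_testable": []}
    for port in sorted({p.lower() for p in tested_ports}):
        if port in skip:
            # The readiness check is not available on force-unauthorized ports,
            # so silence here says nothing about the attached device.
            report["not_testable"].append(port)
        elif port in capable:
            report["capable"][port] = sorted(capable[port])
        else:
            # No EAPOL response seen: review before enabling IEEE 802.1x.
            report["no_response"].append(port)
    return report


# Constructed sample data (not captured from a real switch).
SAMPLE_TESTED = ["GigabitEthernet0/13", "GigabitEthernet0/14",
                 "GigabitEthernet0/15", "GigabitEthernet0/16"]
SAMPLE_FORCE_UNAUTH = ["GigabitEthernet0/16"]
SAMPLE_LOG = [
    "DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 02-00-5e-10-00-01 on gigabitethernet0/13 is EAPOL capable",
    "DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 02:00:5E:10:00:02 on GigabitEthernet0/14 is EAPOL capable",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/15, changed state to up",
]

if __name__ == "__main__":
    print(classify_ports(SAMPLE_TESTED, SAMPLE_FORCE_UNAUTH, SAMPLE_LOG))
```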

This manual is also suitable for:

Catalyst 3020