Understanding How 802.1X Authentication With DHCP Works; Understanding How 802.1X Authentication On Ports Configured For Auxiliary VLAN Traffic Works - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch
Understanding How 802.1X Authentication Works

Understanding How 802.1X Authentication with DHCP Works

The 802.1X authentication support for the Dynamic Host Configuration Protocol (DHCP) allows the DHCP server to assign IP addresses to different classes of end users by adding the authenticated user identity into the DHCP discovery process. This feature allows you to secure the IP addresses given to the end users for accounting purposes and to grant services that are based on Layer 3 criteria. Once the RADIUS server authenticates the supplicant, the DHCP server keeps an authenticated user identity that is associated with the IP address lease. This authenticated user identity is then added to the DHCP discovery process so that different addresses can be assigned to different classes of users.

After successful 802.1X authentication between the supplicant and the RADIUS server, the switch puts the port in the forwarding state and stores the attributes that it receives from the RADIUS server. These attributes are used to map to an address pool in the DHCP server. Because the switch can act as a DHCP relay agent, it can receive DHCP messages and regenerate those messages for transmission on another interface. When the supplicant performs DHCP discovery (following authentication), the DHCP relay agent on the supervisor engine receives the packet, adds the stored attributes that it received from the RADIUS server to the DHCP discovery packet, and submits the discovery broadcast again. The user-to-IP-address mapping can be on a one-to-one, one-to-many, or many-to-many basis. The one-to-many mapping allows the same user to authenticate through 802.1X hosts on multiple ports.
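The relay step described above, modelled in a short added example that is not Cisco's code and not taken from this guide: a supplicant's DHCPDISCOVER is parsed, the switch's relay agent refuses to forward it unless the port has a stored authenticated identity, attaches that identity to the discovery, sets giaddr to its own interface, and the DHCP server picks an address pool from the identity. The guide does not say which DHCP option the supervisor engine uses to carry the attributes; carrying them in a sub-option of the relay agent information option (82, RFC 3046) with sub-option number 250, the relay address 10.0.0.1, the identities alice and bob, and the two address pools are all constructed assumptions of this example.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255   # 82 = relay agent information (RFC 3046)
SUBOPT_USER_IDENTITY = 250      # constructed sub-option number for the stored identity (assumption)
DHCPDISCOVER = 1
RELAY_IP = int(ipaddress.IPv4Address("10.0.0.1"))      # constructed relay interface address


def build_discover(client_mac: bytes, xid: int = 0x1234) -> bytes:
    """Build a minimal BOOTP/DHCPDISCOVER as a supplicant host would send it after authentication."""
    fixed = struct.pack("!BBBBIHHIIII16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        0, 0, 0, 0, client_mac.ljust(16, b"\0"), b"", b"")
    return fixed + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def parse_tlvs(data: bytes, end=OPT_END) -> dict:
    """Parse TLV-encoded DHCP options (or option 82 sub-options, which have no END marker)."""
    i, out = 0, {}
    while i < len(data):
        code = data[i]
        if code == end:
            break
        if code == 0:                    # pad byte
            i += 1
            continue
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def encode_tlvs(items: dict) -> bytes:
    return b"".join(bytes([code, len(value)]) + value for code, value in items.items())


def relay_discover(pkt: bytes, port: str, stored_attrs: dict) -> bytes:
    """Model of the switch's DHCP relay agent. stored_attrs maps a port to the identity the switch
    kept from the RADIUS exchange; a port with nothing stored was never authorized, so its
    discovery is not relayed at all."""
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    identity = stored_attrs.get(port)
    if identity is None:
        raise PermissionError(f"port {port} has no authenticated identity; discovery not relayed")
    opts = parse_tlvs(pkt[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("this model only handles DHCPDISCOVER")
    if OPT_RELAY_AGENT in opts:
        # In this model the relay is the only party trusted to supply the identity, so a
        # discovery that already carries option 82 is dropped rather than forwarded.
        raise ValueError("client-supplied relay agent information rejected")
    opts[OPT_RELAY_AGENT] = encode_tlvs({SUBOPT_USER_IDENTITY: identity.encode()})
    header = pkt[:24] + struct.pack("!I", RELAY_IP) + pkt[28:240]   # giaddr = relay's address
    return header + encode_tlvs(opts) + bytes([OPT_END])


IDENTITY_CLASS = {"alice": "staff", "bob": "guest"}              # constructed identities
CLASS_POOL = {"staff": ipaddress.ip_network("10.10.0.0/24"),    # constructed address pools
              "guest": ipaddress.ip_network("10.20.0.0/24")}


def server_select_pool(relayed: bytes) -> ipaddress.IPv4Network:
    """Model of the DHCP server side: map the relayed identity to the pool it leases from."""
    opts = parse_tlvs(relayed[240:])
    sub = parse_tlvs(opts.get(OPT_RELAY_AGENT, b""), end=None)
    identity = sub.get(SUBOPT_USER_IDENTITY, b"").decode()
    user_class = IDENTITY_CLASS.get(identity)
    if user_class is None:
        raise LookupError("no authenticated identity in discovery; no pool selected")
    return CLASS_POOL[user_class]


if __name__ == "__main__":
    discover = build_discover(b"\x00\x11\x22\x33\x44\x55")       # constructed client MAC
    relayed = relay_discover(discover, "3/1", {"3/1": "alice"})
    print("pool for alice on port 3/1:", server_select_pool(relayed))
```

The two failure paths are the ones worth keeping in mind when operating this feature: a port that never completed 802.1X has nothing stored, so its discovery is not relayed, and a discovery that reaches the server without the relay-added identity cannot be mapped to any pool.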
Understanding How 802.1X Authentication on Ports Configured for Auxiliary VLAN Traffic Works
You can enable 802.1X on a Multiple VLAN Access Port (MVAP), and you can enable an auxiliary VLAN ID on an 802.1X port.

The ports that are configured for 802.1X authentication and an auxiliary VLAN must be in single-host authentication mode to forward the auxiliary VLAN-tagged packets from an IP phone. Because the IP phones do not have host PAE capability, when the auxiliary VLAN-tagged packets from the IP phone are received on a port that is configured for 802.1X authentication, the packets are forwarded as authorized traffic.

A host PAE that is connected behind an IP phone will be authenticated. Only the traffic from the host PAE behind the IP phone is forwarded after authentication.

Note
If a new host PAE is connected to an IP phone that is connected to an 802.1X-enabled auxiliary VLAN port, after removing the old host, the new host PAE will be authenticated. Only the traffic from the new host PAE is forwarded after authentication.
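The forwarding rules in this section and its note, as an added example rather than code from the guide or from Cisco: a single-host 802.1X port with an auxiliary VLAN forwards frames tagged with the auxiliary VLAN without authentication (the phone has no PAE), forwards untagged frames only from the one host PAE that has authenticated, and accepts a new host only after the old one has been removed. The Frame and AuxVlanPort types, the port API, VLAN 100, and the MAC addresses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    src_mac: str
    vlan: Optional[int]        # 802.1Q tag on the frame, None when untagged


@dataclass
class AuxVlanPort:
    """Model of an 802.1X port in single-host mode with an auxiliary VLAN configured."""
    aux_vlan: int
    authorized_mac: Optional[str] = None     # the single host PAE that has authenticated

    def authenticate(self, mac: str, radius_accept: bool) -> bool:
        """Outcome of a host PAE's EAP exchange. In single-host mode a second host cannot be
        authorized while the first is still present; the old host must be removed first."""
        if self.authorized_mac is not None and self.authorized_mac != mac:
            return False
        if radius_accept:
            self.authorized_mac = mac
        return radius_accept

    def host_removed(self, mac: str) -> None:
        """The authenticated host is disconnected from the phone; the port is unauthorized again."""
        if self.authorized_mac == mac:
            self.authorized_mac = None

    def forwards(self, frame: Frame) -> bool:
        """Forwarding decision for one frame arriving on the port."""
        if frame.vlan == self.aux_vlan:
            return True        # phone traffic tagged with the auxiliary VLAN is treated as authorized
        return frame.src_mac == self.authorized_mac   # only the authenticated host PAE's traffic


def walk_through() -> list:
    """Replay the scenario from the section and its note; returns the forwarding decisions."""
    port = AuxVlanPort(aux_vlan=100)                      # constructed auxiliary VLAN
    phone, host_a, host_b = "00:00:00:00:00:01", "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    decisions = []
    decisions.append(port.forwards(Frame(phone, 100)))      # phone, before any authentication
    decisions.append(port.forwards(Frame(host_a, None)))    # host A before authenticating
    port.authenticate(host_a, radius_accept=True)
    decisions.append(port.forwards(Frame(host_a, None)))    # host A after authenticating
    decisions.append(port.authenticate(host_b, radius_accept=True))   # B while A still present
    decisions.append(port.forwards(Frame(host_b, None)))    # B's traffic is not forwarded
    port.host_removed(host_a)
    decisions.append(port.authenticate(host_b, radius_accept=True))   # B after A is removed
    decisions.append(port.forwards(Frame(host_b, None)))    # now only B's traffic is forwarded
    decisions.append(port.forwards(Frame(host_a, None)))
    return decisions


if __name__ == "__main__":
    print(walk_through())
```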
Catalyst 6500 Series Switch Software Configuration Guide, Release 8.7, Chapter 40, Configuring 802.1X Authentication, page 40-8, OL-8978-04
