Understanding How 802.1X Authentication For The Guest Vlan Works - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Chapter 40
Configuring 802.1X Authentication

Understanding How 802.1X Authentication for the Guest VLAN Works

This section describes the 802.1X authentication for the guest VLANs.

A guest VLAN enables the non-802.1X capable hosts to access the networks that use 802.1X
authentication. You can use the guest VLANs while you are upgrading your system to support the
802.1X authentication.

When you configure a VLAN as an 802.1X guest VLAN, all the non-802.1X capable hosts are put in
this VLAN. You can configure any VLAN (except for the private VLANs and RSPAN VLANs) as a guest
VLAN. If a port is already forwarding on the guest VLAN and you enable 802.1X support on the network
interface of the host, the port is immediately moved out of the guest VLAN and the authenticator waits
for authentication to occur.

Note: In software release 8.6(1) and later releases, a private VLAN and a secondary VLAN can be configured as
the guest VLAN. For more information, see the "Configuring 802.1X Authentication with Private VLANs" section.

Enabling 802.1X authentication on a port starts the 802.1X protocol. If the host fails to respond to the
packets from the authenticator within a certain amount of time, the authenticator puts the port in the
guest VLAN.

Note: The guest VLANs are supported in both single-authentication mode and multiple-host mode.

Contrast the guest VLAN feature with the authentication failure VLAN feature. On a traditional 802.1X
port, the switch does not provide access to the network until the supplicant that is connected to the port
is authenticated by verifying its identity information with an authentication server. With an authentication
failure VLAN, you can configure the authentication failure VLAN on a per-port basis and after three failed
802.1X authentication attempts by the supplicant, the port is moved to the authentication failure VLAN where
the supplicant can access the network.
An authentication failure VLAN is independent of the guest VLAN. However, the guest VLAN can be
the same VLAN as the authentication failure VLAN. If you do not want to differentiate between the
non-802.1X capable hosts and the authentication failed hosts, you may configure both hosts to the same
VLAN (either a guest VLAN or an authentication failure VLAN).
For more information, see the "Configuring the Authentication Failure VLAN" section.
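
The placement rules described in this section, written out as a small Python model of one port. This is an added example, not Cisco code or switch configuration. The event and state names, `data_vlan` and the helper functions are assumptions made for illustration, and the response timeout is reduced to a single `NO_RESPONSE` event because the text gives no value for it.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Optional, Set, Tuple


class Event(Enum):  # event names are constructed for this example
    NO_RESPONSE = auto()  # host never answered the authenticator in time
    EAPOL_SEEN = auto()   # 802.1X was enabled on the host's interface
    AUTH_FAIL = auto()    # one failed 802.1X attempt by the supplicant
    AUTH_OK = auto()      # authentication server verified the supplicant


MAX_FAILURES = 3  # per the text: three failed attempts


@dataclass
class Port:
    guest_vlan: Optional[int] = None      # None: feature not configured
    auth_fail_vlan: Optional[int] = None  # per-port; may equal guest_vlan
    data_vlan: int = 10                   # constructed VLAN for authenticated hosts
    state: str = "connecting"
    vlan: Optional[int] = None            # None: port is not forwarding
    failures: int = 0

    def handle(self, ev: Event) -> Tuple[str, Optional[int]]:
        if ev is Event.NO_RESPONSE and self.state == "connecting":
            if self.guest_vlan is not None:
                self.state, self.vlan = "guest", self.guest_vlan
        elif ev is Event.EAPOL_SEEN and self.state == "guest":
            # Moved out of the guest VLAN at once; wait for authentication.
            self.state, self.vlan = "connecting", None
        elif ev is Event.AUTH_FAIL:
            self.failures += 1
            if self.failures >= MAX_FAILURES and self.auth_fail_vlan is not None:
                self.state, self.vlan = "auth-fail", self.auth_fail_vlan
            else:
                self.state, self.vlan = "connecting", None
        elif ev is Event.AUTH_OK:
            self.state, self.vlan, self.failures = "authorized", self.data_vlan, 0
        return self.state, self.vlan


def replay(port: Port, events: List[Event]) -> List[Tuple[str, Optional[int]]]:
    """Feed events to the port and return (state, vlan) after each one."""
    return [port.handle(ev) for ev in events]


def unauthenticated_vlans(port: Port) -> Set[int]:
    """VLANs a host can land in without ever proving its identity."""
    return {v for v in (port.guest_vlan, port.auth_fail_vlan) if v is not None}
```

`unauthenticated_vlans` returns the VLANs whose reachability should be reviewed, since hosts are placed there without a successful authentication.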

Usage Guidelines for 802.1X Authentication with the Guest VLANs on Windows-XP Hosts

This section describes the usage guidelines for configuring 802.1X authentication with the guest VLANs
on Windows-XP hosts:
If a guest VLAN is enabled on a port, that port cannot be configured as a unidirectional port, and
conversely, a unidirectional port cannot be configured in a guest VLAN.

If the host fails to respond to the authenticator, the port remains in the connecting state for
180 seconds. After this time, the login/password window does not appear on the host. The
workaround is to have the user unplug and then reconnect the network interface cable.

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04)
