Authentication Process - Cisco Catalyst 3750-X Software Configuration Manual
Hide thumbs
Also See for Catalyst 3750-X:
- Command reference manual (1244 pages) ,
- Message manual (150 pages) ,
- Getting started manual (22 pages)
Table of Contents
Advertisement
Understanding IEEE 802.1x Port-Based Authentication
Authentication Process
When 802.1x port-based authentication is enabled and the client supports 802.1x-compliant client
software, these events occur:
•
•
•
•
Note
Figure 11-2
If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions
that are applicable to voice authorization. For more information on MDA, see
Authentication" section on page
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
11-4
The devices that can act as intermediaries include the Catalyst 3750-X, Catalyst 3750-E, Catalyst
3750, Catalyst 3650-X, Catalyst 3560-E, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst
2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These
devices must be running software that supports the RADIUS client and IEEE 802.1x authentication.
If the client identity is valid and the 802.1x authentication succeeds, the switch grants the client
access to the network.
If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC
authentication bypass is enabled, the switch can use the client MAC address for authorization. If the
client MAC address is valid and the authorization succeeds, the switch grants the client access to the
network. If the client MAC address is invalid and the authorization fails, the switch assigns the client
to a guest VLAN that provides limited services if a guest VLAN is configured.
If the switch gets an invalid identity from an 802.1x-capable client and a restricted VLAN is
specified, the switch can assign the client to a restricted VLAN that provides limited services.
If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass
is enabled, the switch grants the client access to the network by putting the port in the
critical-authentication state in the RADIUS-configured or the user-specified access VLAN.
Inaccessible authentication bypass is also referred to as critical authentication or the AAA fail
policy.
shows the authentication process.
Chapter 11
11-27.
Configuring IEEE 802.1x Port-Based Authentication
"Multidomain
OL-21521-01
- Quick Links:
- Table of Contents
- Deployment Features
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
