Cisco Catalyst 3750-X Software Configuration Manual page 295

Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01

Chapter 11
Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication

Figure 11-2 Authentication Flowchart

[Flowchart not reproduced. Recoverable steps:
Start: Is the client IEEE 802.1x capable?
Yes: Start IEEE 802.1x port-based authentication. If the client identity is valid, assign the port to a VLAN. If the client identity is invalid, assign the port to a restricted VLAN. If all authentication servers are down, use inaccessible authentication bypass (critical authentication) to assign the critical port to a VLAN.
No: The IEEE 802.1x authentication process times out. Is MAC authentication bypass enabled? If yes, use MAC authentication bypass (note 1). If the client MAC address identity is valid, assign the port to a VLAN. If the client MAC address identity is invalid, assign the port to a guest VLAN.
Other labeled transition: The switch gets an EAPOL message, and the EAPOL message exchange begins.]

1 = This occurs if the switch does not detect EAPOL packets from the client.

The switch re-authenticates a client when one of these situations occurs:

Periodic re-authentication is enabled, and the re-authentication timer expires.

You can configure the re-authentication timer to use a switch-specific value or to be based on values from the RADIUS server.

After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]).

The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs.
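
The following Python code is an added example, not taken from the Cisco guide: it parses a RADIUS Access-Accept in the RFC 2865 wire format, reads Session-Timeout (Attribute[27]) and Termination-Action (Attribute[29]), and picks the re-authentication timer from either the server value or a switch-specific value. The function names, the 3600-second local value, the fallback to the local timer when the server sends no Session-Timeout, and the Termination-Action value names (from RFC 2865) are assumptions that do not come from this page.

```python
import struct

ACCESS_ACCEPT = 2                                # RADIUS packet code (RFC 2865)
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29     # Attribute[27], Attribute[29]
ACTIONS = {0: "Default", 1: "RADIUS-Request"}    # RFC 2865 names, not from this page

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} for one Access-Accept packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = {}, 20                          # attributes follow the authenticator
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs[packet[pos]] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def as_uint32(attrs: dict, a_type: int):
    """Decode a 4-byte integer attribute, or None when it is absent."""
    if a_type not in attrs:
        return None
    if len(attrs[a_type]) != 4:
        raise ValueError(f"attribute {a_type} is not a 4-byte integer")
    return struct.unpack("!I", attrs[a_type])[0]

def reauth_plan(packet: bytes, use_server: bool, local_timer: int = 3600) -> dict:
    """Choose the re-authentication timer (fallback to local is an assumption)."""
    attrs = parse_attributes(packet)
    timeout = as_uint32(attrs, SESSION_TIMEOUT)
    action = as_uint32(attrs, TERMINATION_ACTION)
    from_server = use_server and timeout is not None
    return {"timer_s": timeout if from_server else local_timer,
            "source": "radius" if from_server else "switch",
            "action": ACTIONS.get(action, action)}

def build_accept(*pairs) -> bytes:
    """Constructed sample packet; the 16-byte authenticator is zeroed, not verified."""
    body = b"".join(bytes([t, 6]) + struct.pack("!I", v) for t, v in pairs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = build_accept((SESSION_TIMEOUT, 1800), (TERMINATION_ACTION, 1))
```

The parser rejects packets whose length field or attribute lengths run past the data, so a truncated or malformed Access-Accept cannot silently yield a timer value.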
