Configuring 802.1X With Inaccessible Authentication Bypass - Cisco Catalyst 4500 Series Configuration Manual

Configuring 802.1X Port-Based Authentication
QuietPeriod
ServerTimeout
SuppTimeout
ReAuthPeriod
ReAuthMax
MaxReq
TxPeriod
RateLimitPeriod
Mac-Auth-Bypass
Dot1x Authenticator Client List
-------------------------------
Supplicant
Auth SM State
Auth BEND SM Stat = IDLE
Port Status
Authentication Method
Authorized By
Vlan Policy
Switch#

Configuring 802.1X with Inaccessible Authentication Bypass

Caution You must configure the switch to monitor the state of the RADIUS server as described in the section
Configuring Switch-to-RADIUS-Server Communication, page 44-32
Bypass to work properly. Specifically, you must configure the RADIUS test username, idle-time,
deadtime and dead-criteria. Failure to do so results in the switch failing to detect that the RADIUS server
has gone down, or prematurely marking a dead RADIUS server as alive again.
To configure a port as a critical port and to enable the Inaccessible Authentication Bypass feature,
perform this task:
Command
Step 1
Switch# configure terminal
Step 2
Switch(config)# dot1x critical
eapol
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
44-60
= 60
= 30
= 30
= 3600 (Locally configured)
= 2
= 2
= 1
= 0
= Enabled
= 0000.0000.0001
= AUTHENTICATED
= AUTHORIZED
= MAB
= Authentication Server
= N/A
Purpose
Enters global configuration mode.
(Optional) Configures whether to send an EAPOL-Success packet when
a port is critically authorized partway through an EAP exchange.
Note Some supplicants require this.
The default is not to send EAPOL-Success packets when a port is
critically authorized partway through an EAP exchange. If there is no
ongoing EAP exchange at the time when a port is critically authorized,
EAPOL-Success packet is always sent out regardless of this option.
Chapter 44 Configuring 802.1X Port-Based Authentication
for Inaccessible Authentication
OL-25340-01