Usage Guidelines For Using 802.1X Authentication With Guest Vlans On Windows-Xp Hosts - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

About 802.1X Port-Based Authentication

Usage Guidelines for Using 802.1X Authentication with Guest VLANs on Windows-XP Hosts

When using 802.1X authentication with guest VLANs on Windows-XP hosts, consider these guidelines:

- If the host fails to respond to the authenticator, the port attempts to connect three times (with a 30-second timeout between each attempt). After this time, the login/password window does not appear on the host, so you must unplug and reconnect the network interface cable.

- Hosts responding with an incorrect login/password fail authentication. Hosts failing authentication are not put in the guest VLAN. The first time that a host fails authentication, the quiet-period timer starts, and no activity occurs for the duration of the quiet-period timer. When the quiet-period timer expires, the host is presented with the login and password window. If the host fails authentication for the second time, the quiet-period timer starts again, and no activity occurs for the duration of the quiet-period timer. The host is presented with the login and password window a third time. If the host fails authentication the third time, the port is placed in the unauthorized state, and you must disconnect and reconnect the network interface cable.

Using 802.1X with MAC Authentication Bypass

The 802.1X protocol has three entities: the client (supplicant), the authenticator, and the authentication server. Typically, the host PC runs the supplicant software and tries to authenticate itself by sending its credentials to the authenticator, which in turn relays that information to the authentication server for authentication.

However, not all hosts have supplicant functionality. Devices that cannot authenticate themselves using 802.1X but still need network access can use MAC Authentication Bypass (MAB), which uses the connecting device's MAC address to grant or deny network access. Typically, you use this feature on ports where devices such as printers are connected; such devices do not have 802.1X supplicant functionality.

In a typical deployment, the RADIUS server maintains a database of MAC addresses that require access. When this feature detects a new MAC address on a port, it generates a RADIUS request with both the username and the password set to the device's MAC address. After authorization succeeds, the port is accessible to that device, using the same code path that 802.1X authentication takes when processing an 802.1X supplicant. If authentication fails, the port moves to the guest VLAN if one is configured; otherwise it remains unauthorized.

The Catalyst 4500 series switch also supports reauthentication of MAC addresses on a per-port basis. Be aware that the reauthentication functionality is provided by 802.1X and is not MAB specific. In reauthentication mode, a port stays in the previously RADIUS-sent VLAN and tries to reauthenticate itself. If the reauthentication succeeds, the port stays in the RADIUS-sent VLAN. Otherwise, the port becomes unauthorized and moves to the guest VLAN if one is configured.

For details on how to configure MAB, see the "Configuring 802.1X with MAC Authentication Bypass" section on page 44-58.

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG, Chapter 44, Configuring 802.1X Port-Based Authentication, page 44-12, OL-25340-01
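The port-authorization rules in the two passages above (the guest-VLAN guidelines for Windows-XP hosts and the MAB section) are easy to misread when deciding what a failed login, a silent host or a failed MAB lookup should produce. The following Python model is an added example, not Cisco code and not the switch's implementation; it encodes exactly the branches the text describes so each one can be exercised. It assumes that the MAC address is sent to RADIUS as 12 lowercase hex digits and that the quiet period is 60 seconds (the text names the timer but not its length); RadiusServer, Port and every method name are hypothetical.

```python
# Added example (not Cisco code): a model of the port-authorization rules in this
# section. Assumed here, not stated in the text: the MAC goes to RADIUS as 12
# lowercase hex digits, and the quiet period is 60 seconds.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"        # in the RADIUS-sent VLAN
    GUEST_VLAN = "guest-vlan"
    QUIET_PERIOD = "quiet-period"    # failed login; waiting before the next prompt


MAX_LOGIN_FAILURES = 3      # third wrong password: port unauthorized, reseat cable
MAX_EAP_ATTEMPTS = 3        # authenticator stops after three unanswered attempts
EAP_TIMEOUT_SECONDS = 30    # wait between those attempts (from the text)
QUIET_PERIOD_SECONDS = 60   # assumed length; the text names the timer only


def mab_credentials(mac: str) -> Tuple[str, str]:
    """RADIUS username and password for MAB: both carry the device MAC."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits, digits


@dataclass
class RadiusServer:
    """Stand-in for the RADIUS MAC database: normalized MAC -> VLAN to assign."""
    mac_vlans: Dict[str, int] = field(default_factory=dict)

    def authorize_mab(self, username: str, password: str) -> Optional[int]:
        return self.mac_vlans.get(username) if username == password else None


@dataclass
class Port:
    guest_vlan: Optional[int] = None  # None: no guest VLAN configured
    state: PortState = PortState.UNAUTHORIZED
    vlan: Optional[int] = None
    login_failures: int = 0
    eap_attempts: int = 0
    quiet_until: float = 0.0
    needs_link_reset: bool = False    # only unplug/reconnect clears this

    def _fallback(self) -> PortState:
        """Where the port lands when MAB or reauthentication fails."""
        self.vlan = self.guest_vlan
        self.state = PortState.GUEST_VLAN if self.vlan is not None else PortState.UNAUTHORIZED
        return self.state

    def mab(self, mac: str, server: RadiusServer) -> PortState:
        """New MAC seen on the port: access is decided on the MAC alone."""
        if self.needs_link_reset:
            return self.state
        vlan = server.authorize_mab(*mab_credentials(mac))
        if vlan is None:
            return self._fallback()
        self.state, self.vlan = PortState.AUTHORIZED, vlan
        return self.state

    def reauthenticate(self, mac: str, server: RadiusServer) -> PortState:
        """Stay in the RADIUS-sent VLAN while reauthentication succeeds."""
        if self.state != PortState.AUTHORIZED:
            return self.state
        vlan = server.authorize_mab(*mab_credentials(mac))
        if vlan is None:
            return self._fallback()
        self.vlan = vlan
        return self.state

    def supplicant_timeout(self) -> bool:
        """No reply within EAP_TIMEOUT_SECONDS. True while the authenticator
        will retry; after the third attempt no login window appears."""
        self.eap_attempts += 1
        if self.eap_attempts >= MAX_EAP_ATTEMPTS:
            self.needs_link_reset = True
        return not self.needs_link_reset

    def dot1x_login(self, password_ok: bool, now: float) -> PortState:
        """One supplicant login attempt at time `now` (seconds). Failed
        logins never reach the guest VLAN."""
        if self.needs_link_reset or now < self.quiet_until:
            return self.state  # nothing happens until the timer expires
        if password_ok:
            self.state, self.login_failures = PortState.AUTHORIZED, 0
            return self.state
        self.login_failures += 1
        if self.login_failures >= MAX_LOGIN_FAILURES:
            self.state, self.vlan, self.needs_link_reset = PortState.UNAUTHORIZED, None, True
        else:
            self.quiet_until = now + QUIET_PERIOD_SECONDS
            self.state = PortState.QUIET_PERIOD
        return self.state

    def link_reset(self) -> None:
        """Unplug and reconnect the cable: the port starts over."""
        self.state, self.vlan, self.needs_link_reset = PortState.UNAUTHORIZED, None, False
        self.login_failures = self.eap_attempts = 0
        self.quiet_until = 0.0
```

Two details worth noticing when stepping through the model: a wrong password during the quiet period is simply ignored (the failure counter does not advance), and a third failure locks the port in the unauthorized state regardless of whether a guest VLAN exists, whereas a MAB failure on the same port would have placed it in that guest VLAN.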