Using 802.1X With Web-Based Authentication - Cisco Catalyst 4500 series Administration Manual

Chapter 46 Configuring 802.1X Port-Based Authentication
•
•
•
•

Using 802.1X with Web-Based Authentication

The web-based authentication feature, known as Web Authentication Proxy, allows you to authenticate
end users on host systems that do not run the IEEE 802.1X supplicant.
When configuring web-based authentication, consider these guidelines:
•
•
•
For detailed information on configuring web-based authentication, see
Web-Based Authentication."
Using 802.1X with Inaccessible Authentication Bypass
When a switch cannot reach the configured RADIUS servers and clients (supplicants) cannot be
authenticated, you can configure a switch to allow network access to hosts connected to critical ports
that are enabled for Inaccessible Authentication Bypass.
When Inaccessible Authentication Bypass is enabled, a switch monitors the status of the configured
RADIUS servers. If no RADIUS servers are available, clients that fail authentication due to server
unavailability are authorized. Inaccessible Authentication Bypass can be enabled for data clients and
voice clients. For data clients, you can specify an Inaccessible Authentication Bypass VLAN on a
per-port basis. For voice clients they are authorized in the configured voice vlan. Inaccessible
Authentication Bypass for voice clients can activate in Multiple Domain Authentication and Multiple
Authentication modes, in which authentication is enforced for voice devices.
OL_28731-01
When both MAB and guest VLAN are configured and no EAPOL packets are received on a port, the
802.1X state-machine is moved to a MAB state where it opens the port to listen to traffic and grab
MAC addresses. The port remains in this state forever waiting to see a MAC on the port. A detected
MAC address that fails authorization causes the port to be moved to the guest VLAN if configured.
While in a guest VLAN, a port is open to all traffic on the specified guest VLAN. Non-802.1X
supplicants that normally would be authorized but are in guest VLAN due to the earlier detection of
a device that failed authorization, would remain in the guest VLAN indefinitely. However, loss of
link or the detection of an EAPOL on the wire causes a transition out of the guest VLAN and back
to the default 802.1X mode.
Once a new MAC is authenticated by MAB, the responsibility to limit access belongs to the 802.1X
authenticator (or port security) to secure the port. The 802.1X default host parameter is defined only
for a single host. If the port is changed to multiple- user host, port security must be used to enforce
the number of MAC addresses allowed through this port.
Catalyst 4500 series switch supports MAB with VVID, with the restriction that the MAC address
appears on a port data VLAN only. All IP phone MACs learned using CDP are allowed on voice
VLANs.
MAB and VMPS are mutually exclusive because their functionality overlaps.
Fallback to web-based authentication is configured on switch ports in access mode. Ports in trunk
mode are not supported.
Fallback to web-based authentication is not supported on EtherChannels or EtherChannel members.
Although fallback to web-based authentication is an interface-specific configuration, the web-based
authentication fallback behavior is defined in a global fallback profile. If the global fallback
configuration changes, the new profile is not used until the next instance of authentication fallback.
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
About 802.1X Port-Based Authentication
Chapter 48, "Configuring
46-15