Usage Guidelines For Using Authentication Failed Vlan Assignment - Cisco Catalyst 4500 series Administration Manual

Chapter 46 Configuring 802.1X Port-Based Authentication
You can set the maximum number of authentication attempts that the authenticator sends before moving
a port into the authentication-failed VLAN. The authenticator keeps a count of the failed authentication
attempts for each port. A failed authentication attempt is either an empty response or an EAP failure.
The authenticator tracks any mix of failed authentication attempts towards the authentication attempt
count. After the maximum number of attempts is reached the port is placed in the authentication-failed
VLAN until the reauthentication timer expires again.
RADIUS can send a response without an EAP packet in it when it does not support EAP, and sometimes
Note
third-party RADIUS servers also send empty responses. When this behavior occurs, the authentication
attempt counter is incremented.
For details on how to configure Authentication Failed VLAN Assignment, see the
with Authentication Failed" section on page

Usage Guidelines for Using Authentication Failed VLAN Assignment

Usage guidelines include the following:
•
•
•
•
•
•
•
OL_28731-01
You should enable reauthentication. The ports in authentication-failed VLANs do not receive
reauthentication attempts if reauthentication is disabled. To start the reauthentication process the
authentication-failed VLAN must receive a link-down event or an EAP logoff event from the port.
If the host is behind a hub, you may never get a link-down event and may not detect the new host
until the next reauthentication occurs.
EAP failure messages are not sent to the user. If the user failures authentication the port is moved
to an authentication-failed VLAN and a EAP success message is sent to the user. Because the user
is not notified of the authentication failure there may be confusion as to why there is restricted
access to the network. A EAP Success message is sent for the following reasons:
If the EAP Success message is not sent, the user tries to authenticate every 60 seconds (by
–
default) by sending an EAP-start message.
In some cases, users have configured DHCP to EAP-Success and unless the user sees a success,
–
DHCP does not work on the port.
Sometimes a user caches an incorrect username and password combination after receiving a EAP
success message from the authenticator and reuses that information in every reauthentication. Until
the user passes the correct username and password combination the port remains in the
authentication-failed VLAN.
When an authentication failed port is moved to an unauthorized state the authentication process is
restarted. If you should fail the authentication process again the authenticator waits in the held state.
After you have correctly reauthenticated all 802.1X ports are reinitialized and treated as normal
802.1X ports.
When you reconfigure an authentication-failed VLAN to a different VLAN, any authentication
failed ports are also moved and the ports stay in their current authorized state.
When you shut down or remove an authentication-failed VLAN from the VLAN database, any
authentication failed ports are immediately moved to an unauthorized state and the authentication
process is restarted. The authenticator does not wait in a held state because the authentication-failed
VLAN configuration still exists. While the authentication-failed VLAN is inactive, all
authentication attempts are counted, and as soon as the VLAN becomes active the port is placed in
the authentication-failed VLAN.
If you reconfigure the maximum number of authentication failures allowed by the VLAN, the
change takes affect after the reauthentication timer expires.
46-72.
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
About 802.1X Port-Based Authentication
"Configuring 802.1X
46-19