Using Ieee 802.1X Authentication With Inaccessible Authentication Bypass - Cisco IE 3000 Software Configuration Manual
Hide thumbs
Also See for IE 3000:
- Hardware installation manual (186 pages) ,
- Getting started manual (32 pages) ,
- Software configuration manual (874 pages)
Table of Contents
Advertisement
Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
Restricted VLANs are supported only on IEEE 802.1x ports in single-host mode and on Layer 2 ports.
You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x
restricted VLAN. The restricted VLAN feature is not supported on trunk ports; it is supported only on
access ports.
This feature works with port security. As soon as the port is authorized, a MAC address is provided to
port security. If port security does not permit the MAC address or if the maximum secure address count
is reached, the port becomes unauthorized and error disabled.
Other port security features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can
be configured independently on a restricted VLAN.
For more information, see the
Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass
When the switch cannot reach the configured RADIUS servers and hosts cannot be authenticated, you
can configure the switch to allow network access to the hosts connected to critical ports. A critical port
is enabled for the inaccessible authentication bypass feature, also referred to as critical authentication
or the AAA fail policy.
When this feature is enabled, the switch checks the status of the configured RADIUS servers whenever
the switch tries to authenticate a host connected to a critical port. If a server is available, the switch can
authenticate the host. However, if all the RADIUS servers are unavailable, the switch grants network
access to the host and puts the port in the critical-authentication state, which is a special case of the
authentication state.
The behavior of the inaccessible authentication bypass feature depends on the authorization state of the
port:
•
•
•
When a RADIUS server that can authenticate the host is available, all critical ports in the
critical-authentication state are automatically re-authenticated.
Inaccessible authentication bypass interacts with these features:
•
OL-13018-01
If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers
are unavailable, the switch puts the port in the critical-authentication state in the
RADIUS-configured or user-specified access VLAN.
If the port is already authorized and re-authentication occurs, the switch puts the critical port in the
critical-authentication state in the current VLAN, which might be the one previously assigned by
the RADIUS server.
If the RADIUS server becomes unavailable during an authentication exchange, the current
exchanges times out, and the switch puts the critical port in the critical-authentication state during
the next authentication attempt.
Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest
VLAN is enabled on IEEE 8021.x port, the features interact as follows:
If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when
–
the switch does not receive a response to its EAP request/identity frame or when EAPOL
packets are not sent by the client.
–
If all the RADIUS servers are not available and the client is connected to a critical port, the
switch authenticates the client and puts the critical port in the critical-authentication state in the
RADIUS-configured or user-specified access VLAN.
"Configuring a Restricted VLAN" section on page
Cisco IE 3000 Switch Software Configuration Guide
Understanding IEEE 802.1x Port-Based Authentication
10-32.
10-13
Advertisement
Chapters
Table of Contents
Troubleshooting
