Using 802.1X With Inaccessible Authentication Bypass - Cisco Catalyst 4500 Series Software Configuration Manual

About 802.1X Port-Based Authentication
Fallback to web-based authentication is not supported on EtherChannels or EtherChannel members.
•
Although fallback to web-based authentication is an interface-specific configuration, the web-based authentication
•
fallback behavior is defined in a global fallback profile. If the global fallback configuration changes, the new profile is not
used until the next instance of authentication fallback.
For detailed information on configuring web-based authentication, see

Using 802.1X with Inaccessible Authentication Bypass

When a switch cannot reach the configured RADIUS servers and clients (supplicants) cannot be authenticated, you can
configure a switch to allow network access to hosts connected to critical ports that are enabled for Inaccessible Authentication
Bypass.
When Inaccessible Authentication Bypass is enabled, a switch monitors the status of the configured RADIUS servers. If no
RADIUS servers are available, clients that fail authentication due to server unavailability are authorized. Inaccessible
Authentication Bypass can be enabled for data clients and voice clients. For data clients, you can specify an Inaccessible
Authentication Bypass VLAN on a per-port basis. For voice clients they are authorized in the configured voice vlan.
Inaccessible Authentication Bypass for voice clients can activate in Multiple Domain Authentication and Multiple
Authentication modes, in which authentication is enforced for voice devices.
Note Inaccessible Authentication Bypass allows a voice client to access configured voice VLAN when
RADIUS becomes unavailable. For the voice device to operate properly, it must learn the voice VLAN
ID through other protocols such as CDP, LLDP, or DHCP, wherever appropriate. When a RADIUS server
is unavailable, it may not be possible for a switch to recognize a MAC address as that of a voice device.
Therefore, when Inaccessible Authentication Bypass is configured for voice devices, it should also be
configured for data. Voice devices may be authorized on both critical data and voice VLANs. If port
security is enabled, this may affect the maximum port security entries enforced on the port.
By default, data clients that were already authorized when RADIUS becomes unavailable are unaffected by Inaccessible
Authentication Bypass. To reauthenticate all authorized data clients on the port when RADIUS becomes unavailable, use the
authentication server dead action reinitialize vlan interface configuration command. This command is intended for
multiauthentication mode and is mutually exclusive with the authentication server dead action authorize vlan command.
In multiauthentication mode, you cannot use the authentication server dead action authorize vlan
Note
command to enable Inaccessible Authentication Bypass for data clients; it has no effect. Instead, use the
authentication server dead action reinitialize vlan vlan-id command.
When RADIUS becomes available, critically authorized ports can be configured to automatically reauthenticate themselves.
To properly detect RADIUS server availability, the test username name option should be enabled in the
Note
radius-server host command. For details on how to configure RADIUS server, see the
Switch-to-RADIUS-Server Communication" section on page
Inaccessible Authentication Bypass cannot activate after a port falls back to Web-based authentication. For details on how to
configure Web-based authentication, see
For details on how to configure Inaccessible Authentication Bypass, see
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
49-14
Chapter 52, "Configuring Web-Based Authentication."
Chapter 49 Configuring 802.1X Port-Based Authentication
Chapter 52, "Configuring Web-Based Authentication."
49-32.
Chapter 52, "Configuring Web-Based
"Configuring
Authentication".