Usage Guidelines For Using Authentication Failed Vlan Assignment - Cisco Catalyst 4500 Series Software Configuration Manual

Chapter 49 Configuring 802.1X Port-Based Authentication
When enabling periodic reauthentication (see the
Note
page
assign the reauthentication timer value.
You can set the maximum number of authentication attempts that the authenticator sends before moving a port into the
authentication-failed VLAN. The authenticator keeps a count of the failed authentication attempts for each port. A failed
authentication attempt is either an empty response or an EAP failure. The authenticator tracks any mix of failed authentication
attempts towards the authentication attempt count. After the maximum number of attempts is reached the port is placed in the
authentication-failed VLAN until the reauthentication timer expires again.
RADIUS can send a response without an EAP packet in it when it does not support EAP, and sometimes
Note
third-party RADIUS servers also send empty responses. When this behavior occurs, the authentication
attempt counter is incremented.
For details on how to configure Authentication Failed VLAN Assignment, see the
Failed" section on page 49-71.

Usage Guidelines for Using Authentication Failed VLAN Assignment

Usage guidelines include the following:
You should enable reauthentication. The ports in authentication-failed VLANs do not receive reauthentication attempts if
•
reauthentication is disabled. To start the reauthentication process the authentication-failed VLAN must receive a link-down
event or an EAP logoff event from the port. If the host is behind a hub, you may never get a link-down event and may not
detect the new host until the next reauthentication occurs.
EAP failure messages are not sent to the user. If the user failures authentication the port is moved to an
•
authentication-failed VLAN and a EAP success message is sent to the user. Because the user is not notified of the
authentication failure there may be confusion as to why there is restricted access to the network. A EAP Success message
is sent for the following reasons:
If the EAP Success message is not sent, the user tries to authenticate every 60 seconds (by default) by sending an
–
EAP-start message.
In some cases, users have configured DHCP to EAP-Success and unless the user sees a success, DHCP does not work
–
on the port.
Sometimes a user caches an incorrect username and password combination after receiving a EAP success message from
•
the authenticator and reuses that information in every reauthentication. Until the user passes the correct username and
password combination the port remains in the authentication-failed VLAN.
When an authentication failed port is moved to an unauthorized state the authentication process is restarted. If you should
•
fail the authentication process again the authenticator waits in the held state. After you have correctly reauthenticated all
802.1X ports are reinitialized and treated as normal 802.1X ports.
• When you reconfigure an authentication-failed VLAN to a different VLAN, any authentication failed ports are also moved
and the ports stay in their current authorized state.
• When you shut down or remove an authentication-failed VLAN from the VLAN database, any authentication failed ports
are immediately moved to an unauthorized state and the authentication process is restarted. The authenticator does not wait
in a held state because the authentication-failed VLAN configuration still exists. While the authentication-failed VLAN is
inactive, all authentication attempts are counted, and as soon as the VLAN becomes active the port is placed in the
authentication-failed VLAN.
49-81), only local reauthentication timer values are allowed. You cannot use a RADIUS server to
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
About 802.1X Port-Based Authentication
"Enabling Periodic Reauthentication" section on
"Configuring 802.1X with Authentication
49-17