Using 802.1X With Guest Vlan - Cisco Catalyst 3550 series Software Configuration Manual
Multilayer switch
Hide thumbs
Also See for Catalyst 3550 series:
- Reference manual (58 pages) ,
- Datasheet (21 pages) ,
- Manual (19 pages)
Table of Contents
Advertisement
Chapter 9
Configuring 802.1X Port-Based Authentication
•
•
•
•
•
•
•
To configure VLAN assignment you need to perform these tasks:
•
•
•
For examples of tunnel attributes, see the
Attributes" section on page
Using 802.1X with Guest VLAN
You can configure a guest VLAN for each 802.1X port on the switch to provide limited services to clients
(for example, how to download the 802.1X client). These clients might be upgrading their system for
802.1X authentication, and some hosts, such as Windows 98 systems, might not be 802.1X-capable.
When the authentication server does not receive a response to its EAPOL request/identity frame, clients
that are not 802.1X-capable are put into the guest VLAN for the port, if one is configured. However, the
server does not grant 802.1X-capable clients that fail authentication access to the network. Any number
of hosts are allowed access once the switch port is moved to the guest VLAN. If an 802.1X-capable host
joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state
in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1X ports in single-host and multiple-hosts modes.
You can configure any VLAN, except RSPAN VLANs or voice VLAN IDs (VVIDs), as an 802.1X guest
VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is
supported only on access ports.
For configuration steps, see the
78-11194-09
If 802.1X authorization is enabled and all information from the RADIUS server is valid, the port is
placed in the specified VLAN after authentication.
If the multiple-hosts mode is enabled on an 802.1X port, all hosts are placed in the same VLAN
(specified by the RADIUS server) as the first authenticated host.
If port security is enabled on an 802.1X port with VLAN assignment, the port is placed in the
RADIUS server assigned VLAN.
If 802.1X is disabled on the port, it is returned to the configured access VLAN.
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is
placed in the configured access VLAN.
If an 802.1X port is authenticated and put in the RADIUS server assigned VLAN, any change to the
port access VLAN configuration does not take effect.
The 802.1X with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with
dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
Enable AAA authorization.
Enable 802.1X (the VLAN assignment feature is automatically enabled when you configure 802.1X
on an access port).
Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return
these attributes to the switch:
–
[64] Tunnel-Type = VLAN
–
[65] Tunnel-Medium-Type = 802
–
[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802
(type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1X-authenticated
user.
8-29.
"Configuring the Switch to Use Vendor-Specific RADIUS
"Configuring a Guest VLAN" section on page
Catalyst 3550 Multilayer Switch Software Configuration Guide
Understanding 802.1X Port-Based Authentication
9-17.
9-7
Advertisement
Table of Contents
Troubleshooting
