Port-Based Authentication Process - Cisco Catalyst 2960-X Security Configuration Manual

Cisco IOS Release 15.0(2)EX
Port-Based Authentication Process

Note: TACACS is not supported with 802.1x authentication.

Note: Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

Note: For complete syntax and usage information for the commands used in this chapter, see the "RADIUS Commands" section in the Cisco IOS Security Command Reference, Release 3SE.
To configure IEEE 802.1X port-based authentication, you must enable authentication, authorization, and
accounting (AAA) and specify the authentication method list. A method list describes the sequence and
authentication method to be queried to authenticate a user.
The AAA process begins with authentication. When 802.1x port-based authentication is enabled and the client supports 802.1x-compliant client software, these events occur:
• If the client identity is valid and the 802.1x authentication succeeds, the switch grants the client access to the network.
• If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC authentication bypass is enabled, the switch can use the client MAC address for authorization. If the client MAC address is valid and the authorization succeeds, the switch grants the client access to the network. If the client MAC address is invalid and the authorization fails, the switch assigns the client to a guest VLAN that provides limited services if a guest VLAN is configured.
• If the switch gets an invalid identity from an 802.1x-capable client and a restricted VLAN is specified, the switch can assign the client to a restricted VLAN that provides limited services.
• If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass is enabled, the switch grants the client access to the network by putting the port in the critical-authentication state in the RADIUS-configured or the user-specified access VLAN.

Note: Inaccessible authentication bypass is also referred to as critical authentication or the AAA fail policy.

If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that are applicable to voice authorization.

Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
264
Configuring IEEE 802.1x Port-Based Authentication
OL-29048-01
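The four outcomes listed above map onto per-port configuration. The following is an added example written for this page, not configuration taken from the guide: a single access port that tries 802.1x, falls back to MAC authentication bypass, and names a guest, restricted and critical VLAN. The RADIUS address, shared secret, interface and VLAN numbers are constructed placeholders.

```cisco
! Added example (not from the guide). All addresses, VLAN IDs and the
! shared secret are constructed placeholders; substitute your own.
aaa new-model
! Method list: 802.1x requests and network authorization both go to RADIUS.
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
! Dead-server detection is what triggers the "RADIUS unavailable" path.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 ! Try 802.1x first; fall back to MAC authentication bypass on EAPOL timeout.
 authentication order dot1x mab
 authentication priority dot1x mab
 ! No EAPOL response and MAB not authorized -> guest VLAN (limited services).
 authentication event no-response action authorize vlan 20
 ! Invalid identity from an 802.1x-capable client -> restricted VLAN.
 authentication event fail action authorize vlan 30
 ! All RADIUS servers dead -> critical-authentication state in the access VLAN.
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 dot1x pae authenticator
 ! Shorter EAPOL retry window so the MAB fallback is reached sooner.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
 spanning-tree portfast
```

`show authentication sessions interface GigabitEthernet1/0/1` reports which method authorized a connected host and which VLAN the port landed in, so each of the four outcomes can be confirmed on a live port.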
