Inaccessible Authentication Bypass Authentication Results; Inaccessible Authentication Bypass Feature Interactions - Cisco Catalyst 2960-X Security Configuration Manual

802.1x Authentication with Inaccessible Authentication Bypass

Inaccessible Authentication Bypass Authentication Results

The behavior of the inaccessible authentication bypass feature depends on the authorization state of the port:
• If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers
are unavailable, the switch puts the port in the critical-authentication state in the RADIUS-configured
or user-specified access VLAN.
• If the port is already authorized and reauthentication occurs, the switch puts the critical port in the
critical-authentication state in the current VLAN, which might be the one previously assigned by the
RADIUS server.
• If the RADIUS server becomes unavailable during an authentication exchange, the current exchange
times out, and the switch puts the critical port in the critical-authentication state during the next
authentication attempt.
You can configure the critical port to reinitialize hosts and move them out of the critical VLAN when the
RADIUS server is again available. When this is configured, all critical ports in the critical-authentication state
are automatically re-authenticated.

Inaccessible Authentication Bypass Feature Interactions

Inaccessible authentication bypass interacts with these features:
• Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN
is enabled on 8021.x port, the features interact as follows:
• Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers are
unavailable, the switch puts the critical port in the critical-authentication state in the restricted VLAN.
• 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
• Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port.
The access VLAN must be a secondary private VLAN.
• Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the
RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.
• Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the
RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
286
◦ If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when the
switch does not receive a response to its EAP request/identity frame or when EAPOL packets are
not sent by the client.
◦ If all the RADIUS servers are not available and the client is connected to a critical port, the switch
authenticates the client and puts the critical port in the critical-authentication state in the
RADIUS-configured or user-specified access VLAN.
◦ If all the RADIUS servers are not available and the client is not connected to a critical port, the
switch might not assign clients to the guest VLAN if one is configured.
◦ If all the RADIUS servers are not available and if a client is connected to a critical port and was
previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.
Configuring IEEE 802.1x Port-Based Authentication
OL-29048-01