Cisco IE-4000 Software Configuration Manual page 214

Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
802.1x Authentication with MAC Authentication Bypass
You can configure the switch to authorize clients based on the client MAC address (see Figure 19 on page 191) by using the MAC authentication bypass feature. For example, you can enable this feature on 802.1x ports connected to devices such as printers.

If 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries to authorize the client by using MAC authentication bypass.

When the MAC authentication bypass feature is enabled on an 802.1x port, the switch uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured.

If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an 802.1x-capable supplicant and uses 802.1x authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes down.

If the switch already authorized a port by using MAC authentication bypass and detects an 802.1x supplicant, the switch does not unauthorize the client connected to the port. When reauthentication occurs, the switch uses 802.1x authentication as the preferred reauthentication process if the previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.

Clients that were authorized with MAC authentication bypass can be reauthenticated. The reauthentication process is the same as that for clients that were authenticated with 802.1x. During reauthentication, the port remains in the previously assigned VLAN. If reauthentication is successful, the switch keeps the port in the same VLAN. If reauthentication fails, the switch assigns the port to the guest VLAN, if one is configured.

If reauthentication is based on the Session-Timeout RADIUS attribute (Attribute [27]) and the Termination-Action RADIUS attribute (Attribute [29]), and if the Termination-Action RADIUS attribute (Attribute [29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass session ends, and connectivity is lost during reauthentication. If MAC authentication bypass is enabled and the 802.1x authentication times out, the switch uses the MAC authentication bypass feature to initiate reauthorization. For more information about these AV pairs, see RFC 3580, "802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines."

MAC authentication bypass interacts with these features:

802.1x authentication—You can enable MAC authentication bypass only if 802.1x authentication is enabled on the port.

Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a guest VLAN if one is configured.

Restricted VLAN—This feature is not supported when the client connected to an 802.1x port is authenticated with MAC authentication bypass.

Port security—See 802.1x Authentication with Port Security, page 209.

Voice VLAN—See 802.1x Authentication with Voice VLAN Ports, page 209.

VLAN Membership Policy Server (VMPS)—802.1x and VMPS are mutually exclusive.

Private VLAN—You can assign a client to a private VLAN.

Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception list.

Network Edge Access Topology (NEAT)—MAB and NEAT are mutually exclusive. You cannot enable MAB when NEAT is enabled on an interface, and you cannot enable NEAT when MAB is enabled on an interface.
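As an added example that is not part of the manual: a Cisco IOS configuration for one access port that implements the behavior described above, with 802.1x tried first, MAC authentication bypass as the fallback once the EAPOL exchange times out, a guest VLAN for clients that never answer and also fail MAB, and reauthentication driven by the RADIUS Session-Timeout attribute. The interface name, VLAN IDs, RADIUS server address and shared-secret placeholder are assumptions, not values from the manual.

```text
! Global AAA: both 802.1x and MAB authenticate against RADIUS (server values are assumed)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
!
! Access port: 802.1x first, MAB only after the client fails to answer EAPOL
interface GigabitEthernet1/1
 description printer port (assumed example)
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 ! try 802.1x before MAB, and let an 802.1x supplicant win if both are seen
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication host-mode single-host
 ! guest VLAN 99: applied when no EAPOL response arrives and MAB does not succeed
 authentication event no-response action authorize vlan 99
 ! reauthentication interval taken from the RADIUS Session-Timeout attribute (27)
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! time before the switch gives up on EAPOL and starts MAB:
 ! tx-period x (max-reauth-req + 1) = 10 s x 3 = 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

Shortening the EAPOL timeout reduces how long a non-802.1x device such as a printer waits without connectivity before MAB runs, while a Termination-Action of DEFAULT in the RADIUS reply still causes the MAB session to be torn down at each Session-Timeout, as the text above describes.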