Port-Based Authentication Process - Cisco Catalyst 2960-XR Security Configuration Manual

Port-Based Authentication Process

For complete syntax and usage information for the commands used in this chapter, see the "RADIUS
Note
Commands" section in the Cisco IOS Security Command Reference, Release 12.4 and the command
reference for this release.
Port-Based Authentication Process
When 802.1x port-based authentication is enabled and the client supports 802.1x-compliant client software,
these events occur:
• If the client identity is valid and the 802.1x authentication succeeds, the switch grants the client access
• If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC
• If the switch gets an invalid identity from an 802.1x-capable client and a restricted VLAN is specified,
• If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass is
If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that
are applicable to voice authorization.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
214
to the network.
authentication bypass is enabled, the switch can use the client MAC address for authorization. If the
client MAC address is valid and the authorization succeeds, the switch grants the client access to the
network. If the client MAC address is invalid and the authorization fails, the switch assigns the client
to a guest VLAN that provides limited services if a guest VLAN is configured.
the switch can assign the client to a restricted VLAN that provides limited services.
enabled, the switch grants the client access to the network by putting the port in the critical-authentication
state in the RADIUS-configured or the user-specified access VLAN.
Note Inaccessible authentication bypass is also referred to as critical authentication or the
AAA fail policy.
Configuring IEEE 802.1x Port-Based Authentication
OL-29434-01