Authentication Manager For Port-Based Authentication - Cisco Catalyst 2960-XR Security Configuration Manual

Cisco IOS Release 15.0(2)EX1

Configuring IEEE 802.1x Port-Based Authentication

Authentication Manager for Port-Based Authentication

If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC authentication
bypass is enabled, the switch can authorize the client when the switch detects an Ethernet packet from the
client. The switch uses the MAC address of the client as its identity and includes this information in the
RADIUS-access/request frame that is sent to the RADIUS server. After the server sends the switch the
RADIUS-access/accept frame (authorization is successful), the port becomes authorized. If authorization fails
and a guest VLAN is specified, the switch assigns the port to the guest VLAN. If the switch detects an EAPOL
packet while waiting for an Ethernet packet, the switch stops the MAC authentication bypass process and
starts 802.1x authentication.
This figure shows the message exchange during MAC authentication bypass.
Figure 19: Message Exchange During MAC Authentication Bypass
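
The fallback sequence described above, modeled as a small state machine. This is an added example, not Cisco code or switch configuration. The event names, the `replay` and `mab_identity` helpers, the identity format, and the outcome when authorization fails with no guest VLAN are assumptions of the sketch.

```python
from enum import Enum

class Port(Enum):
    DOT1X = "802.1x authentication in progress"
    MAB_WAIT = "MAB: waiting for an Ethernet packet"
    MAB_PENDING = "MAB: RADIUS access-request sent"
    AUTHORIZED = "port authorized"
    GUEST_VLAN = "port assigned to guest VLAN"
    UNAUTHORIZED = "port unauthorized"

def mab_identity(mac):
    # Assumption of this sketch: the identity is the MAC as 12 lowercase hex digits.
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def replay(events, guest_vlan=None):
    """Replay (kind, value) events on one port that has MAB enabled.

    Returns (final Port state, identities sent to the RADIUS server).
    Events that do not apply in the current state are ignored.
    """
    state, sent = Port.DOT1X, []
    for kind, value in events:
        if state is Port.DOT1X and kind == "dot1x_timeout":
            state = Port.MAB_WAIT            # EAPOL exchange timed out
        elif state is Port.MAB_WAIT and kind == "eapol":
            state = Port.DOT1X               # supplicant appeared: stop MAB
        elif state is Port.MAB_WAIT and kind == "ethernet":
            sent.append(mab_identity(value)) # client MAC becomes the identity
            state = Port.MAB_PENDING
        elif state is Port.MAB_PENDING and kind == "radius":
            if value == "accept":
                state = Port.AUTHORIZED
            elif guest_vlan is not None:
                state = Port.GUEST_VLAN
            else:
                state = Port.UNAUTHORIZED    # assumption: not stated in the text
    return state, sent

if __name__ == "__main__":
    MAC = "00:00:5E:00:53:01"  # constructed address from the documentation range
    print(replay([("dot1x_timeout", None), ("ethernet", MAC), ("radius", "accept")]))
    print(replay([("dot1x_timeout", None), ("ethernet", MAC), ("radius", "reject")], 20))
    print(replay([("dot1x_timeout", None), ("eapol", None), ("ethernet", MAC)]))
```

In the third replay no identity reaches the RADIUS server through MAB, because the EAPOL packet returns the port to 802.1x before the Ethernet packet is seen.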
Authentication Manager for Port-Based Authentication
In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including
CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000. You
had to use separate authentication configurations. Cisco IOS Release 12.2(50)SE and later supports the same
authorization methods on all Catalyst switches in a network.
Cisco IOS Release 12.2(55)SE supports filtering verbose system messages from the authentication manager.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29434-01