Inaccessible Authentication Bypass Feature Interactions - Cisco Catalyst 2960-XR Security Configuration Manual

Configuring IEEE 802.1x Port-Based Authentication
• If the RADIUS server becomes unavailable during an authentication exchange, the current exchange
times out, and the switch puts the critical port in the critical-authentication state during the next
authentication attempt.
You can configure the critical port to reinitialize hosts and move them out of the critical VLAN when the
RADIUS server is again available. When this is configured, all critical ports in the critical-authentication state
are automatically re-authenticated.

Inaccessible Authentication Bypass Feature Interactions

Inaccessible authentication bypass interacts with these features:
• Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN
is enabled on 8021.x port, the features interact as follows:
• Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers are
unavailable, the switch puts the critical port in the critical-authentication state in the restricted VLAN.
• 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
•
• Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the
RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.
• Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the
RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.
In a switch stack, the stack master checks the status of the RADIUS servers by sending keepalive packets.
When the status of a RADIUS server changes, the stack master sends the information to the stack members.
The stack members can then check the status of RADIUS servers when re-authenticating critical ports.
If the new stack master is elected, the link between the switch stack and RADIUS server might change, and
the new stack immediately sends keepalive packets to update the status of the RADIUS servers. If the server
status changes from dead to alive, the switch re-authenticates all switch ports in the critical-authentication
state.
When a member is added to the stack, the stack master sends the member the server status.
OL-29434-01
◦ If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when the
switch does not receive a response to its EAP request/identity frame or when EAPOL packets are
not sent by the client.
◦ If all the RADIUS servers are not available and the client is connected to a critical port, the switch
authenticates the client and puts the critical port in the critical-authentication state in the
RADIUS-configured or user-specified access VLAN.
◦ If all the RADIUS servers are not available and the client is not connected to a critical port, the
switch might not assign clients to the guest VLAN if one is configured.
◦ If all the RADIUS servers are not available and if a client is connected to a critical port and was
previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
802.1x Authentication with Inaccessible Authentication Bypass
235