Cisco WS-C3560-48PS-S Software Configuration Manual page 203

Software configuration guide

Chapter 9
Configuring 802.1X Port-Based Authentication
When configured on the switch and the RADIUS server, 802.1X with VLAN assignment has these
characteristics:
- If no VLAN is supplied by the RADIUS server or if 802.1X authorization is disabled, the port is
  configured in its access VLAN after successful authentication.
- If 802.1X authorization is enabled but the VLAN information from the RADIUS server is not valid,
  the port returns to the unauthorized state and remains in the configured access VLAN. This prevents
  ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error.
  Configuration errors could include specifying a malformed VLAN ID, a nonexistent VLAN ID, or
  an attempted assignment to a voice VLAN ID.
- If 802.1X authorization is enabled and all information from the RADIUS server is valid, the port is
  placed in the specified VLAN after authentication.
- If the multiple-hosts mode is enabled on an 802.1X port, all hosts are placed in the same VLAN
  (specified by the RADIUS server) as the first authenticated host.
- If 802.1X and port security are enabled on a port, the port is placed in the RADIUS
  server-assigned VLAN.
- If 802.1X is disabled on the port, it is returned to the configured access VLAN.

When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put
into the configured access VLAN.

If an 802.1X port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port
access VLAN configuration does not take effect.

The 802.1X with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with
dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment, you need to perform these tasks:
- Enable AAA authorization by using the network keyword to allow interface configuration from the
  RADIUS server.
- Enable 802.1X. (The VLAN assignment feature is automatically enabled when you configure
  802.1X on an access port.)
- Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return
  these attributes to the switch:
  - [64] Tunnel-Type = VLAN
  - [65] Tunnel-Medium-Type = 802
  - [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
  Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802
  (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1X-authenticated
  user.

For examples of tunnel attributes, see the "Configuring the Switch to Use Vendor-Specific RADIUS
Attributes" section on page 8-29.

Understanding 802.1X Port-Based Authentication
Catalyst 3560 Switch Software Configuration Guide, 78-16156-01, page 9-7
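
The characteristics and tunnel attributes described above, modelled in Python as an added example (not Cisco code and not part of the original guide): it parses the three tunnel attributes from an Access-Accept attribute payload and returns the resulting port state and VLAN. The function names, the VLAN table and the sample attributes are constructed for illustration, and treating a missing attribute [81] as "no VLAN supplied" is an assumption.

```python
# Added example modelling the rules on this page; not Cisco IOS code.
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values the page requires in [64] and [65]

def attr(t, value):
    """Encode one RADIUS attribute; the length byte counts the 2-byte header."""
    return bytes([t, len(value) + 2]) + value

def parse_attrs(blob):
    """Walk the type-length-value attributes of an Access-Accept payload."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return attrs

def tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: 1 tag byte, then a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("expected 4-byte tagged value")
    return int.from_bytes(value[1:], "big")

def resolve_vlan(text, vlan_db):
    """Map a VLAN ID or VLAN name from [81] to an ID the switch knows."""
    if text.isdigit():
        return int(text) if int(text) in vlan_db else None
    return next((vid for vid, name in vlan_db.items() if name == text), None)

def port_result(attrs, access_vlan, vlan_db, voice_vlan=None, authorization=True):
    """Return (port state, VLAN) after a successful 802.1X authentication."""
    # Assumption: "no VLAN supplied" means attribute [81] is absent.
    if not authorization or TUNNEL_PGID not in attrs:
        return ("authorized", access_vlan)
    try:
        if (tagged_int(attrs[TUNNEL_TYPE]), tagged_int(attrs[TUNNEL_MEDIUM])) != (VLAN, IEEE_802):
            raise ValueError("tunnel type/medium is not VLAN/802")
        raw = attrs[TUNNEL_PGID]
        raw = raw[1:] if raw and raw[0] <= 0x1F else raw  # optional leading tag byte
        vid = resolve_vlan(raw.decode("ascii"), vlan_db)
    except (KeyError, ValueError):
        vid = None
    # Malformed, nonexistent, or voice VLAN: unauthorized, stays in access VLAN.
    if vid is None or vid == voice_vlan:
        return ("unauthorized", access_vlan)
    return ("authorized", vid)
# Constructed sample data (not captured traffic).
VLAN_DB = {1: "default", 10: "voice", 20: "engineering"}
SAMPLE = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"20")
```

Calling `port_result(parse_attrs(SAMPLE), 1, VLAN_DB, voice_vlan=10)` places the port in VLAN 20; changing attribute [81] to `10` or `999` leaves it unauthorized in access VLAN 1.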
