Cisco IE-3000-8TC Software Configuration Manual page 234

Understanding IEEE 802.1x Port-Based Authentication
Figure 12-2
Figure 12-2
Assign the port to
a restricted VLAN.
The switch re-authenticates a client when one of these situations occurs:
• Periodic re-authentication is enabled, and the re-authentication timer expires.
You can configure the re-authentication timer to use a switch-specific value or to be based on values
from the RADIUS server.
After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on
the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS
attribute (Attribute [29]).
The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which
re-authentication occurs.
Cisco IE 3000 Switch Software Configuration Guide
12-4
shows the authentication process.
Authentication Flowchart
Start
Is the client IEEE
802.1x capable?
Yes
Start IEEE 802.1x port-based
authentication.
Client Client
identity is identity is
invalid valid
Assign the port to
a VLAN.
Done Done
All authentication
servers are down.
Use inaccessible
authentication bypass
(critical authentication)
to assign the critical
port to a VLAN.
Done
Chapter 12 Configuring IEEE 802.1x Port-Based Authentication
No
IEEE 802.1x authentication
process times out.
The switch gets an
EAPOL message,
and the EAPOL
message
exchange begins.
Use MAC authentication
Assign the port to
All authentication
servers are down.
1 = This occurs if the switch does not detect EAPOL packets from the client.
Is MAC authentication
bypass enabled?
Yes
1
bypass.
Client MAC Client MAC
address address
identity identity
is valid. is invalid.
Assign the port to
a VLAN. a guest VLAN.
Done Done
1
No
1
OL-13018-03