Using Ieee 802.1X Authentication With Guest Vlan - Cisco 3020 - Catalyst Blade Switch Configuration Manual

Understanding IEEE 802.1x Port-Based Authentication
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of
RADIUS-server per-user ACLs.
For examples of vendor-specific attributes, see the
RADIUS Attributes" section on page
Chapter 26, "Configuring Network Security with ACLs."
To configure per-user ACLs, you need to perform these tasks:
•
•
•
•
•

Using IEEE 802.1x Authentication with Guest VLAN

You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to
clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for
IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be
IEEE 802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN
when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets
are not sent by the client.
The switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during
the lifetime of the link, the switch determines that the device connected to that interface is an
IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL
history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface,
the interface changes to the guest VLAN state.
If devices send EAPOL packets to the switch during the lifetime of the link, the switch does not allow
clients that fail authentication access to the guest VLAN.
Note If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts
to an unauthorized state, and IEEE 802.1x authentication restarts.
Any number of IEEE 802.1x-incapable clients are allowed access when the switch port is moved to the
guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is
configured, the port is put into the unauthorized state in the user-configured access VLAN, and
authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest
VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
The switch supports MAC authentication bypass in Cisco IOS Release 12.2(25)SEE and later. When
MAC authentication bypass is enabled on an IEEE 802.1x port, the switch can authorize clients based
on the client MAC address when IEEE 802.1x authentication times out while waiting for an EAPOL
message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet
packet from the client. The switch sends the authentication server a RADIUS-access/request frame with
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide
7-12
Enable AAA authentication.
Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
Enable IEEE 802.1x authentication.
Configure the user profile and VSAs on the RADIUS server.
Configure the IEEE 802.1x port for single-host mode.
Chapter 7 Configuring IEEE 802.1x Port-Based Authentication
"Configuring the Switch to Use Vendor-Specific
6-29. For more information about configuring ACLs, see
OL-8915-01