802.1X Parameters Configurable On The Switch; 802.1X Vlan Assignment Using A Radius Server - Cisco WS-C2948G-GE-TX Configuration Manual

Catalyst 4500 series switch

Understanding How 802.1x Authentication Works

802.1x Parameters Configurable on the Switch

With 802.1x, you can do the following:

- Specify force-authorized port control, force-unauthorized port control, or automatic 802.1x port control
- Enable or disable multiple hosts on a specific port
- Enable or disable system authentication control
- Specify the quiet time interval
- Specify the authenticator to host retransmission time interval
- Specify the back-end authenticator to host retransmission time interval
- Specify the back-end authenticator to authentication server retransmission time interval
- Specify the number of frames that are retransmitted from the back-end authenticator to host
- Specify the automatic host reauthentication time interval
- Specify the port shutdown timeout period after a security violation
- Enable or disable automatic host reauthentication

802.1x VLAN Assignment Using a RADIUS Server

In software release 6.3 or earlier releases, once the 802.1x host is authenticated, it joins an NVRAM-configured VLAN. With software release 7.2(1) and later releases, after authentication, an 802.1x host can receive its VLAN assignment from the RADIUS server.

VLAN assignments allow you to restrict users to a specific VLAN. For example, you could put guest users in a VLAN with limited access to the network.

802.1x authenticated ports are assigned to a VLAN that is based on the username of the host that is connected to the port. VLAN assignments work with the RADIUS server, which has a database of username-to-VLAN mappings.

After a successful 802.1x authentication of the port, the RADIUS server sends the VLAN in which the user needs to be given access. The 802.1x port behavior with the VLAN assignment is as follows:

- At linkup, the server places an 802.1x port in its original NVRAM-configured VLAN.
- After linkup, the server can put the port in the RADIUS-supplied VLAN if the RADIUS-supplied VLAN is valid and active in the management domain.
- If the port is currently in a different VLAN, the port is moved to the RADIUS-supplied VLAN.
- If the RADIUS-supplied VLAN is not active in the management domain, the server puts the port in an inactive state.
- If the RADIUS-supplied VLAN is invalid or there is a problem with the port hardware, the server moves the port to the 802.1x unauthorized state.
- If you enabled the multiple hosts keyword on an 802.1x port, the server places all hosts in the same RADIUS-supplied VLAN that is received by the first authenticated user.
- When an 802.1x-configured module goes down, the server clears all Enhanced Address Recognition Logic (EARL) entries for 802.1x ports.
- When an 802.1x-configured module comes up, the server configures all 802.1x ports in NVRAM-configured VLANs.

Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide—Release 8.2GLX
Chapter 31, Configuring 802.1x Authentication
78-15908-01
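
The VLAN assignment rules listed above can be used to audit a username-to-VLAN mapping before it goes into the RADIUS database. The following Python is an added example, not code from the Cisco guide: it reports which mappings would leave a port inactive or unauthorized, and which users on a multiple-hosts port would end up in a VLAN other than their own. It assumes that "valid" means an integer VLAN ID in 1..4094; all function names and sample data are constructed for illustration.

```python
# Added example: audits a username-to-VLAN mapping against the port behavior
# described in the guide. Assumption (not from the guide): a "valid" VLAN is
# an integer ID in 1..4094. Port hardware problems are not modeled.
VALID_VLAN_IDS = range(1, 4095)

# Constructed sample data.
ACTIVE_VLANS = {1, 10, 20, 99}
USER_VLANS = {"alice": 10, "bob": 20, "guest": 99, "carol": 30, "dave": 5000}


def port_outcome(radius_vlan, active_vlans):
    """Return (port_state, vlan) after a successful 802.1x authentication."""
    if not isinstance(radius_vlan, int) or radius_vlan not in VALID_VLAN_IDS:
        return ("unauthorized", None)   # invalid RADIUS-supplied VLAN
    if radius_vlan not in active_vlans:
        return ("inactive", None)       # valid, but not active in the domain
    return ("authorized", radius_vlan)  # port is moved to the RADIUS VLAN


def audit_mapping(user_vlans, active_vlans):
    """List (username, state) for every mapping that would not come up."""
    findings = []
    for user, vlan in sorted(user_vlans.items()):
        state, _ = port_outcome(vlan, active_vlans)
        if state != "authorized":
            findings.append((user, state))
    return findings


def multi_host_mismatches(users_on_port, user_vlans, active_vlans):
    """On a multiple-hosts port, every host gets the VLAN received by the
    first authenticated user. Return (user, mapped_vlan, actual_vlan) for
    each user whose own mapping differs from the VLAN the port is in."""
    first_user = users_on_port[0]
    _, port_vlan = port_outcome(user_vlans[first_user], active_vlans)
    return [(user, user_vlans[user], port_vlan)
            for user in users_on_port
            if user_vlans[user] != port_vlan]


if __name__ == "__main__":
    for user, state in audit_mapping(USER_VLANS, ACTIVE_VLANS):
        print(f"{user}: port would go {state}")
    for user, mapped, actual in multi_host_mismatches(
            ["alice", "guest"], USER_VLANS, ACTIVE_VLANS):
        print(f"{user}: mapped to VLAN {mapped}, port is in VLAN {actual}")
```

A mismatch reported for a multiple-hosts port means the per-user restriction (for example, a limited guest VLAN) is not enforced for that user on that port.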
