Using 802.1X Authentication On Ports Configured For Auxiliary Vlan Traffic; Using 802.1X Authentication For Guest Vlans - Cisco WS-C2948G-GE-TX Configuration Manual

Understanding How 802.1x Authentication Works

Using 802.1x Authentication on Ports Configured for Auxiliary VLAN Traffic

Because IP phones do not have host PAE capability, auxiliary VLAN-tagged packets received on a port that is configured for 802.1x authentication are forwarded as authorized traffic. Ports that are configured for 802.1x authentication must be in single-host authentication mode to forward auxiliary VLAN-tagged packets.

Using 802.1x Authentication for Guest VLANs

Guest VLANs allow users who do not have 802.1x-compatible workstations to access networks that use 802.1x authentication. You can also use guest VLANs while upgrading systems to support 802.1x authentication.

When you configure an active VLAN on the switch as an 802.1x guest VLAN, guest users are put in this VLAN and allowed access until an 802.1x authentication occurs. Any VLAN can be configured as a guest VLAN, except private VLANs, auxiliary VLANs, and RSPAN VLANs.

When you enable 802.1x authentication on a port, the 802.1x protocol starts. If the host fails to respond to the packets from the authenticator within a certain amount of time, the authenticator puts the port in the guest VLAN.

The network administrator can configure a guest VLAN on a per-port basis. Typically, guest VLANs support minimal services and provide minimal network access. A VLAN does not have to be active to be configured as a guest VLAN, but it must be active before a host can use it. Hosts are assigned to the guest VLAN only when the set port dot1x mod/port port-control auto keyword is used. Changing the set port dot1x mod/port port-control keyword from auto to force-authorized or force-unauthorized removes the host from the guest VLAN and returns the host to the port VLAN.

Guest VLANs are supported in both single-host and multiple-host mode.

Note: Guest VLANs are limited to the local switch and are not propagated through VTP.
Guidelines for Guest VLANs on Windows-XP Hosts
The guidelines for using 802.1x authentication with guest VLANs on Windows-XP hosts are as follows:
Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide, Release 8.2GLX, page 31-8
• If the host fails to respond to the authenticator, the port remains in the connecting state for 180 seconds. After this time, the login/password window does not appear on the host. The workaround is to have the user unplug and then reconnect their network interface cable.

• Hosts that respond with an incorrect login/password fail authentication and are not put in the guest VLAN. The first time that a host fails authentication, the quiet-period timer starts and no activity occurs during the quiet-period time. When the quiet-period time expires, the host is presented with the login/password window. If the host fails authentication the second time, the quiet-period timer starts again and no activity occurs during the quiet-period time. The host is presented with the login/password window a third time. If the host fails authentication the third time, the port is put in the connecting and unauthorized states. The workaround is to have the user unplug and then reconnect the network interface cable.

• If a host does not respond to the username and password authentication requests from the Authenticator PAE, it is placed in a guest VLAN.
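The rules above (silent host goes to the guest VLAN only under port-control auto and only if that VLAN is active; a wrong login never reaches the guest VLAN and triggers a quiet period, with the third failure leaving the port unauthorized; leaving auto returns a guest host to the port VLAN) are easy to misread. The following model is an added example, not Cisco code, that encodes those decision rules so they can be checked against constructed event sequences; the class, method names and the guest_vlan_active flag are assumptions made for the illustration.

```python
"""Model of the Catalyst 802.1x guest-VLAN decision rules (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3  # after the third failed login the port ends up unauthorized


@dataclass
class Dot1xPort:
    port_vlan: int                        # access VLAN configured on the port
    guest_vlan: Optional[int] = None      # configured guest VLAN, if any
    guest_vlan_active: bool = True        # assumed flag: guest VLAN exists and is active
    port_control: str = "auto"            # auto | force-authorized | force-unauthorized
    state: str = "connecting"
    vlan: Optional[int] = None            # VLAN the host is actually placed in
    failures: int = 0
    quiet_period: bool = False

    def on_timeout(self) -> None:
        """Host never answered the authenticator (no 802.1x supplicant)."""
        if self.port_control != "auto":
            return  # guest VLAN assignment happens only under port-control auto
        if self.guest_vlan is not None and self.guest_vlan_active:
            self.state, self.vlan = "guest", self.guest_vlan
        else:
            self.state, self.vlan = "connecting", None  # stays in connecting state

    def on_auth_failure(self) -> None:
        """Wrong login/password: quiet period starts; the guest VLAN is never used."""
        self.failures += 1
        self.vlan = None
        if self.failures >= MAX_FAILURES:
            self.state, self.quiet_period = "unauthorized", False
        else:
            self.state, self.quiet_period = "connecting", True

    def on_auth_success(self) -> None:
        """Valid credentials: host gets the port VLAN and the failure count resets."""
        self.state, self.vlan, self.failures = "authorized", self.port_vlan, 0
        self.quiet_period = False

    def set_port_control(self, mode: str) -> None:
        """Changing port-control away from auto moves a guest host back to the port VLAN."""
        self.port_control = mode
        if mode != "auto" and self.state == "guest":
            self.state = "authorized" if mode == "force-authorized" else "unauthorized"
            self.vlan = self.port_vlan
```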
Chapter 31, Configuring 802.1x Authentication, 78-15908-01
