Cisco Catalyst 3120 Software Manual page 226

Understanding IEEE 802.1x Port-Based Authentication
Figure 9-2
If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions
that are applicable to voice authorization. For more information on MDA, see
Authentication" section on page
Figure 9-2 Authentication Flowchart
Start
Is the client IEEE
802.1x capable?
Yes
Start IEEE 802.1x port-based
authentication.
Client
identity is
invalid
Assign the port to Assign the port to
a restricted VLAN.
Done
All authentication
servers are down.
Use inaccessible
authentication bypass
(critical authentication)
to assign the critical
port to a VLAN.
Done
The switch re-authenticates a client when one of these situations occurs:
•
Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide
9-4
shows the authentication process.
No
IEEE 802.1x authentication
process times out.
The switch gets an
EAPOL message,
and the EAPOL
message
exchange begins.
Client
identity is
valid
a VLAN.
Done
1 = This occurs if the switch does not detect EAPOL packets from the client.
Periodic re-authentication is enabled, and the re-authentication timer expires.
You can configure the re-authentication timer to use a switch-specific value or to be based on values
from the RADIUS server.
After IEEE 802.1x authentication using a RADIUS server is configured, the switch uses timers
based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action
RADIUS attribute (Attribute [29]).
Chapter 9
9-20.
Is MAC authentication
bypass enabled?
Yes
Use MAC authentication
1
bypass.
Client MAC
address
identity
is valid.
Assign the port to
a VLAN.
Done
All authentication
servers are down.
Configuring IEEE 802.1x Port-Based Authentication
"Using Multidomain
1
No
Client MAC
address
identity
is invalid.
Assign the port to
1
a guest VLAN.
Done
OL-12247-01