9-26
Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Software Configuration Guide
OL-12189-01
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period
interface configuration commands). The amount to decrease the settings depends on the connected
IEEE 802.1x client type.
• When configuring the inaccessible authentication bypass feature, follow these guidelines:
–
The feature is supported on IEEE 802.1x port in single-host mode and multihosts mode.
–
If the client is running Windows XP and the port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
–
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,
receiving an EAP-Success message on a critical port might not re-initiate the DHCP
configuration process.
–
You can configure the inaccessible authentication bypass feature and the restricted VLAN on
an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN
and all the RADIUS servers are unavailable, switch changes the port state to the critical
authentication state and remains in the restricted VLAN.
–
You can configure the inaccessible bypass feature and port security on the same switch port.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x
restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports)
or trunk ports; it is supported only on access ports.
MAC Authentication Bypass
These are the MAC authentication bypass configuration guidelines:
• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the IEEE 802.1x
authentication guidelines. For more information, see the “IEEE 802.1x Authentication” section on
page 9-24.
• If you disable MAC authentication bypass from a port after the port has been authorized with its
MAC address, the port state is not affected.
• If the port is in the unauthorized state and the client MAC address is not the authentication-server
database, the port remains in the unauthorized state. However, if the client MAC address is added to
the database, the switch can use MAC authentication bypass to re-authorize the port.
• If the port is in the authorized state, the port remains in this state until re-authorization occurs.
Configuring IEEE 802.1x Authentication
To configure IEEE 802.1x port-based authentication, you must enable authentication, authorization, and
accounting (AAA) and specify the authentication method list. A method list describes the sequence and
authentication method to be queried to authenticate a user.
To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the
switch for all network-related service requests.
This is the IEEE 802.1x AAA process:
Step 1 A user connects to a port on the switch.
Step 2 Authentication is performed.
Step 3 VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
