10-25
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
–
You can configure the inaccessible authentication bypass feature and the restricted VLAN on
an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN
and all the RADIUS servers are unavailable, switch changes the port state to the critical
authentication state and remains in the restricted VLAN.
–
You can configure the inaccessible bypass feature and port security on the same switch port.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x
restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports)
or trunk ports; it is supported only on access ports.
MAC Authentication Bypass
These are the MAC authentication bypass configuration guidelines:
• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the IEEE 802.1x
authentication guidelines. For more information, see the “IEEE 802.1x Authentication” section on
page 10-23.
• If you disable MAC authentication bypass from a port after the port has been authorized with its
MAC address, the port state is not affected.
• If the port is in the unauthorized state and the client MAC address is not the authentication-server
database, the port remains in the unauthorized state. However, if the client MAC address is added
to the database, the switch can use MAC authentication bypass to re-authorize the port.
• If the port is in the authorized state, the port remains in this state until re-authorization occurs.
Configuring IEEE 802.1x Authentication
To configure IEEE 802.1x port-based authentication, you must enable authentication, authorization, and
accounting (AAA) and specify the authentication method list. A method list describes the sequence and
authentication method to be queried to authenticate a user.
To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the
switch for all network-related service requests.
This is the IEEE 802.1x AAA process:
Step 1 A user connects to a port on the switch.
Step 2 Authentication is performed.
Step 3 VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
Step 4 The switch sends a start message to an accounting server.
Step 5 Re-authentication is performed, as necessary.
Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of
re-authentication.
Step 7 The user disconnects from the port.
Step 8 The switch sends a stop message to the accounting server.
