Filter
Top Products
9-8
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
• Enable IEEE 802.1x authentication (the VLAN assignment feature is automatically enabled when
you configure IEEE 802.1x authentication on an access port).
• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return
these attributes to the switch:
–
[64] Tunnel-Type = VLAN
–
[65] Tunnel-Medium-Type = IEEE 802
–
[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value
IEEE
802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the
IEEE
802.1x-authenticated user.
For examples of tunnel attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS
Attributes” section on page 8-29.
Using IEEE 802.1x Authentication with Guest VLAN
You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to
clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for
IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be
IEEE
802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN
when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets
are not sent by the client.
Before Cisco IOS Release 12.1(22)EA2, the switch did not maintain the EAPOL packet history and
allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL
packets had been detected on the interface. You can enable this behavior by using the dot1x guest-vlan
supplicant global configuration command.
With Cisco IOS Release 12.1(22)EA2 and later, the switch maintains the EAPOL packet history. If an
EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the
device connected to that interface is an 802.1x-capable supplicant, and the interface does not change to
the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL
packet is detected on the interface, the interface changes to the guest VLAN state.
Note If an EAPOL packet is detected on the wire after the interface has changed to the guest VLAN, the
interface reverts to an unauthorized state, and 802.1x authentication restarts.
Any number of IEEE 802.1x-incapable clients are allowed access when the switch port is moved to the
guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is
configured, the port is put into the unauthorized state in the user-configured access VLAN, and
authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest
VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
For configuration steps, see the “Configuring a Guest VLAN” section on page 9-23.