Filter
Top Products
9-15
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
client times out and tries to get a host IP address from the DHCP server. Decrease the settings for
the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period
interface configuration commands). The amount to decrease the settings depends on the connected
IEEE 802.1x client type.
• When a PC is attached to a switch through a hub, is authenticated on an IEEE 802.1x multiple-hosts
port, is moved to another port, and is then attached through another hub, the switch does not
authenticate the PC. The workaround is to decrease the number of seconds between
re-authentication attempts by entering the dot1x timeout reauth-period seconds interface
configuration command.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x
authentication restricted VLAN. The restricted VLAN feature is not supported on trunk ports; it is
supported only on access ports.
Upgrading from a Previous Software Release
In Cisco IOS Release 12.1(14)EA1, the implementation for IEEE 802.1x authentication changed from
the previous release. Some global configuration commands became interface configuration commands,
and new commands were added.
If you have IEEE 802.1x authentication configured on the switch and you upgrade to Cisco IOS
Release
12.1(14)EA1 or later, the configuration file will not contain the new commands, and
IEEE
802.1x authentication will not operate. After the upgrade is complete, make sure to globally enable
IEEE 802.1x authentication by using the dot1x system-auth-control global configuration command. If
IEEE 802.1x authentication was running in multiple-hosts mode on an interface in the previous release,
make sure to reconfigure it by using the dot1x host-mode multi-host interface configuration command.
Configuring IEEE 802.1x Authentication
To configure IEEE 802.1x port-based authentication, you must enable AAA and specify the
authentication method list. A method list describes the sequence and authentication methods to be
queried to authenticate a user.
The software uses the first method listed to authenticate users. If that method fails to respond, the
software selects the next authentication method in the method list. This process continues until there is
successful communication with a listed authentication method or until all defined methods are
exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other
authentication methods are attempted.
To allow VLAN assignment, you must enable AAA authorization to configure the switch for all
network-related service requests.
This is the IEEE 802.1x AAA process:
Step 1 A user connects to a port on the switch.
Step 2 Authentication is performed.
Step 3 VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
Step 4 The switch sends a start message to an accounting server.
Step 5 Re-authentication is performed, as necessary.