Filter
Top Products
9-8
Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Software Configuration Guide
OL-12189-01
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
If the client is successfully authenticated (receives an Accept frame from the authentication server), the
port state changes to authorized, and all frames from the authenticated client are allowed through the
port. If the authentication fails, the port remains in the unauthorized state, but authentication can be
retried. If the authentication server cannot be reached, the switch can resend the request. If no response
is received from the server after the specified number of attempts, authentication fails, and network
access is not granted.
When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the
unauthorized state.
If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port
returns to the unauthorized state.
IEEE 802.1x Authentication and Switch Stacks
If a switch is added to or removed from a switch stack, IEEE 802.1x authentication is not affected as
long as the IP connectivity between the RADIUS server and the stack remains intact. This statement also
applies if the stack master is removed from the switch stack. Note that if the stack master fails, a stack
member becomes the new stack master by using the election process described in Chapter 5, “Managing
Switch Stacks,” and the IEEE 802.1x authentication process continues as usual.
If IP connectivity to the RADIUS server is interrupted because the switch that was connected to the
server is removed or fails, these events occur:
• Ports that are already authenticated and that do not have periodic re-authentication enabled remain
in the authenticated state. Communication with the RADIUS server is not required.
• Ports that are already authenticated and that have periodic re-authentication enabled (with the dot1x
re-authentication global configuration command) fail the authentication process when the
re-authentication occurs. Ports return to the unauthenticated state during the re-authentication
process. Communication with the RADIUS server is required.
For an ongoing authentication, the authentication fails immediately because there is no server
connectivity.
If the switch that failed comes up and rejoins the switch stack, the authentications might or might not
fail depending on the boot-up time and whether the connectivity to the RADIUS server is re-established
by the time the authentication is attempted.
To avoid loss of connectivity to the RADIUS server, you should ensure that there is a redundant
connection to it. For example, you can have a redundant connection to the stack master and another to a
stack member, and if the stack master fails, the switch stack still has connectivity to the RADIUS server.
IEEE 802.1x Host Mode
Note The switch is usually not configured in the network configuration shown in Figure 9-5.
You can configure an IEEE 802.1x port for single-host or for multiple-hosts mode. In single-host mode
(see Figure 9-1 on page 9-2), only one client can be connected to the IEEE 802.1x-enabled switch port.
The switch detects the client by sending an EAPOL frame when the port link state changes to the up
state. If a client leaves or is replaced with another client, the switch changes the port link state to down,
and the port returns to the unauthorized state.