Filter
Top Products
10-12
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
Chapter10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on
the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress
filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the
outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the
Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and
IP extended ACLs).
Only one IEEE 802.1x-authenticated user is supported on a port. If the multiple-hosts mode is enabled
on the port, the per-user ACL attribute is disabled for the associated port.
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of
RADIUS-server per-user ACLs.
For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific
RADIUS Attributes” section on page 9-29. For more information about configuring ACLs, see
Chapter 34, “Configuring Network Security with ACLs.”
To configure per-user ACLs, you need to perform these tasks:
• Enable AAA authentication.
• Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
• Enable IEEE 802.1x authentication.
• Configure the user profile and VSAs on the RADIUS server.
• Configure the IEEE 802.1x port for single-host mode.
Using IEEE 802.1x Authentication with Guest VLAN
You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services
to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system
for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be
IEEE 802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN
when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets
are not sent by the client.
The switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during
the lifetime of the link, the switch determines that the device connected to that interface is an
IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL
history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface,
the interface changes to the guest VLAN state.
Use a restricted VLAN to allow clients that failed authentication access to the network by entering the
dot1x auth-fail vlan vlan-id interface configuration command.
If devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows
clients that fail authentication access to the guest VLAN.
Note If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts
to an unauthorized state, and IEEE 802.1x authentication restarts.