Cisco Systems WSC4500X24XIPB Switch User Manual


 
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
Authentication Initiation and Message Exchange
Ports in Authorized and Unauthorized States
Using 802.1X with VLAN Assignment
Using 802.1X Authentication for Guest VLANs
Using 802.1X with Authentication Failed VLAN Assignment
Using 802.1X with Port Security
Using 802.1X with RADIUS-Provided Session Timeouts
Using 802.1X with RADIUS Accounting
Using 802.1X with Voice VLAN Ports
Supported Topologies
Device Roles
With 802.1X port-based authentication, network devices have specific roles. Figure 29-1 shows the role
of each device, which is described below.
Figure 29-1 802.1X Device Roles
Client—The workstation that requests access to the LAN and responds to requests from the switch.
The workstation must be running 802.1X-compliant client software.
Note: For more information on 802.1X-compliant client application software such as Microsoft
Windows 2000 Professional or Windows XP, refer to the Microsoft Knowledge Base article
at this URL: http://support.microsoft.com
Authenticator—Controls physical access to the network based on the authentication status of the
client. The switch acts as an intermediary between the client and the authentication server,
requesting identity information from the client, verifying that information with the authentication
server, and relaying a response to the client. The switch encapsulates and decapsulates the
Extensible Authentication Protocol (EAP) frames and interacts with the RADIUS authentication
server.
When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet
header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP
frames are not modified or examined during encapsulation, and the authentication server must
[Figure 29-1 labels: Client (workstations, supplicants); Authenticator (Catalyst 4500 network access switch); Authentication server (RADIUS)]
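
The re-encapsulation step described above, as an added example that is not Cisco code or part of the original guide: the Ethernet and EAPOL headers are stripped and the EAP packet is carried unchanged in RADIUS EAP-Message attributes, protected by a Message-Authenticator attribute as laid out in RFC 3579. The function names, sample frame, MAC address and shared secret are constructed for illustration, and the other attributes a real Access-Request carries (such as User-Name) are omitted.

```python
import hashlib
import hmac
import struct

EAPOL_ETHERTYPE = 0x888E                     # IEEE 802.1X
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types (RFC 3579)

def eap_from_eapol(frame: bytes) -> bytes:
    """Strip the 14-byte Ethernet and 4-byte EAPOL headers; return the EAP packet as-is."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    _version, ptype, body_len = struct.unpack_from("!BBH", frame, 14)
    eap = frame[18:18 + body_len]            # slicing by length drops Ethernet padding
    if ptype != 0 or len(eap) != body_len:   # EAPOL type 0 = EAP-Packet
        raise ValueError("not a complete EAPOL EAP-Packet frame")
    return eap

def to_access_request(eap: bytes, secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """Switch side: carry the unmodified EAP packet in RADIUS EAP-Message attributes."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]  # 253 value bytes max
    attrs = b"".join(bytes([EAP_MESSAGE, len(c) + 2]) + c for c in chunks)
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)     # zeroed while MAC is computed
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs  # code 1 = Access-Request
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def eap_from_access_request(pkt: bytes, secret: bytes) -> bytes:
    """Server side: verify Message-Authenticator, then reassemble the EAP packet."""
    eap, mac, zeroed, pos = b"", None, bytearray(pkt), 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]
        elif atype == MESSAGE_AUTHENTICATOR and alen == 18:
            mac = pkt[pos + 2:pos + alen]
            zeroed[pos + 2:pos + alen] = bytes(16)
        pos += alen
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if mac is None or not hmac.compare_digest(mac, expected):
        raise ValueError("Message-Authenticator missing or invalid")
    return eap

# Constructed sample: EAP-Response/Identity for "alice" in an EAPOL frame padded to 60 bytes.
SAMPLE_EAP = bytes([2, 1, 0, 10, 1]) + b"alice"
SAMPLE_FRAME = (bytes.fromhex("0180c2000003" "00005e005301" "888e")
                + struct.pack("!BBH", 1, 0, len(SAMPLE_EAP)) + SAMPLE_EAP).ljust(60, b"\0")
if __name__ == "__main__":
    req = to_access_request(eap_from_eapol(SAMPLE_FRAME), b"constructed-secret", 7, bytes(16))
    print(req.hex(), eap_from_access_request(req, b"constructed-secret") == SAMPLE_EAP)
```

A production authenticator uses a fresh random 16-byte Request Authenticator for every Access-Request; the fixed value here only keeps the sample reproducible.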