X Authentication With Guest Vlan - Cisco Catalyst 3560-X Software Configuration Manual
Hide thumbs
Also See for Catalyst 3560-X:
- Command reference manual (1188 pages) ,
- Software configuration manual (1438 pages) ,
- Manual (276 pages)
Table of Contents
Advertisement
Chapter 1
Configuring IEEE 802.1x Port-Based Authentication
This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new
Note
hosts and only authenticates based on the MAC address.)
For configuration information, see the
page
"Configuring MAC Authentication Bypass" section on page
802.1x Authentication with Guest VLAN
You can configure a guest VLAN for each 802.1x port on the switch to provide limited services to
clients, such as downloading the 802.1x client. These clients might be upgrading their system for 802.1x
authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
When you enable a guest VLAN on an 802.1x802.1x port, the switch assigns clients to a guest VLAN
when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets
are not sent by the client.
The switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during
the lifetime of the link, the switch determines that the device connected to that interface is an
IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL
history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface,
the interface changes to the guest VLAN state.
If the switch is trying to authorize an 802.1x-capable voice device and the AAA server is unavailable,
the authorization attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history.
When the AAA server becomes available, the switch authorizes the voice device. However, the switch
no longer allows other devices access to the guest VLAN. To prevent this situation, use one of these
command sequences:
•
•
Use a restricted VLAN to allow clients that failed authentication access to the network by entering the
dot1x auth-fail vlan vlan-id interface configuration command.
If devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows
clients that fail authentication access to the guest VLAN.
If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts
Note
to an unauthorized state, and 802.1x authentication restarts.
Any number of 802.1x-incapable clients are allowed access when the switch port is moved to the guest
VLAN. If an 802.1x-capable client joins the same port on which the guest VLAN is configured, the port
is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1x ports in single host, multiple host, or multi-domain modes.
You can configure any active VLAN except an RSPAN VLAN, a private VLAN, or a voice VLAN as an
802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or
trunk ports; it is supported only on access ports.
OL-25303-03
1-73. Additional configuration is similar MAC authentication bypass, as described in the
Enter the authentication event no-response action authorize vlan vlan-id interface configuration
command to allow access to the guest VLAN.
Enter the shutdown interface configuration command followed by the no shutdown interface
configuration command to restart the port.
Understanding IEEE 802.1x Port-Based Authentication
"Configuring VLAN ID-based MAC Authentication" section on
1-66.
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
1-21
Advertisement
Table of Contents
Troubleshooting
