hit counter script

X Authentication With Restricted Vlan - Cisco Catalyst 3560-X Software Configuration Manual

Hide thumbs Also See for Catalyst 3560-X:
Table of Contents

Advertisement

Chapter 1
Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
The switch supports MAC authentication bypass. When MAC authentication bypass is enabled on
an 802.1x port, the switch can authorize clients based on the client MAC address when IEEE 802.1x
authentication times out while waiting for an EAPOL message exchange. After detecting a client on
an 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the
authentication server a RADIUS-access/request frame with a username and password based on the MAC
address. If authorization succeeds, the switch grants the client access to the network. If authorization
fails, the switch assigns the port to the guest VLAN if one is specified. For more information, see the
"IEEE 802.1x Authentication with MAC Authentication Bypass" section on page
1-29.
For more information, see the
"Configuring a Guest VLAN" section on page
1-60.

802.1x Authentication with Restricted VLAN

You can configure a restricted VLAN (also referred to as an authentication failed VLAN) for each
IEEE 802.1x port on a switch stack or a switch to provide limited services to clients that cannot access
the guest VLAN. These clients are 802.1x-compliant and cannot access another VLAN because they fail
the authentication process. A restricted VLAN allows users without valid credentials in an authentication
server (typically, visitors to an enterprise) to access a limited set of services. The administrator can
control the services available to the restricted VLAN.
You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide
Note
the same services to both types of users.
Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains
in the spanning-tree blocking state. With this feature, you can configure the switch port to be in the
restricted VLAN after a specified number of authentication attempts (the default value is 3 attempts).
The authenticator counts the failed authentication attempts for the client. When this count exceeds the
configured maximum number of authentication attempts, the port moves to the restricted VLAN. The
failed attempt count increments when the RADIUS server replies with either an EAP failure or an empty
response without an EAP packet. When the port moves into the restricted VLAN, the failed attempt
counter resets.
Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A
port in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If
re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the
port moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable
re-authentication. If you do this, the only way to restart the authentication process is for the port to
receive a link down or EAP logoff event. We recommend that you keep re-authentication enabled if a
client might connect through a hub. When a client disconnects from the hub, the port might not receive
the link down or EAP logoff event.
After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This
prevents clients from indefinitely attempting authentication. Some clients (for example, devices running
Windows XP) cannot implement DHCP without EAP success.
Restricted VLANs are supported only on 802.1x ports in single-host mode and on Layer 2 ports.
You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice
VLAN as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs
(routed ports) or trunk ports; it is supported only on access ports.
Other security port features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can
be configured independently on a restricted VLAN.
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
1-22
OL-25303-03

Advertisement

Table of Contents
loading

This manual is also suitable for:

Catalyst 3750-x

Table of Contents