Cisco Catalyst 2960 Software Configuration Manual page 272
Hide thumbs
Also See for Catalyst 2960:
- Configuration manual (2288 pages) ,
- Command reference manual (800 pages) ,
- Hardware installation manual (108 pages)
Table of Contents
Advertisement
Understanding IEEE 802.1x Port-Based Authentication
Authentication Process
When 802.1x port-based authentication is enabled and the client supports 802.1x-compliant client
software, these events occur:
•
•
•
•
Note
Figure 10-2
User does not have a
certificate but the system
previously logged on to
the network using
a computer certificate.
Assign the port to
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
10-4
If the client identity is valid and the 802.1x authentication succeeds, the switch grants the client
access to the network.
If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC
authentication bypass is enabled, the switch can use the client MAC address for authorization. If the
client MAC address is valid and the authorization succeeds, the switch grants the client access to the
network. If the client MAC address is invalid and the authorization fails, the switch assigns the client
to a guest VLAN that provides limited services if a guest VLAN is configured.
If the switch gets an invalid identity from an 802.1x-capable client and a restricted VLAN is
specified, the switch can assign the client to a restricted VLAN that provides limited services.
If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass
is enabled, the switch grants the client access to the network by putting the port in the
critical-authentication state in the RADIUS-configured or the user-specified access VLAN.
Inaccessible authentication bypass is also referred to as critical authentication or the AAA fail
policy.
Authentication Flowchart
Start IEEE 802.1x port-based
Client
identity is
invalid
Assign the port to
a guest VLAN.
a restricted VLAN.
Done
Done
authentication bypass
(critical authentication)
to assign the critical
Chapter 10
Start
No
Is the client IEEE
IEEE 802.1x authentication
802.1x capable?
process times out.
Yes
The switch gets an
EAPOL message,
and the EAPOL
message
exchange begins.
authentication.
Client
identity is
valid
Assign the port to
a VLAN.
Done
All authentication
servers are down.
Use inaccessible
port to a VLAN.
Done
Configuring IEEE 802.1x Port-Based Authentication
Is MAC authentication
bypass enabled? 1
Yes
Use MAC authentication
1
bypass.
Client MAC
address
identity
is valid.
Assign the port to
Assign the port to
a VLAN.
a guest VLAN.
Done
All authentication
servers are down.
1 = This occurs if the switch does not
detect EAPOL packets from the client.
No
Client MAC
address
identity
is invalid.
1
Done
OL-26520-01
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
