Cisco Catalyst 2960 Software Configuration Manual page 295

Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
In contrast to the authentication event server dead action authorize vlan vlan-id command, which
leaves existing authentication sessions established, the reinitialize command causes all existing data
domain sessions to immediately reauthenticate, placing them into the configured Critical VLAN. This
reinitialization is triggered whenever the next new authentication attempt is made on the port while the
RADIUS servers are unavailable. After the port has been reinitialized, any new hosts attempting to
connect to the port are moved to the data domain and authorized on the Critical VLAN. The port is placed
in a critical-authentication state.
During a reinitialization event, an authenticated voice domain device is not reinitialized. This device
retains its authorized Voice VLAN.
Note: If a port is configured with host mode multi-auth, the authentication event server dead action
authorize vlan vlan-id command has no effect on the interface's behavior in the event that the RADIUS
server becomes unavailable.
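
The following is an added example, not part of the Cisco manual: a Python check that scans a running-config for ports pairing host mode multi-auth with the authorize vlan dead-server action, the combination the note above says has no effect. The sample configuration is constructed, and the full interface command spellings (authentication host-mode ..., ... dead action reinitialize vlan ...) are assumed to follow standard IOS syntax.

```python
import re

# Constructed sample running-config; interface names and VLAN 100 are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 authentication host-mode multi-auth
 authentication event server dead action authorize vlan 100
!
interface GigabitEthernet0/2
 authentication host-mode multi-auth
 authentication event server dead action reinitialize vlan 100
!
interface GigabitEthernet0/3
 authentication host-mode multi-domain
 authentication event server dead action authorize vlan 100
!
interface GigabitEthernet0/4
 switchport mode access
"""

HOST_MODE = re.compile(r"authentication host-mode (\S+)$")
DEAD_ACTION = re.compile(
    r"authentication event server dead action (authorize|reinitialize) vlan (\d+)$")

def parse_interfaces(config):
    """Map each interface to its host mode and dead-server action, if configured."""
    ports, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = ports.setdefault(raw.split(None, 1)[1].strip(), {})
        elif raw[:1].isspace() and current is not None:  # indented sub-command
            line = raw.strip()
            if m := HOST_MODE.match(line):
                current["host_mode"] = m.group(1)
            elif m := DEAD_ACTION.match(line):
                current["dead_action"], current["vlan"] = m.group(1), int(m.group(2))
        else:
            current = None  # "!" or a global command ends the interface block
    return ports

def ineffective_dead_action(config):
    """Ports where 'authorize vlan' is paired with multi-auth (no effect per the note)."""
    return sorted(name for name, p in parse_interfaces(config).items()
                  if p.get("host_mode") == "multi-auth"
                  and p.get("dead_action") == "authorize")

if __name__ == "__main__":
    for port in ineffective_dead_action(SAMPLE_CONFIG):
        print(f"{port}: dead action 'authorize vlan' has no effect with multi-auth")
```

On the sample, only GigabitEthernet0/1 is reported; the multi-auth port using reinitialize and the multi-domain port using authorize vlan are not flagged.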
Inaccessible Authentication Bypass Feature Interactions
Guest VLAN
Inaccessible Authentication Bypass is compatible with the Guest VLAN feature. When a device is
authorized using the Guest VLAN feature and Inaccessible Authentication Bypass is triggered, the port
enters the critical-authentication state, and the previously authorized Guest VLAN assignment is
retained.
Restricted VLAN
Inaccessible Authentication Bypass is compatible with the Restricted VLAN feature. When a device is
authorized using the Restricted VLAN feature and Inaccessible Authentication Bypass is triggered, the
port enters the critical-authentication state, and the previously authorized Restricted VLAN assignment
is retained.
Private VLAN
Inaccessible Authentication Bypass is compatible with the Private VLAN feature. However, the
configured Critical VLAN must be a secondary private VLAN.
Switch Stack
The stack master switch checks the status of the RADIUS servers by periodically sending keepalive
packets. When the stack master switch detects a change in the status of one of the configured RADIUS
servers, it sends a notification to each stack member switch. This allows the stack members to check the
status of RADIUS servers when reauthenticating switch ports with Inaccessible Authentication Bypass
enabled. If a new member switch is added to the stack, the stack master switch sends the member the
RADIUS server statuses.
If a new stack master switch is elected, the link between the switch stack and RADIUS server might
change. Consequently, the new stack master switch immediately sends keepalive packets to update the
status of every RADIUS server.
If a RADIUS server status changes from dead to up, all of the stack switches reauthenticate all switch
ports currently in the critical-authentication state.
OL-26520-01
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
Understanding IEEE 802.1x Port-Based Authentication
10-27

This manual is also suitable for:

Catalyst 2960-s