Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
802.1x Authentication with Inaccessible Authentication Bypass
The Inaccessible Authentication Bypass feature (formally known as Critical-Auth) provides the ability
to configure an 802.1X or MAB authenticated switch port to furnish connected hosts with special
network access in the event that the RADIUS servers are unavailable to provide authentication. You
configure a particular access VLAN for this critical access (known as the Critical VLAN) and optionally
configure the port to reinitialize authentication when a RADIUS servers becomes available.
The Inaccessible Authentication Bypass feature is triggered under either of these conditions:
•
•
In either case, the switch immediately assigns the host attempting to authenticate on the port to the
configured Critical VLAN. Hosts with established authentication sessions are not affected.
By default, any host that has been authenticated through Inaccessible Authentication Bypass remains in
the Critical VLAN until the link goes down. If the authentication event server alive action reinitialize
command has been configured on the port, then all authentication sessions on the port will be
reauthenticated as soon as one of the configured RADIUS servers transitions into the up state.
To enable Inaccessible Authentication Bypass on a switch port, use the authentication event server
dead action authorize vlan vlan-id interface configuration command.
To enable reauthentication when the RADIUS servers become available, use the authentication event
server alive action reinitialize interface configuration command.
For more detailed configuration information, see the
and Critical Voice VLAN" section on page
Overview of Authentication Results
The behavior of the Inaccessible Authentication Bypass feature varies depending on the authorization
state of the switch port and RADIUS servers when the feature is triggered:
•
•
•
Single-Host Mode Port Behavior
On a single-host mode switch port, the Inaccessible Authentication Bypass feature operates as described
in
"Overview of Authentication
more than a single host is detected on the switch port, then the switch port enters an err-disable state.
OL-26520-01
All configured RADIUS servers enter the dead state during an authentication attempt
A port with Inaccessible Authentication Bypass comes up while all configured RADIUS servers are
in the dead state
If the port is unauthorized and the RADIUS servers are unavailable when a host attempts to
authenticate, the switch places the port in the critical-authentication state, authorized in the
configured Critical VLAN.
If the port is attempting an authentication and the RADIUS servers become unavailable during the
exchange, the exchange times out and the switch places the port in the critical-authentication state,
authorized in the configured Critical VLAN during the next authentication attempt.
If the port is already authorized and all of the RADIUS servers become unavailable, then the
Inaccessible Authentication Bypass feature is triggered during the next reauthentication attempt. At
that time, if the RADIUS servers are still unavailable, the switch moves the port into the
critical-authentication state, suspends the reauthentication timers, and begins ignoring any
EAPOL-Start messages on the switch port. Any VLAN assignments made during the previously
successful authorizations are retained.
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
Understanding IEEE 802.1x Port-Based Authentication
"Configuring Inaccessible Authentication Bypass
10-56.
Results" for a single host. As expected on a single-host mode port, if
10-25