Cisco Systems 3130 User Manual

9-4

Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide

OL-13270-01

Chapter 9 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

shows the authentication process.

If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions
that are applicable to voice authorization. For more information on MDA, see

“Using Multidomain

Authentication” section on page 9-20

Figure 9-2

Authentication Flowchart

The switch re-authenticates a client when one of these situations occurs:

•

Periodic re-authentication is enabled, and the re-authentication timer expires.

You can configure the re-authentication timer to use a switch-specific value or to be based on values
from the RADIUS server.

After IEEE 802.1x authentication using a RADIUS server is configured, the switch uses timers
based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action
RADIUS attribute (Attribute [29]).

141679

Yes

Client
identity is
invalid

All authentication
servers are down.

Client
identity is
valid

The switch gets an

EAPOL message,

and the EAPOL

message

exchange begins.

Yes

1 = This occurs if the switch does not detect EAPOL packets from the client.

Client MAC
address
identity
is invalid.

Client MAC
address
identity
is valid.

Is the client IEEE

802.1x capable?

Start IEEE 802.1x port-based

authentication.

Use inaccessible

authentication bypass

(critical authentication)

to assign the critical

port to a VLAN.

IEEE 802.1x authentication

process times out.

Is MAC authentication

bypass enabled?

Use MAC authentication

bypass.

Assign the port to

a guest VLAN.

Start

Done

Assign the port to

a VLAN.

Done

Assign the port to

a VLAN.

Done

Assign the port to

a restricted VLAN.

Done