IBM 12.1(22)EA6 User Manual
6-9
Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide
24R9746
Chapter 6 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
•
If IEEE 802.1x and port security are enabled on a port, the port is placed in the RADIUS-server
assigned VLAN.
assigned VLAN.
•
If IEEE 802.1x is disabled on the port, it is returned to the configured access VLAN.
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is placed
in the configured access VLAN.
in the configured access VLAN.
If an IEEE 802.1x port is authenticated and put in the RADIUS-server assigned VLAN, any change to
the port access VLAN configuration does not take effect.
the port access VLAN configuration does not take effect.
The IEEE 802.1x with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with
dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:
•
Enable AAA authorization.
•
Enable IEEE 802.1x (the VLAN assignment feature is automatically enabled when you configure
IEEE 802.1x on an access port).
IEEE 802.1x on an access port).
•
Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return
these attributes to the switch:
these attributes to the switch:
–
[64] Tunnel-Type = VLAN
–
[65] Tunnel-Medium-Type = IEEE 802
–
[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value IEEE
802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE
802.1x-authenticated user.
802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE
802.1x-authenticated user.
For examples of tunnel attributes, see the
Using IEEE 802.1x with Guest VLAN
You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services
to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system
for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE
802.1x-capable.
to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system
for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE
802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN
when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets
are not sent by the client.
when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets
are not sent by the client.
Before Cisco IOS Release 12.1(22)AY, the switch did not maintain the EAPOL packet history and
allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL
packets had been detected on the interface. You can enable this optional behavior by using the dot1x
guest-vlan supplicant global configuration command.
allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL
packets had been detected on the interface. You can enable this optional behavior by using the dot1x
guest-vlan supplicant global configuration command.
With Cisco IOS Release 12.1(22)AY and later, the switch maintains the EAPOL packet history. If an
EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the
device connected to that interface is an 802.1x-capable supplicant, and the interface does not transition
to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL
packet is detected on the interface, it is transitioned to the guest VLAN state.
EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the
device connected to that interface is an 802.1x-capable supplicant, and the interface does not transition
to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL
packet is detected on the interface, it is transitioned to the guest VLAN state.