Cisco Systems 2960 User Manual
10-5
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
shows the authentication process.
Figure 10-2
Authentication Flowchart
The switch re-authenticates a client when one of these situations occurs:
•
Periodic re-authentication is enabled, and the re-authentication timer expires.
You can configure the re-authentication timer to use a switch-specific value or to be based on values
from the RADIUS server.
from the RADIUS server.
After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on
the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS
attribute (Attribute [29]).
the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS
attribute (Attribute [29]).
The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which
re-authentication occurs.
re-authentication occurs.
141679
Yes
No
Client
identity is
invalid
identity is
invalid
All authentication
servers are down.
servers are down.
All authentication
servers are down.
servers are down.
Client
identity is
valid
identity is
valid
The switch gets an
EAPOL message,
and the EAPOL
message
exchange begins.
Yes
No
1
1
1
1 = This occurs if the switch does not detect EAPOL packets from the client.
Client MAC
address
identity
is invalid.
address
identity
is invalid.
Client MAC
address
identity
is valid.
address
identity
is valid.
Is the client IEEE
802.1x capable?
Start IEEE 802.1x port-based
authentication.
Use inaccessible
authentication bypass
(critical authentication)
to assign the critical
port to a VLAN.
IEEE 802.1x authentication
process times out.
Is MAC authentication
bypass enabled?
Use MAC authentication
bypass.
Assign the port to
a guest VLAN.
Start
Done
Assign the port to
a VLAN.
Done
Done
Assign the port to
a VLAN.
Done
Assign the port to
a restricted VLAN.
Done