10-20
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
When this feature is enabled, the switch checks the status of the configured RADIUS servers whenever 
the switch tries to authenticate a host connected to a critical port. If a server is available, the switch can 
authenticate the host. However, if all the RADIUS servers are unavailable, the switch grants network 
access to the host and puts the port in the critical-authentication state, which is a special case of the 
authentication state. 
The behavior of the inaccessible authentication bypass feature depends on the authorization state of the port:
• If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers are unavailable, the switch puts the port in the critical-authentication state in the RADIUS-configured or user-specified access VLAN.
• If the port is already authorized and re-authentication occurs, the switch puts the critical port in the critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server.
• If the RADIUS server becomes unavailable during an authentication exchange, the current exchange times out, and the switch puts the critical port in the critical-authentication state during the next authentication attempt.
When a RADIUS server that can authenticate the host is available, all critical ports in the 
critical-authentication state are automatically re-authenticated.
Inaccessible authentication bypass interacts with these features:
• Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on an 802.1x port, the features interact as follows:
  – If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client.
  – If all the RADIUS servers are not available and the client is connected to a critical port, the switch authenticates the client and puts the critical port in the critical-authentication state in the RADIUS-configured or user-specified access VLAN.
  – If all the RADIUS servers are not available and the client is not connected to a critical port, the switch might not assign clients to the guest VLAN if one is configured.
  – If all the RADIUS servers are not available and if a client is connected to a critical port and was previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.
• Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers are unavailable, the switch puts the critical port in the critical-authentication state in the restricted VLAN.
• 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
• Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port. The access VLAN must be a secondary private VLAN.
• Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.
• Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.
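As an added example that is not part of this page, the following configuration ties the behavior described above to the switch settings that control it: server health probing and dead-criteria (which decide when a server counts as "unavailable"), a critical port with its own user-specified access VLAN kept distinct from the voice and guest VLANs, and re-initialization once a server returns. The commands are assumed from the guide's configuration section for this feature rather than shown on this page; the addresses, key and VLAN numbers are placeholders.

```cisco
! Added example (not from this page). Addresses, key and VLAN numbers are placeholders.
! Probe server health so "all servers unavailable" is detected proactively
! instead of only when a host authentication times out.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 test username probe-user idle-time 5 key PLACEHOLDER-KEY
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 test username probe-user idle-time 5 key PLACEHOLDER-KEY
! A server is marked dead after 3 unanswered tries within 10 seconds and is
! retried after 5 minutes; keep deadtime short so recovery (and the automatic
! re-authentication of critical ports) happens promptly.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
! Send EAPOL-Success to the host when it is placed in the
! critical-authentication state (assumed global option).
dot1x critical eapol
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 ! Voice VLAN must differ from the critical (access) VLAN, and the critical
 ! VLAN must not be an RSPAN VLAN.
 switchport voice vlan 30
 dot1x port-control auto
 ! Guest VLAN for hosts that never send EAPOL; a host already here stays here
 ! if every RADIUS server later becomes unavailable.
 dot1x guest-vlan 40
 ! Critical port: with all RADIUS servers dead, the host is granted access in
 ! VLAN 50 rather than VLAN 20. VLAN 50 should carry only the reachability a
 ! host needs while RADIUS is down, since no credential was verified.
 dot1x critical
 dot1x critical vlan 50
 ! When a server becomes available again, re-initialize the port so the host
 ! is authenticated by RADIUS instead of remaining in VLAN 50.
 dot1x critical recovery action reinitialize
```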